Hi Klaus,

Just needed to re-confirm a couple of things here:

1. I understand that the NGINX version shipped by default is secured and will 
be updated with patches should there be some security issues. But my question 
is, can we expect the latest version of NGINX (i.e. v1.18.x) to be available in 
Debian 10 soon? If yes, when?

2. Please provide some kind of confirmation on CVE-2020-11879:
        If the vulnerability was already addressed, please point me to some article 
which confirms the same.
        If not addressed, please confirm when we can expect version 3.35.91 or 
greater to be available in Debian 10?

Thanks,
Revanth.

-----Original Message-----
From: Klaus Singvogel <[email protected]> 
Sent: 15 September 2020 15:10
To: Suryadevara, Revanth <[email protected]>
Cc: [email protected]
Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

Hi Revanth,

as you might have found out by now, the Debian Security team is backporting 
security patches to older versions of open-source software, and Debian 10 isn't 
insecure.

The advantage of backporting is that you don't have to adapt config files to the 
latest syntax on an update, nor introduce incompatible libraries to your system 
on update.

So, don't worry about the older versions of software regarding security.
They are getting regular patches from the Debian Security team, even when the 
package maintainer doesn't support this version anymore.

I want to thank here the Debian Security team for their excellent job, in the 
past and in the future. Thank you.

Regarding the missing CVE-2020-11879 for GNOME Evolution: I don't have the proof, 
but I think this points to the fact that the shipped version isn't affected.

Best regards,
        Klaus.

Suryadevara, Revanth wrote:
> Hi Klaus,
>       
> 1.) Pertaining to Nginx there is no CVE-ID; the main concern is that, according 
> to the nginx download page (http://nginx.org/en/download.html), 
> Nginx 1.14.x is no longer supported and will not be getting regular patches. 
> So, if any security vulnerabilities arise then the system would be at high risk 
> as the vendor no longer provides updates.
> 
> 2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879. This ID 
> isn't present in the links which you've shared.
> 
> Thanks,
> Revanth.
> 
> -----Original Message-----
> From: Klaus Singvogel <[email protected]>
> Sent: 15 September 2020 13:32
> To: Suryadevara, Revanth <[email protected]>
> Cc: [email protected]
> Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME 
> Evolution
> 
> Suryadevara, Revanth wrote:
> > 
> > We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> > v3.30.5-1.1 installed along with other packages.
> > 
> [...]
> > When can we expect latest versions of Nginx and GNOME Evolution to be 
> > available in Debian 10 ?
> 
> Which security bugs do you think are not fixed in the Debian 10 version of 
> Nginx v1.14.2 or GNOME Evolution v3.30.5-1.1?
> 
> https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog
> 
> https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog
> 
> Please name the CVE identifiers which you believe Debian 10 is affected 
> by.
> 
> Thanks in advance.
> 
> Best regards,
>       Klaus.
> --
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27

--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27
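As an added example (not part of this thread or of Debian's tooling), the check Klaus's changelog links support: a small Python scanner that maps each Debian revision in a changelog to the CVE ids its entry names, so the fix status of a backported package is read from its changelog rather than guessed from the upstream version number. The changelog text, uploader and CVE ids below are constructed placeholders, not real nginx advisories.

```python
# Added example, not from the thread: scan a Debian changelog for the CVE ids
# each Debian revision claims to fix.  Security uploads keep the upstream
# version (1.14.2) and bump only the Debian revision (-2+deb10u3).
import re
from typing import Dict, List, Optional

# Entry header: "<source> (<version>) <distribution>; urgency=<level>"
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in Debian changelog format.  CVE ids and uploader are
# placeholders, not real nginx advisories.
SAMPLE_CHANGELOG = """\
nginx (1.14.2-2+deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Backport upstream fix for CVE-2099-0002 (constructed).

 -- Example Uploader <uploader@example.org>  Mon, 01 Jan 2099 00:00:00 +0000

nginx (1.14.2-2+deb10u1) buster-security; urgency=medium

  * Backport upstream fix for CVE-2099-0001 (constructed).

 -- Example Uploader <uploader@example.org>  Mon, 01 Jan 2099 00:00:00 +0000
"""


def cves_by_version(changelog: str) -> Dict[str, List[str]]:
    """Map each Debian version (newest first) to the CVE ids its entry names."""
    result: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in changelog.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            current = header.group(2)
            result.setdefault(current, [])
        elif current is not None:
            for cve in CVE_RE.findall(line):
                if cve not in result[current]:
                    result[current].append(cve)
    return result


def fixed_in(changelog: str, cve: str) -> Optional[str]:
    """Oldest Debian version whose changelog entry names `cve`, or None."""
    hits = [v for v, cves in cves_by_version(changelog).items() if cve in cves]
    return hits[-1] if hits else None  # entries are newest-first
```

On a real system the same function can be fed the output of `apt changelog <package>` or the metadata.ftp-master.debian.org changelog for the installed version; a CVE absent from every entry is not proof the package is unaffected, only that no backported fix is recorded for it.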
