On Tue, 2022-08-30 at 22:45 +0200, Maxime Pietrucci-Blacher wrote:
> Good evening, I have come to contact you to find out if the
> nginx-common and nginx-core packages are going to be updated soon, as
> there are many problems with the use of TLS on these two packages as
> they are no longer up to date.
> Also, I would like to know if there is a way to fix this independently
> or if it is necessary to wait (an update of the package which seems
> urgent to me, considering the recent CVE).
> Thank you for your help,
> Maxime Pietrucci-Blacher
>

I'm neither an Ubuntu developer nor an nginx user, but I wonder:

- Which Ubuntu release are you using?
- What are those TLS issues?
- Is any CVE fix missing?

http://nginx.org/en/security_advisories.html
https://ubuntu.com/security/cves?package=nginx

Ubuntu is a release-model distro; what is important isn't the upstream
version. What is important are the security fixes of the version used by
the Ubuntu release.

https://packages.ubuntu.com/bionic/nginx
http://archive.ubuntu.com/ubuntu/pool/main/n/nginx/nginx_1.14.0-0ubuntu1.10.debian.tar.xz

From the changelog:

"nginx (1.14.0-0ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: ALPACA TLS issue
    - debian/patches/CVE-2021-3618.patch: specify the number of errors
      after which the connection is closed in src/mail/ngx_mail.h,
      src/mail/ngx_mail_core_module.c and src/mail/ngx_mail_handler.c.
    - CVE-2021-3618
  * SECURITY UPDATE: request mutation by unsafe characters
    - Add input validation to requests in Lua module in
      debian/modules/http-lua/src/ngx_http_lua_control.c,
      debian/modules/http-lua/src/ngx_http_lua_headers_in.c,
      debian/modules/http-lua/src/ngx_http_lua_headers_out.c,
      debian/modules/http-lua/src/ngx_http_lua_uri.c,
      debian/modules/http-lua/src/ngx_http_lua_util.h and
      debian/modules/http-lua/src/ngx_http_lua_util.h.
    - CVE-2020-36309
  * SECURITY UPDATE: request smuggling in ngx.location.capture
    - Add manual crafting of Content-Length in case request is chunked
      in debian/modules/http-lua/src/ngx_http_lua_subrequest.c.
    - CVE-2020-11724

 -- David Fernandez Gonzalez <[email protected]>  Tue, 12 Apr 2022 11:00:15 +0200

nginx (1.14.0-0ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: DNS Resolver issues
    - debian/patches/CVE-2021-23017-1.patch: fixed off-by-one write in
      src/core/ngx_resolver.c.
    - debian/patches/CVE-2021-23017-2.patch: fixed off-by-one read in
      src/core/ngx_resolver.c.
    - CVE-2021-23017

 -- Marc Deslauriers <[email protected]>  Tue, 25 May 2021 13:11:02 -0400

[snip]"

Regards,
Ralf
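
The check the reply describes (look at which CVE fixes the release's package version carries, not at the upstream version number) can be scripted against a Debian-format changelog. The following is an added example, not part of the original message or of any Ubuntu tooling; the function names are hypothetical and the sample text is constructed from the changelog entries quoted above, with descriptions shortened.

```python
import re

# Constructed sample: the two entries quoted in the message, descriptions shortened.
SAMPLE_CHANGELOG = """\
nginx (1.14.0-0ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: ALPACA TLS issue
    - CVE-2021-3618
  * SECURITY UPDATE: request mutation by unsafe characters
    - CVE-2020-36309
  * SECURITY UPDATE: request smuggling in ngx.location.capture
    - CVE-2020-11724

 -- David Fernandez Gonzalez  Tue, 12 Apr 2022 11:00:15 +0200

nginx (1.14.0-0ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: DNS Resolver issues
    - debian/patches/CVE-2021-23017-1.patch: fixed off-by-one write
    - CVE-2021-23017

 -- Marc Deslauriers  Tue, 25 May 2021 13:11:02 -0400
"""

# Debian changelog entry header: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def cves_by_version(changelog):
    """Return {version: (distribution, sorted CVE ids)} in changelog order."""
    entries, current = {}, None
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:  # a new entry starts; later lines belong to it
            current = m.group("ver")
            entries[current] = (m.group("dist"), set())
        elif current:  # patch file names and "- CVE-..." lines both count
            entries[current][1].update(CVE.findall(line))
    return {v: (d, sorted(c)) for v, (d, c) in entries.items()}

def fixed_in(changelog, cve_id):
    """Return the oldest package version whose entry mentions cve_id, or None."""
    # Entries are newest first, so the last hit is the version that introduced the fix.
    hits = [v for v, (_, c) in cves_by_version(changelog).items() if cve_id in c]
    return hits[-1] if hits else None

if __name__ == "__main__":
    for ver, (dist, cves) in cves_by_version(SAMPLE_CHANGELOG).items():
        print(ver, dist, ", ".join(cves))
```

On an installed system the same text can be obtained with `apt changelog nginx`. A `None` result only means the changelog does not mention the CVE; the Ubuntu CVE tracker linked in the message records whether the release is affected at all.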
