[Solved] Nginx security on Ubuntu Server
Hello,
I have received this mail about a security bug for Ubuntu server:
==========================================================================
Ubuntu Security Notice USN-2991-1
June 02, 2016
nginx vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
Summary:
nginx could be made to crash if it received specially crafted network
traffic.
Software Description:
- nginx: small, powerful, scalable web/proxy server
Details:
It was discovered that nginx incorrectly handled saving client request
bodies to temporary files. A remote attacker could possibly use this issue
to cause nginx to crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
nginx-core 1.10.0-0ubuntu0.16.04.2
nginx-extras 1.10.0-0ubuntu0.16.04.2
nginx-full 1.10.0-0ubuntu0.16.04.2
nginx-light 1.10.0-0ubuntu0.16.04.2
Ubuntu 15.10:
nginx-core 1.9.3-1ubuntu1.2
nginx-extras 1.9.3-1ubuntu1.2
nginx-full 1.9.3-1ubuntu1.2
nginx-light 1.9.3-1ubuntu1.2
Ubuntu 14.04 LTS:
nginx-core 1.4.6-1ubuntu3.5
nginx-extras 1.4.6-1ubuntu3.5
nginx-full 1.4.6-1ubuntu3.5
nginx-light 1.4.6-1ubuntu3.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2991-1
CVE-2016-4450
Package Information:
https://launchpad.net/ubuntu/+source/ng ... u0.16.04.2
https://launchpad.net/ubuntu/+source/ng ... 1ubuntu1.2
https://launchpad.net/ubuntu/+source/ng ... 1ubuntu3.5
I have Trusty installed (14.04.3) and I have this repository activated:
deb http://nginx.org/packages/ubuntu/ trusty nginx
I have these packages installed:
dpkg -l *nginx* | grep ii
ii nginx 1.10.1-1~trusty amd64 high performance web server
ii vesta-nginx 0.9.8-15 amd64 Vesta Ngin
My distribution seems not to be updated, what can I do please?
Last edited by floown on Mon Jun 06, 2016 9:54 pm, edited 1 time in total.
Re: Nginx security on Ubuntu Server
Have you tried updating today? Mine has been patched when I updated.
Re: Nginx security on Ubuntu Server
Hello SS88
Yes the server seems to be up-to-date
Here is : cat /etc/apt/sources.list
Code: Select all
# deb http://mirrors.online.net/ubuntu trusty main restricted
# deb http://mirrors.online.net/ubuntu trusty-updates main restricted
# deb http://security.ubuntu.com/ubuntu trusty-security main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://fr.archive.ubuntu.com/ubuntu/ trusty main restricted
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://fr.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb http://fr.archive.ubuntu.com/ubuntu/ trusty universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security universe multiverse
deb http://fr.archive.ubuntu.com/ubuntu/ trusty-updates universe multiverse
deb http://fr.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
## Commercial
deb http://archive.canonical.com/ubuntu trusty partner
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu trusty partner
# deb-src http://archive.canonical.com/ubuntu trusty partner
## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu trusty main
# deb-src http://extras.ubuntu.com/ubuntu trusty main
#deb http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu trusty main
cat /etc/apt/sources.list.d/vesta.list
Code: Select all
deb http://apt.vestacp.com/trusty/ trusty vesta
And like I said :
cat /etc/apt/sources.list.d/vesta.list
Code: Select all
deb http://nginx.org/packages/ubuntu/ trusty nginx
Do you have the same repository? What is wrong on my server?
Thx
Re: Nginx security on Ubuntu Server
Hey. Sorry think I misread.
You are on about package vesta-nginx 0.9.8-15? This is package provided by VestaCP.
You have the most up-to-date version of nginx nginx 1.10.1 (Stable) so none of your websites will be affected
Re: Nginx security on Ubuntu Server
Oh, ok, so all is fine.
Thx and have a nice day / night ;)
Re: Nginx security on Ubuntu Server
floown wrote: Oh, ok, so all is fine.
Thx and have a nice day / night ;)
Sure is! You too.
Ref:
The problem affects nginx 1.3.9 - 1.11.0.
The problem is fixed in nginx 1.11.1, 1.10.1.
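The version check this thread works out by hand, as an added example (not code from the forum, nginx or Ubuntu): packages built in the Ubuntu archive keep their old upstream number and are judged against the revisions in USN-2991-1, while nginx.org builds are judged against the upstream range quoted above. The function names are hypothetical, and the Ubuntu revision comparison is simplified to numeric fields; `dpkg --compare-versions` is the exact tool on a live host.

```sh
#!/bin/sh
# Added example: classify an nginx package version for CVE-2016-4450.
# Input must be nginx's own version (not a vendor bundle with its own numbering).

# ver_lt A B: succeeds when dotted-numeric version A sorts before B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Prints: fixed | vulnerable | not-affected
nginx_cve_2016_4450() {
    v=${1#*:}                      # drop an epoch, if present
    up=${v%%-*}                    # upstream part, e.g. 1.10.1
    rev=${v#"$up"}; rev=${rev#-}   # package revision, e.g. 1~trusty
    min=
    case $rev in *ubuntu*)         # Ubuntu archive build: fix is backported
        case $up in                # minimum revisions from USN-2991-1
            1.10.0) min=0ubuntu0.16.04.2 ;;
            1.9.3)  min=1ubuntu1.2 ;;
            1.4.6)  min=1ubuntu3.5 ;;
        esac ;;
    esac
    if [ -n "$min" ]; then
        # Simplification: compare only the numeric fields of the revision.
        r=$(printf %s "$rev" | tr -cs '0-9' '.')
        m=$(printf %s "$min" | tr -cs '0-9' '.')
        if ver_lt "$r" "$m"; then echo vulnerable; else echo fixed; fi
        return 0
    fi
    # nginx.org or other build: affected 1.3.9 - 1.11.0, fixed in 1.10.1 / 1.11.1
    if   ver_lt "$up" 1.3.9;  then echo not-affected
    elif ver_lt "$up" 1.10.1; then echo vulnerable
    elif ver_lt "$up" 1.11.0; then echo fixed        # 1.10.x, x >= 1
    elif ver_lt "$up" 1.11.1; then echo vulnerable   # 1.11.0
    else echo fixed; fi
}

# Live use on a Debian/Ubuntu host:
#   nginx_cve_2016_4450 "$(dpkg-query -W -f='${Version}' nginx)"
nginx_cve_2016_4450 "1.10.1-1~trusty"   # version string from the thread
```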
Re: [Solved] Nginx security on Ubuntu Server
Sorry again. Do you have the kindness to tell me where this quote comes from?
Thx
Re: [Solved] Nginx security on Ubuntu Server
Ok, I have understood the order the versions are in!
Re: [Solved] Nginx security on Ubuntu Server
floown wrote: Sorry again. Do you have the kindness to tell me where this quote comes from?
Thx
https://bugs.launchpad.net/ubuntu/%2Bso ... ug/1587577
:)