
Probably a noob question as I only 'got into Linux' a few months ago. For whatever reason I decided to check if there are any nginx vulnerabilities and I found CVE-2018-16845, which states that "nginx before versions 1.15.6, 1.14.1 has a vulnerability...".

I have my Ubuntu server set to auto-update, so I decided to check what version of nginx-light I am running.

myself@server:~$ nginx -v
nginx version: nginx/1.14.0 (Ubuntu)
myself@server:~$ uname -a
Linux server 4.15.0-66-generic #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
myself@server:~$ sudo apt update
Hit:1 http://as-repository.openvpn.net/as/debian bionic InRelease
Hit:2 http://gb.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:4 http://gb.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://gb.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://gb.archive.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
myself@server:~$

And this is where I'm getting lost. According to the nginx website, the latest version is 1.17.5, or 1.14.2 for the 1.14 branch. Does it mean the Ubuntu repository has an outdated vulnerable version, or is there something more to this puzzle that I am missing?

ProTofik

1 Answer


You can check if the patch was applied by looking at the changelog:

apt-get changelog nginx

...
nginx (1.14.0-0ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: excessive memory consumption in HTTP/2 implementation
    - debian/patches/CVE-2018-16843.patch: add flood detection in
      src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    - CVE-2018-16843
  * SECURITY UPDATE: excessive CPU usage in HTTP/2 implementation
    - debian/patches/CVE-2018-16844.patch: limit the number of idle state
      switches in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    - CVE-2018-16844
  * SECURITY UPDATE: infinite loop in ngx_http_mp4_module
    - debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
      src/http/modules/ngx_http_mp4_module.c.
    - CVE-2018-16845

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 06 Nov 2018 13:54:15 -0500

Apparently, CVE-2018-16845 was patched on Nov 6 2018.

mikewhatever
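As an added example (not code from the question or the answer), this script makes the answer's check mechanical: it parses a Debian-style changelog for the CVE id and confirms the installed package revision is the fixing entry or a newer one, which is the check the upstream version string cannot give you. It assumes a POSIX shell with awk; the changelog excerpt is constructed to mirror the answer's output so it runs offline, and the dpkg-query/apt-get invocation in the final comment is what you would run on the real host.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: decide whether an
# Ubuntu/Debian package carries a backported CVE fix by reading its changelog,
# since the upstream version string (1.14.0) does not change when a fix is
# backported. Constructed changelog below mirrors the answer's output.

SAMPLE_CHANGELOG='nginx (1.14.0-0ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: infinite loop in ngx_http_mp4_module
    - debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
      src/http/modules/ngx_http_mp4_module.c.
    - CVE-2018-16845

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 06 Nov 2018 13:54:15 -0500

nginx (1.14.0-0ubuntu1) bionic; urgency=medium

  * New upstream release.  (constructed entry)

 -- Constructed Entry <constructed@example.invalid>  Tue, 17 Apr 2018 10:00:00 +0000
'

# Print the package revision whose entry first mentions the CVE (entries are
# newest-first); exit 1 if no entry mentions it. A digit-boundary check stops
# CVE-2018-1684 from matching CVE-2018-16845.
cve_fix_revision() {
    printf '%s\n' "$2" | awk -v cve="$1" '
        /^[a-z0-9.+-]+ \([^)]+\)/ { rev = $2; gsub(/[()]/, "", rev) }
        $0 ~ (cve "([^0-9]|$)") { print rev; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Exit 0 if the installed revision ($2, e.g. from dpkg-query -W -f '${Version}'
# nginx) is the fixing entry for CVE $1 or a newer one in changelog text $3.
package_has_fix() {
    printf '%s\n' "$3" | awk -v cve="$1" -v inst="$2" '
        /^[a-z0-9.+-]+ \([^)]+\)/ { n++; rev = $2; gsub(/[()]/, "", rev)
                                    if (rev == inst) inst_idx = n }
        $0 ~ (cve "([^0-9]|$)") && !fix_idx { fix_idx = n }
        END { exit (fix_idx && inst_idx && inst_idx <= fix_idx) ? 0 : 1 }'
}

# Offline demonstration: the patched revision passes, the older one does not.
for v in 1.14.0-0ubuntu1.2 1.14.0-0ubuntu1; do
    package_has_fix CVE-2018-16845 "$v" "$SAMPLE_CHANGELOG" &&
        echo "$v: fixed in $(cve_fix_revision CVE-2018-16845 "$SAMPLE_CHANGELOG")" ||
        echo "$v: CVE-2018-16845 fix not present"
done
# Real host (assumes nginx from the Ubuntu archive):
#   package_has_fix CVE-2018-16845 "$(dpkg-query -W -f '${Version}' nginx)" "$(apt-get changelog nginx)"
```

The installed revision must be compared against the changelog entry that names the CVE, not against upstream's 1.14.1, because Ubuntu ships the fix as a new Debian revision of the same upstream version.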