Ubuntu 16.04 LTS nginx version end of life?

Asked by hanzz on 2018-01-10

Hi there,
an automated security check of our servers showed a potential vulnerability:

 Versions prior to nginx-1.13.5 and nginx-1.12.1 are no longer supported.

I checked our machine running Ubuntu 16.04 LTS latest release with all patches/updates installed, nginx version is:

nginx version: nginx/1.10.3 (Ubuntu)

Is it true that the newest Ubuntu LTS version delivers and EOL nginx http server ?

Hans

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu nginx Edit question
Assignee:
Thomas Ward Edit question
Solved by:
hanzz
Solved:
2018-01-12
Last query:
2018-01-12
Last reply:
2018-01-10
Thomas Ward (teward) said : #1

Your security checker is solely basing it on the version number that NGINX upstream specifies.

Many of the security patches released for security issues are able to be set up properly by both myself or the Ubuntu SEcurity Team to patch vulnerabilities in the NGINX versions, EOL or otherwise by the upstream nginx developers.

To short-answer your question, "Yes, it's EOL, but only in that it's not actively developed, and we still backport the security patches into the software regularly".

If you *need* newer software to get your scanners to stop complaining (you COULD just suppress the errors), you can use https://launchpad.net/~nginx/+archive/ubuntu/stable (for stable branch tracking) or https://launchpad.net/~nginx/+archive/ubuntu/development (for mainline branch tracking) for the newer software versions. This is maintained by myself, not the Ubuntu Security Team, but is usually kept 'updated' (however, this is not currently the case because of issues with the Launchpad build farm which have prevented the latest builds to run yet)

Thomas Ward (teward) said : #2

You may also find this helpful to understand how Ubuntu releases handle 'versions' of software: https://askubuntu.com/questions/151283/why-dont-the-ubuntu-repositories-have-the-latest-versions-of-software

hanzz (hans-prueller) said : #3

Hi Thomas,

thank you for your answer. The "problem" is, that we are running services on some Ubuntu servers for our customers. They did Qualys-checks against that server(s) and the Qualys report stated this as "potential" SEVERITY=5 vulnerability.

I can try to forward your answer to our customer and hope they are happy, but if not - i'd need something "official". Would that be available?

Probably it could also be forwarded to Qualys (by Canonical) that the current Ubuntu-based nginx 1.10 is not EOL from that point of view so they drop it from their reports ?

regards,
Hans

https://nginx.org/en/linux_packages.html#stable

If you run:

cd /tmp
wget https://nginx.org/keys/nginx_signing.key
sudo apt-key add ./nginx_signing.key
sudo vi /etc/apt/sources.list.d/nginx.list

(Use a different editor if you like). Add the below 2 lines:

deb http://nginx.org/packages/ubuntu/ xenial nginx
deb-src http://nginx.org/packages/ubuntu/ xenial nginx

Save the new file and run:

sudo apt-get update
sudo apt-get install nginx

This will update the software for you

Thomas Ward (teward) said : #5

However, it is not a drop-in replacement, that actionparsnip gives, for the Ubuntu-esque packaging. Considering that NGINX upstream does not ascribe to the idea of a sites-enabled directory, configuration is a bit more tricky if you aren't fluent in the NGINX configuration file.

Doable, yes, but not nicely, actionparsnip.

As for telling Qualys they're wrong, they can't base their detection signatures *solely* on whether it's supported in a given release or not. It's not wrong - 1.10.x is EOL upstream - but it's still supported here actively by the Ubuntu SEcurity Team and myself until 16.04 goes End of Life in 2021.

hanzz (hans-prueller) said : #6

Hi Thomas,

thank you for your answer. I am happy with that and will forward your last paragraph saying:

"As for telling Qualys they're wrong, they can't base their detection signatures *solely* on whether it's supported in a given release or not. It's not wrong - 1.10.x is EOL upstream - but it's still supported here actively by the Ubuntu SEcurity Team and myself until 16.04 goes End of Life in 2021."

to our customer that performed the Qualys check(s). I hope they will accept that and we can just suppress the finding(s).