[SAC] [abuse #31856] CISA Security issues with OSGEO hosts

via RT abuse at osuosl.org
Wed Oct 27 21:02:46 PDT 2021


> On Mon Oct 18 15:48:52 2021, lr at pcorp.us wrote:
> > Okay will take a look at these later this week.
> > Weird I thought upgrading nginx on Ubuntu to 1.18 would do the trick.
> > Guess the goal post has moved to 1.20.
> 
> Unfortunately yes. I'd assume the packages from Ubuntu include the fix as
> long you update them.
> 
> > Osgeo3 is running nginx on debian and though it is an older nginx, it
> > looked like Debian had patched these for lower versions.
> > But I'll upgrade that to latest.
> 
> Excellent.
> 
> > Osgeo6.osgeo.osuosl.org -- sslabs says the cert is fine - says A+ for
> > https://osgeo6.osgeo.osuosl.org You think this is just a false
> > positive because of issues with LetsEncrypt old root cert or is it
> > complaining about a different cert?
> 
> Yeah, I think their testing system must be using an outdated ca-cert. I was
> going to ask that so you can probably ignore it for now.
> 
> Any updates on getting these updates in the past week? The report from a few
> days ago still shows the nginx issue.
> 
> Thanks-
> 
> --
> Lance Albertson
> Director
> Oregon State University | Open Source Lab
[Regina Obe] 
I did upgrade osgeo3 to Debian 11 and nginx 1.18.0
So they are all running nginx 1.18.0 now.

To get the newer nginx 1.20 I'd have to upgrade to Debian 12 (bookworm),
which hasn't come out yet.

For the osgeo7 and osgeo4 -- they are both running Ubuntu 20.04.3 LTS 
Which came with nginx 1.18.0

And they are all at the latest patch level.  That is the latest LTS for
Ubuntu.

The patch for https://ubuntu.com/security/CVE-2021-23017  doesn't seem to
have been provided upstream yet.  I think if I switch repo to the nginx one,
I may be able to switch to the nginx-1.21 but I haven't tried doing that
yet.  I'll experiment with that later this week.

Thanks,
Regina
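The disagreement in this thread (scanner says nginx 1.18.0 is affected by CVE-2021-23017, the distro says its 1.18.0 package is patched) is the usual version-banner versus backport problem. The following POSIX shell script is an added example and is not part of the thread or of anything OSGeo or OSUOSL runs: it combines what a scanner sees (the banner version) with what the distro actually shipped (the package changelog) before calling a host vulnerable. The upstream fixed versions 1.20.1 and 1.21.0 are taken from the nginx advisory for this CVE; the two changelog snippets are constructed for the example and are not real Ubuntu or Debian changelog entries.

```shell
#!/bin/sh
# Added example (not from the thread): triage a CVE-2021-23017 scanner finding
# against a distro-packaged nginx. A banner below the upstream fix version is
# only "vulnerable" if the package changelog does not record a backported fix.

# version_lt A B -> exit 0 if dotted version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal is not "less than"
    }'
}

# First upstream stable release carrying the fix (nginx advisory: 1.20.1, 1.21.0).
UPSTREAM_FIXED="1.20.1"
CVE_ID="CVE-2021-23017"

# cve_status VERSION CHANGELOG_TEXT -> prints one token:
#   upstream-fixed  banner version already includes the upstream fix
#   backport-fixed  older version, but the distro changelog records the CVE
#   vulnerable      older version and no backport recorded
cve_status() {
    ver="$1"
    changelog="$2"
    if ! version_lt "$ver" "$UPSTREAM_FIXED"; then
        echo "upstream-fixed"
    elif printf '%s\n' "$changelog" | grep -q "$CVE_ID"; then
        echo "backport-fixed"
    else
        echo "vulnerable"
    fi
}

# Live check for a Debian/Ubuntu host: banner from `nginx -v` (written to
# stderr), backport evidence from the nginx package's changelog.Debian.gz.
check_local_nginx() {
    ver=$(nginx -v 2>&1 | sed -n 's#.*nginx/\([0-9.]*\).*#\1#p')
    log=$(zcat /usr/share/doc/nginx/changelog.Debian.gz 2>/dev/null || true)
    cve_status "$ver" "$log"
}

# Constructed sample changelog entries (format modelled on Debian changelogs,
# content made up for this example; the package revisions are placeholders).
LOG_PATCHED='nginx (1.18.0-0example2) focal-security; urgency=medium

  * SECURITY UPDATE: off-by-one in resolver response handling
    - CVE-2021-23017

 -- Example Maintainer <maint@example.invalid>  Tue, 01 Jun 2021 12:00:00 +0000'

LOG_UNPATCHED='nginx (1.18.0-0example1) focal; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.invalid>  Mon, 27 Apr 2020 12:00:00 +0000'

# Stand-alone demo: the same banner version gives different answers depending
# on what the package changelog says.
printf '1.18.0 with backport entry : %s\n' "$(cve_status 1.18.0 "$LOG_PATCHED")"
printf '1.18.0 without backport    : %s\n' "$(cve_status 1.18.0 "$LOG_UNPATCHED")"
printf '1.21.0 upstream            : %s\n' "$(cve_status 1.21.0 "$LOG_UNPATCHED")"
```

Run `check_local_nginx` on the host itself to replace a scanner's banner-only verdict with one that accounts for distro backports; a result of `vulnerable` on a fully updated LTS host is the case this thread describes, where the package has not yet received the fix and switching to the vendor repository or a newer release is the remaining option.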
