[SAC] [abuse #31856] CISA Security issues with OSGEO hosts

Lance Albertson via RT abuse at osuosl.org
Thu Oct 28 08:44:21 PDT 2021


> [Regina Obe] 
> I did upgrade osgeo3 to Debian 11 and nginx 1.18.0, so they are all running
> nginx 1.18.0 now.
> 
> To get the newer nginx 1.20 I'd have to upgrade to Debian 12 (bookworm), which
> hasn't come out yet.

If you've updated to the latest release in Debian 11, you should be good to go
from my side. You should see version 1.18.0-6.1 or higher according to this [1],
as they tend to backport patches so the versions don't always line up.

[1] https://security-tracker.debian.org/tracker/CVE-2021-23017

> For the osgeo7 and osgeo4 -- they are both running Ubuntu 20.04.3 LTS, which
> came with nginx 1.18.0.
> 
> And they are all at the latest patch level.  That is the latest LTS for
> Ubuntu.

As long as they are up to date then it should be good.

> The patch for https://ubuntu.com/security/CVE-2021-23017  doesn't seem to have
> been provided upstream yet.  I think if I switch repo to the nginx one, I may
> be able to switch to the nginx-1.21 but I haven't tried doing that yet.  I'll
> experiment with that later this week.

You should see something like the following if you've updated it:

dpkg-query -s nginx | grep Version:
Version: 1.18.0-0ubuntu1.2

That's the version that's listed as being patched on the Ubuntu CVE site.

So as far as I can tell, you're good to go and the reporting system is likely
not taking the Ubuntu-patched version into account.

Thanks for looking into this!

-- 
Lance Albertson
Director
Oregon State University | Open Source Lab 
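An added example, not part of this thread or of OSGeo's or OSUOSL's tooling: the check a reporting system should make on a Debian/Ubuntu host, comparing the Version field from `dpkg-query -s` against the distro's fixed version using dpkg's version ordering (reimplemented here so it runs anywhere; on the host itself `dpkg --compare-versions` is authoritative), next to the upstream-only comparison that produces the false positive. The upstream fix release it contrasts against is an assumed placeholder, not a value from the thread.

```python
import re
from itertools import zip_longest

UBUNTU_FIXED = "1.18.0-0ubuntu1.2"  # fixed version on the Ubuntu CVE page, per the thread
UPSTREAM_FIXED = "1.20.1"  # assumed upstream fix release: placeholder for the false-positive demo

def _order(c):
    # dpkg's weight for one non-digit char: '~' < end of string < letters < other symbols.
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_fragment(a, b):
    # Port of dpkg's verrevcmp(): walk alternating non-digit and digit runs of both strings.
    runs = [re.findall(r"(\D*)(\d*)", s) for s in (a, b)]
    for (sa, na), (sb, nb) in zip_longest(*runs, fillvalue=("", "")):
        n = max(len(sa), len(sb))  # pad with weight 0: shorter run sorts above '~', below letters
        wa, wb = ([_order(s[k:k + 1]) for k in range(n)] for s in (sa, sb))
        if wa != wb:
            return -1 if wa < wb else 1
        va, vb = int(na or -1), int(nb or -1)  # a missing digit run loses to any number
        if va != vb:
            return -1 if va < vb else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]: the first ':' ends the epoch, the last '-' starts the revision.
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def installed_version(dpkg_status):
    # Pull the Version: field out of `dpkg-query -s <pkg>` output (the command in the thread).
    for line in dpkg_status.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Version: field in dpkg-query output")

def is_patched(installed, distro_fixed):
    # Correct check: the full distro version against the distro's own fixed version.
    return compare_versions(installed, distro_fixed) >= 0

def upstream_only_flags(installed, upstream_fixed):
    # The naive scanner check behind the false positive: compares the upstream part only.
    return compare_versions(_split(installed)[1], upstream_fixed) < 0
```

Feed it the real `dpkg-query -s nginx` output and the fixed version from the distro's security tracker; a scanner that only looks at the upstream number will keep flagging the host even though `is_patched` is true.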

