[SAC] [abuse #31856] CISA Security issues with OSGEO hosts

via RT abuse at osuosl.org
Thu Oct 28 20:13:49 PDT 2021


> If you've updated to the latest release in Debian 11, you should be good to go
> from my side. You should see version 1.18.0-6.1 or higher according to this [1]
> as they tend to backport patches so the versions don't always line up.
> 
> [1] https://security-tracker.debian.org/tracker/CVE-2021-23017
> 
[Regina Obe]
Okay, it shows this for osgeo3, so it looks patched:

nginx-full/stable,now 1.18.0-6.1 all [installed]


> > For the osgeo7 and osgeo4 -- they are both running Ubuntu 20.04.3 LTS
> > Which came with nginx 1.18.0
> >
> > And they are all at the latest patch level.  That is the latest LTS
> > for Ubuntu.
> 
> As long as they are up to date then it should be good.
> 
> > The patch for https://ubuntu.com/security/CVE-2021-23017  doesn't seem
> > to have been provided upstream yet.  I think if I switch repo to the
> > nginx one, I may be able to switch to the nginx-1.21 but I haven't
> > tried doing that yet.  I'll experiment with that later this week.
> 
> You should see something like the following if you've updated it:
> 
> dpkg-query -s nginx | grep Version:
> Version: 1.18.0-0ubuntu1.2
> 
> That's the version that's listed as being patched on ubuntu CVE site.
> 
> So as far as I can tell, you're good to go and the reporting system is likely not
> taking the ubuntu patched version into account.
> 
Output of

dpkg-query -s nginx | grep Version:

shows this on osgeo7 and osgeo4:

Version: 1.18.0-0ubuntu1.2


So yes, they look patched.  Thanks for the patch info.  I missed that
subtlety in the CVE.

Thanks,
Regina
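As an added example (not part of this thread, nor OSGeo or distro tooling), the check the thread does by eye, done in Python: it implements the dpkg version-ordering rules (epoch, upstream, revision, with '~' sorting lowest) and compares the Version: field of dpkg-query -s nginx output against the distro-specific fixed versions quoted above. The fixed versions are the ones named in the thread; the dict keys and the sample dpkg output are my own constructions.

```python
import re
# Minimum fixed nginx versions quoted in the thread for CVE-2021-23017
# (Debian 11 / Ubuntu 20.04); the dict keys are my own labels.
FIXED_NGINX = {"debian11": "1.18.0-6.1", "ubuntu20.04": "1.18.0-0ubuntu1.2"}
def _order(c):
    # dpkg weight: digit 0, letter its code, '~' -1 (below even ""), other chars code+256.
    if c.isdigit() or not c:
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    # dpkg's string compare: alternate non-digit runs (by weight) and digit runs (numeric).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # "" once a string runs out
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # leading zeros are not significant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # longer digit run = bigger number
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):
    # -1/0/1 like `dpkg --compare-versions` on [epoch:]upstream[-revision].
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    for x, y in zip(split(a), split(b)):
        c = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if c: return (c > 0) - (c < 0)
    return 0

def installed_version(dpkg_status):
    # Pull the Version: field out of `dpkg-query -s <pkg>` output.
    m = re.search(r"^Version:\s*(\S+)", dpkg_status, re.M)
    return m.group(1) if m else None
def is_patched(dpkg_status, distro):
    v = installed_version(dpkg_status)
    return v is not None and compare_versions(v, FIXED_NGINX[distro]) >= 0
# Constructed sample matching what the thread reports for osgeo7/osgeo4.
SAMPLE_STATUS = "Package: nginx\nStatus: install ok installed\nVersion: 1.18.0-0ubuntu1.2\n"
```

A scanner that keys only on the upstream 1.18.0 string will flag these hosts; comparing against the distribution's own fixed package version is what tells a backported fix apart from an unpatched install.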
