Hi

We are running Nginx version 1.8 ( nginx-1.8.1-1.amzn1.ngx.x86_64 ) in our servers. So in the Vulnerability Assessment, Nessus gave report that it is vulnerable.

Current version :- nginx-1.8.1-1.amzn1.ngx.x86_64
Fix Version ( According to Nessus ) :- nginx-1.8.1-1.26.amzn1

I don’t seem to find the " Fix Version " of Nginx which Nessus suggested.
Is there any work around for this ?
Is 1.8 the latest stable version which is available or we can move forward with higher one ?

Any help will be appreciated!

Hi Zeal,
On 3/22/16 3:05 PM, Zeal Vora wrote:

> I don’t seem to find the " Fix Version " of Nginx which Nessus suggested.
> Is there any work around for this ?
> Is 1.8 the latest stable version which is available or we can move forward with higher one ?
> Any help will be appreciated!

Does it help?
https://alas.aws.amazon.com/ALAS-2016-655.html
–
Maxim K.

On Tuesday 22 March 2016 17:35:19 Zeal Vora wrote:

> I don’t seem to find the " Fix Version " of Nginx which Nessus suggested.
> Is there any work around for this ?
> Is 1.8 the latest stable version which is available or we can move forward with higher one ?
> Any help will be appreciated!

The CVE-2016-0742 that is referenced in the report is fixed in nginx 1.8.1.
See here for the official information:
http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
http://nginx.org/en/security_advisories.html
wbr, Valentin V. Bartenev

@Maxim :-
Thanks. Actually we compile Nginx so to include additional modules. The solution mentioned in Amazon page is " yum update nginx " is something which will not help as we will need the tar.gz / SRPM file for that version.

@Valentin :-
Thanks, actually we already have 1.8.1 but the reported fix is in nginx-1.8.1-1.26 for which I can’t find any SRPM / tar.gz file.

On 3/22/16 3:17 PM, Zeal Vora wrote:

> in nginx-1.8.1-1.26 for which I can’t find any SRPM / tar.gz file.

The nessus report is about the package version. “nginx-1.8.1-1.26” is something AWS specific, it doesn’t come from nginx.org.

If you built your own package or compiled nginx from the nginx.org sources you are safe with 1.8.1.
–
Maxim K.
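
Added example (not part of the thread, and not Nessus or Amazon code): a simplified RPM-style comparison of the two package strings from the first message, showing how a check on the package release string can flag a build whose upstream version is already 1.8.1, the release named above as fixing CVE-2016-0742. The helper names, the `ARCHES` set and the assumption that the scanner compares version and release this way are illustrative; the upstream result only applies to nginx built from nginx.org sources, as the last reply says.

```python
import re

# Assumption: architecture suffixes that may trail an RPM release string.
ARCHES = {"x86_64", "i686", "noarch", "aarch64"}

def rpmvercmp(a, b):
    """Compare version or release strings by RPM's segment rules.

    Returns -1, 0 or 1. Epoch, '~' and '^' are not handled in this sketch."""
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            # A numeric segment sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def split_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    name, version, release = pkg.rsplit("-", 2)
    head, _, tail = release.rpartition(".")
    if head and tail in ARCHES:
        release = head
    return name, version, release

def assess(installed, scanner_fix, upstream_fixed):
    """Contrast the package-string check with the upstream-version check."""
    _, ver, rel = split_nvr(installed)
    _, fix_ver, fix_rel = split_nvr(scanner_fix)
    pkg_cmp = rpmvercmp(ver, fix_ver) or rpmvercmp(rel, fix_rel)
    return {
        "flagged_by_package_check": pkg_cmp < 0,
        "upstream_version_fixed": rpmvercmp(ver, upstream_fixed) >= 0,
    }

if __name__ == "__main__":
    # Package strings and the fixed upstream version are the ones quoted in the thread.
    print(assess("nginx-1.8.1-1.amzn1.ngx.x86_64",
                 "nginx-1.8.1-1.26.amzn1", "1.8.1"))
```

The release `1.amzn1.ngx` sorts below `1.26.amzn1` because the second segment is alphabetic on one side and numeric on the other, so the package check fires even though both upstream versions are 1.8.1.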