
Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution



Hi Revanth,

As you might have found out by now, the Debian Security team is backporting
security patches to older versions of open source software, and Debian 10
isn't insecure.

The advantage of backporting is that you don't have to adapt config files
to the latest syntax on an update, nor introduce incompatible libraries to
your system on update.

So, don't worry about the older versions of software regarding security.
They are getting regular patches by the Debian Security team, even when
the package maintainer doesn't support this version anymore.

I want to thank the Debian Security team here for the excellent job they
did in the past and the future. Thank you.

Regarding the missing CVE-2020-11879 for GNOME Evolution: I don't have the
proof, but I think this points to the fact that the shipped version isn't
affected.

Best regards,
	Klaus.

Suryadevara, Revanth wrote:
> Hi Klaus,
> 	
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
> According to the nginx download page (http://nginx.org/en/download.html), Nginx 1.14.x is no longer supported and will not be getting regular patches. So, if any security vulnerabilities arise, then the system would be at high risk as the vendor no longer provides updates.
> 
> 2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879. This ID isn't present in the links which you've shared.
> 
> Thanks,
> Revanth.
> 
> -----Original Message-----
> From: Klaus Singvogel <deb-user-ml@singvogel.net> 
> Sent: 15 September 2020 13:32
> To: Suryadevara, Revanth <Revanth.Suryadevara@arcserve.com>
> Cc: debian-user@lists.debian.org
> Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution
> 
> Suryadevara, Revanth wrote:
> > 
> > We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution v3.30.5-1.1 installed along with other packages.
> > 
> [...]
> > When can we expect latest versions of Nginx and GNOME Evolution to be available in Debian 10 ?
> 
> Which security bugs do you think are in the Debian 10 version of Nginx
> v1.14.2 or GNOME Evolution v3.30.5-1.1 not fixed?
> 
> 	https://us-east-2.protection.sophos.com?d=debian.org&u=aHR0cHM6Ly9tZXRhZGF0YS5mdHAtbWFzdGVyLmRlYmlhbi5vcmcvY2hhbmdlbG9ncy8vbWFpbi9uL25naW54L25naW54XzEuMTQuMi0yK2RlYjEwdTNfY2hhbmdlbG9n&e=cmV2YW50aC5zdXJ5YWRldmFyYUBhcmNzZXJ2ZS5jb20=&t=V1JzK082WlRla1JMWEFzNjR4WDJvK1gwSHRoQTVkOWtISkFPc084Y0NRdz0=&h=1d129af62b6248948c99efacbb1de4f1
> 
> 	https://us-east-2.protection.sophos.com?d=debian.org&u=aHR0cHM6Ly9tZXRhZGF0YS5mdHAtbWFzdGVyLmRlYmlhbi5vcmcvY2hhbmdlbG9ncy8vbWFpbi9lL2V2b2x1dGlvbi9ldm9sdXRpb25fMy4zMC41LTEuMV9jaGFuZ2Vsb2c=&e=cmV2YW50aC5zdXJ5YWRldmFyYUBhcmNzZXJ2ZS5jb20=&t=eVVUdmdWUGNsVzVrTHp2N0M0cmU0UklHZzl5T0xGN3NtNno3aHRtY25yVT0=&h=1d129af62b6248948c99efacbb1de4f1
> 
> Please name us the CVE identifiers, which you believe Debian 10 is affected by.
> 
> Thanks in advance.
> 
> Best regards,
> 	Klaus.
> -- 
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27

-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27
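
Added example, not part of the original thread: a small changelog check that reports whether a CVE ID is mentioned at or below the installed package revision, which is how a backported fix shows up even though the upstream version number stays the same. The package name, versions and CVE IDs in the sample are constructed placeholders, and "not-mentioned" proves neither "affected" nor "unaffected".

```python
import re

# Constructed sample in Debian changelog format (newest entry first).
# Package name, versions and CVE IDs are placeholders, not real data.
SAMPLE_CHANGELOG = """\
examplepkg (1.0-1+deb10u2) buster-security; urgency=high

  * Backport upstream fix for CVE-0000-0002.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.0-1+deb10u1) buster-security; urgency=high

  * Backport upstream fixes (CVE-0000-0001, CVE-0000-0003).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.0-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000
"""

# Entry headers start in column 0; body and trailer lines are indented.
HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) ")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    """Return [(version, {CVE ids})] in file order (newest first)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append((m.group("ver"), set()))
        elif entries:
            entries[-1][1].update(CVE.findall(line))
    return entries

def cve_status(text, installed, cve):
    """Classify a CVE relative to the installed Debian revision."""
    entries = parse_changelog(text)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"{installed} not found in changelog")
    idx = versions.index(installed)
    if any(cve in ids for _, ids in entries[idx:]):   # installed or older
        return "fixed-in-installed"
    if any(cve in ids for _, ids in entries[:idx]):   # newer uploads only
        return "fixed-in-newer-upload"
    return "not-mentioned"
```

On a real system the input would be the package's own Debian changelog; a CVE that is absent from it still has to be checked against the Debian security tracker.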

