
RE: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution



Hi Klaus,

Just needed to re-confirm a couple of things here.

1. I understand that the NGINX version shipped by default is secured and will be updated with patches should there be some security issues. But my question is: can we expect the latest version of NGINX (i.e. v1.18.x) to be available in Debian 10 soon? If yes, when?

2. Please provide some kind of confirmation on CVE-2020-11879.
	If the vulnerability was already addressed, please point me to some article which confirms the same.
	If not addressed, please confirm when we can expect version 3.35.91 or greater to be available in Debian 10?

Thanks,
Revanth.

-----Original Message-----
From: Klaus Singvogel <deb-user-ml@singvogel.net> 
Sent: 15 September 2020 15:10
To: Suryadevara, Revanth <Revanth.Suryadevara@arcserve.com>
Cc: debian-user@lists.debian.org
Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

Hi Revanth,

as you might have found out by now, the Debian Security team backports security patches to older versions of open-source software, and Debian 10 isn't insecure.

The advantage of backporting is that you don't have to adapt config files to the latest syntax on an update, nor introduce incompatible libraries into your system on update.

So, don't worry about the older versions of software regarding security.
They get regular patches from the Debian Security team, even when the package maintainer doesn't support this version anymore.

I want to thank here the Debian Security team for their excellent job, in the past and in the future. Thank you.

Regarding the missing CVE-2020-11879 for GNOME Evolution: I don't have the proof, but I think this points to the fact that the shipped version isn't affected.

Best regards,
	Klaus.

Suryadevara, Revanth wrote:
> Hi Klaus,
> 	
> 1.) Pertaining to Nginx there is no CVE-ID; the main concern is that, according to the nginx download page (https://us-east-2.protection.sophos.com?d=nginx.org&u=aHR0cDovL25naW54Lm9yZy9lbi9kb3dubG9hZC5odG1s&e=cmV2YW50aC5zdXJ5YWRldmFyYUBhcmNzZXJ2ZS5jb20=&t=QjhjRHpDSVhOY2tZQWxCRzZrQTdxSXRJRklrSko2bEVqbnBFcGhvZGhzZz0=&h=8babb3b80f934e38bc57897e4ca56711), Nginx 1.14.x is no longer supported and will not be getting regular patches. So, if any security vulnerabilities arise then the system would be at high risk, as the vendor no longer provides updates.
> 
> 2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879. This ID isn't present in the links which you've shared.
> 
> Thanks,
> Revanth.
> 
> -----Original Message-----
> From: Klaus Singvogel <deb-user-ml@singvogel.net>
> Sent: 15 September 2020 13:32
> To: Suryadevara, Revanth <Revanth.Suryadevara@arcserve.com>
> Cc: debian-user@lists.debian.org
> Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution
> 
> Suryadevara, Revanth wrote:
> > 
> > We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution v3.30.5-1.1 installed along with other packages.
> > 
> [...]
> > When can we expect latest versions of Nginx and GNOME Evolution to be available in Debian 10 ?
> 
> Which security bugs do you think are not fixed in the Debian 10 version of Nginx v1.14.2 or GNOME Evolution v3.30.5-1.1?
> 
> https://us-east-2.protection.sophos.com?d=debian.org&u=aHR0cHM6Ly9tZXRhZGF0YS5mdHAtbWFzdGVyLmRlYmlhbi5vcmcvY2hhbmdlbG9ncy8vbWFpbi9uL25naW54L25naW54XzEuMTQuMi0yK2RlYjEwdTNfY2hhbmdlbG9n&e=cmV2YW50aC5zdXJ5YWRldmFyYUBhcmNzZXJ2ZS5jb20=&t=V1JzK082WlRla1JMWEFzNjR4WDJvK1gwSHRoQTVkOWtISkFPc084Y0NRdz0=&h=1d129af62b6248948c99efacbb1de4f1
> 
> https://us-east-2.protection.sophos.com?d=debian.org&u=aHR0cHM6Ly9tZXRhZGF0YS5mdHAtbWFzdGVyLmRlYmlhbi5vcmcvY2hhbmdlbG9ncy8vbWFpbi9lL2V2b2x1dGlvbi9ldm9sdXRpb25fMy4zMC41LTEuMV9jaGFuZ2Vsb2c=&e=cmV2YW50aC5zdXJ5YWRldmFyYUBhcmNzZXJ2ZS5jb20=&t=eVVUdmdWUGNsVzVrTHp2N0M0cmU0UklHZzl5T0xGN3NtNno3aHRtY25yVT0=&h=1d129af62b6248948c99efacbb1de4f1
> 
> Please name the CVE identifiers which you believe Debian 10 is affected by.
> 
> Thanks in advance.
> 
> Best regards,
> 	Klaus.
> --
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27

--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27
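The backport model Klaus describes means the upstream version string (1.14.2, 3.30.5) does not tell you what is patched; the Debian changelog he links does, via the +deb10uN revision suffix. The following is an added example, not code from this thread or from Debian's tooling: it parses a changelog in Debian's format and reports which package revision first named a given CVE. The package name, versions, maintainer and CVE numbers in the sample are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Debian changelog entry header, e.g.
#   nginx (1.14.2-2+deb10u3) buster-security; urgency=high
_HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) (?P<dist>\S+);")
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample changelog (placeholder package and CVE IDs, not a real package).
SAMPLE_CHANGELOG = """\
examplepkg (1.0.0-2+deb10u2) buster-security; urgency=high

  * Backport upstream fix for CVE-2020-00002 (constructed placeholder).

 -- Example Maintainer <maint@example.org>  Tue, 15 Sep 2020 10:00:00 +0000

examplepkg (1.0.0-2+deb10u1) buster-security; urgency=high

  * Fix CVE-2020-00001 and CVE-2020-00003 (constructed placeholders).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jun 2020 10:00:00 +0000

examplepkg (1.0.0-2) unstable; urgency=medium

  * Initial upload.

 -- Example Maintainer <maint@example.org>  Wed, 01 Jan 2020 10:00:00 +0000
"""


def parse_changelog(text: str) -> List[Dict]:
    """Return entries newest-first, each with the set of CVE IDs it mentions."""
    entries: List[Dict] = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            entries.append({"version": m["ver"], "dist": m["dist"], "cves": set()})
        elif entries:
            entries[-1]["cves"].update(_CVE.findall(line))
    return entries


def upstream_version(version: str) -> str:
    """Strip the Debian revision: '1.0.0-2+deb10u2' -> '1.0.0' (unchanged by backports)."""
    return version.rsplit("-", 1)[0] if "-" in version else version


def fixed_in(text: str, cve: str) -> Optional[str]:
    """Oldest package revision whose changelog entry names the CVE, or None if absent."""
    hits = [e["version"] for e in parse_changelog(text) if cve in e["cves"]]
    return hits[-1] if hits else None
```

On a Debian host the same text can be obtained for an installed package with `apt-get changelog <package>` and piped into these functions; a CVE that is absent from the changelog may still be not applicable, as Klaus suggests for CVE-2020-11879, so the security tracker remains the authoritative source.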