Discussion:
Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution
Klaus Singvogel
2020-09-15 08:20:01 UTC
Permalink
We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution v3.30.5-1.1 installed along with other packages.
[...]
When can we expect latest versions of Nginx and GNOME Evolution to be available in Debian 10 ?
Which security bugs do you think are in the Debian 10 version of Nginx
v1.14.2 or GNOME Evolution v3.30.5-1.1 not fixed?

https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog

https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog

Please name us the CVE identifiers, which you believe Debian 10 is affected by.

Thanks in advance.

Best regards,
Klaus.
--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
Reco
2020-09-15 09:40:01 UTC
Permalink
Hi.

Please do not top post.
Hi Klaus,
1.) Pertaining to Nginx there is no CVE-ID; the main concern is:
according to the nginx download page (http://nginx.org/en/download.html),
Nginx 1.14.x is no longer supported and will not be getting regular
patches. So, if any security vulnerabilities arise, the system would
be at high risk as the vendor no longer provides updates.
No known CVE = no problem. Unless of course you just happen to know a
private zero-day.
And, as the version of nginx shows, they've fixed some CVEs in the past,
thrice for the duration of buster.
2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879.
This ID isn't present in the links which you've shared.
Buster's evolution is vulnerable indeed - [1]. Security impact is low,
so it's hardly a surprise it is not fixed yet.

Reco

[1] https://security-tracker.debian.org/tracker/source-package/evolution
Klaus Singvogel
2020-09-15 09:40:01 UTC
Permalink
Hi Revanth,

as you might have found out now, the Debian Security team is backporting
security patches to older versions of OpenSource software, and Debian 10
isn't insecure.

The advantage of backporting is that you don't have to adapt config files
to the latest syntax on an update, nor introduce incompatible libraries to
your system on update.

So, don't worry about the older versions of software regarding security.
They are getting regular patches by the Debian Security team, even when
the package maintainer doesn't support this version anymore.

I want to thank here the Debian Security team for their excellent job they
did in the past and the future. Thank you.

Regarding missing CVE-2020-11879 for GNOME Evolution: I don't have the
proof, but I think this points to the fact that the shipped version isn't
affected.

Best regards,
Klaus.
Hi Klaus,
1.) Pertaining to Nginx there is no CVE-ID; the main concern is:
According to the nginx download page (http://nginx.org/en/download.html), Nginx 1.14.x is no longer supported and will not be getting regular patches. So, if any security vulnerabilities arise, the system would be at high risk as the vendor no longer provides updates.
2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879. This ID isn't present in the links which you've shared.
Thanks,
Revanth.
--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
t***@tuxteam.de
2020-09-15 12:50:01 UTC
Permalink
Hi Klaus,
Just needed to re-confirm a couple of things here
1. I understand that the NGINX version shipped by default is secure and will be updated with patches should there be some security issues. But my question is, can we expect the latest version of NGINX (i.e. v1.18.x) to be available in Debian 10 soon? If yes, when?
Debian doesn't change package versions in its stable release
(except exceptions, see Greg's post in this thread).

That's the meaning of "stable". Debian 10, aka Buster is
the current stable version [1]. So the answer is "most
probably not".
2. Please provide some kind of confirmation on CVE-2020-11879.
If the vulnerability was already addressed, please point me to some article which confirms the same.
If not addressed, please confirm when we can expect version 3.35.91 or greater to be available in Debian 10.
Well, you can do that yourself. Enter "CVE-2020-11879 site:debian.org"
into your favourite Internet search engine (which hopefully isn't
Google, but I digress), and you'll be led to [2]. Follow the links
from there, and you'll get lots of information :-)

Cheers

[1] https://www.debian.org/releases/index.html
[2] https://security-tracker.debian.org/tracker/CVE-2020-11879

- t
Greg Wooledge
2020-09-15 12:50:01 UTC
Permalink
1. I understand that the NGINX version shipped by default is secure and will be updated with patches should there be some security issues. But my question is, can we expect the latest version of NGINX (i.e. v1.18.x) to be available in Debian 10 soon? If yes, when?
No.

Please read <https://www.debian.org/security/faq>.
Dan Ritter
2020-09-15 13:00:01 UTC
Permalink
Just needed to re-confirm a couple of things here
1. I understand that the NGINX version shipped by default is secure and will be updated with patches should there be some security issues. But my question is, can we expect the latest version of NGINX (i.e. v1.18.x) to be available in Debian 10 soon? If yes, when?
No, never.

Debian creates stable releases. That means that, unless there is
a compelling reason, no new major versions are packaged.
Instead, security patches are applied as necessary.

When Debian 11 is released, most likely in 2021, there will be a new
major version of nginx.

You want to subscribe to the debian-security-announce list, and
at least look at the archives of debian-security.

You should read through the Debian Handbook, too.
https://debian-handbook.info/

-dsr-
Klaus Singvogel
2020-09-15 13:40:01 UTC
Permalink
Hi Revanth,
Hi Klaus,
Just needed to re-confirm a couple of things here
1. I understand that the NGINX version shipped by default is secure and will be updated with patches should there be some security issues. But my question is, can we expect the latest version of NGINX (i.e. v1.18.x) to be available in Debian 10 soon? If yes, when?
As others said, and I explained already: no.

Debian 10's version of a package will never change. No new features, no
loss of features, no new syntax of configurations, no other changes.
2. Please provide some kind of confirmation on CVE-2020-11879.
If the vulnerability was already addressed, please point me to some article which confirms the same.
If not addressed, please confirm when we can expect version 3.35.91 or greater to be available in Debian 10.
No: no new version.

If you're unhappy with that, think about these choices:

- install upcoming Debian 11 (Testing, Bullseye) and live with the changes
of packages and possible errors in the system. Release date unknown.

- install Debian Sid (Unstable) and live with many more changes

- if both are not fulfilling your needs, think about a different
distribution: LFS (Linux from Scratch), or Yocto, or a commercial one.

But beware of the security updates. AFAIK both LFS and Yocto need
your effort to keep your machine(s) secure.

Best regards,
Klaus.
--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
Greg Wooledge
2020-09-15 13:50:02 UTC
Permalink
Post by Klaus Singvogel
No: no new version.
- install upcoming Debian 11 (Testing, Bullseye) and live with the changes
of packages and possible errors in the system. Release date unknown.
- install Debian Sid (Unstable) and live with many more changes
- if both are not fulfilling your needs, think about a different
distribution: LFS (Linux from Scratch), or Yocto, or a commercial one.
Another choice would be to run Debian stable, but don't install Debian's
version of nginx. Use upstream's releases, compile them yourself, and
update them yourself whenever you need to (for security reasons or
otherwise).

Personally I'd prefer to let the Debian security team do all that work
for me, but the OP seems to value large numbers for their own sake.
Eduardo M KALINOWSKI
2020-09-15 14:00:01 UTC
Permalink
Post by Klaus Singvogel
No: no new version.
- install upcoming Debian 11 (Testing, Bullseye) and live with the changes
of packages and possible errors in the system. Release date unknown.
- install Debian Sid (Unstable) and live with many more changes
You can also check if there is a newer version in backports (there
doesn't seem to be), and you can request one (but it will depend on some
volunteer's effort to create it, so no guarantees).

But note that there is no official security support for backports. A
newer version may also get backported, but it might take a while, or it
might not happen.
--
We gave you an atomic bomb, what do you want, mermaids?
-- I. I. Rabi to the Atomic Energy Commission

Eduardo M KALINOWSKI
***@kalinowski.com.br
Greg Wooledge
2020-09-15 11:40:01 UTC
Permalink
1.) Pertaining to Nginx there is no CVE-ID, main concern is,
According to nginx download page, (http://nginx.org/en/download.html) Nginx 1.14.x is no longer supported and will not be getting regular patches. So, if any security Vulnerabilities arise then system would be at high risk as the vendor no longer provide updates.
The Debian security team backports patches to fix security issues
whenever possible.

*If* in the future a vulnerability is discovered which cannot easily be
fixed by a patch backported from a future version of nginx, then the
security team *may* opt to use a newer upstream version of nginx in
the stable release. There is some precedent for this with other packages
such as samba and bind9.