Does Ubuntu generally post timely security updates?
Concrete issue: The Oneiric nginx package is at version 1.0.5-1, released in July 2011 according to the changelog.
The recent memory-disclosure vulnerability (advisory page, CVE-2012-1180, DSA-2434-1) isn't fixed in 1.0.5-1. If I'm not misreading the Ubuntu CVE page, all Ubuntu versions seem to ship a vulnerable nginx.
-
Is this true?
If so: I thought there was a security team at Canonical that's actively working on issues like this, so I expected to get a security update within a short timeframe (hours or days) through
apt-get update
. Is this expectation -- that keeping my packages up-to-date is enough to stop my server from having known vulnerabilities -- generally wrong?
If so: What should I do to keep it secure? Reading the Ubuntu security notices wouldn't have helped in this case, as the nginx vulnerability was never posted there.
Solution 1:
Ubuntu is currently divided into four components: main, restricted, universe and multiverse. Packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while packages in universe and multiverse are supported by the Ubuntu community. See the security team FAQ for more information.
Since nginx is in the Universe component, it does not get updates from the security team. It is up to the community to fix security issues in that package. See here for the exact procedure.
You can use Software Center or the ubuntu-support-status
command line tool to determine which packages are officially supported, and for how long.
Update from the future: Nginx is moving to main so will receive support from the Ubuntu Security Team at that point. If you're unsure whether your version will, just look at apt-cache show nginx
and look for the "Section" tag. When that's in Main, you're getting Canonical support for it.
Solution 2:
The nginx package in ppa for precise is at Version 1.1.17-2 uploaded on 2012-03-19
.
If you need patches for CVEs that are still in candidate and not accepted, you might consider adding ppas.
On this particular package and bug here are some notes from the package bug tracker.
Solution 3:
Packages inside the Ubuntu 'main' repository are actively kept up to date by Canonical. (To be part of the default installation, a package must be inside main.)
However, for packages such as nginx, that are in the "universe" then I would not expect timely security updates. This is because these packages are maintained by volunteers, rather than Canonical. It would not be reasonable to expect Canonical to constantly monitor the tens of thousands of packages that exists in the universe.
Solution 4:
For packages that are on Debian based distributions such as Ubuntu, security patches are back-ported into the current release. Release versions are not updated as that may introduce incompatible features. Instead the security team (or package maintainer) will apply the security patch to the current version an release a patched version.
The version currently deployed may be vulnerable as it is not supported by the Ubuntu Security team. This does not mean that it is vulnerable as the package maintainer may have patched it. Check the
changelog
in the/usr/share/doc/nginx
directory to see if the security patch has been backported. If not the patch may be in progress and available in testing release.You are correct in assuming that keeping your server up to date will significantly reduce the period you are running insecure software. There are packages which can be configured to automatically download and optional install updates. These can also notify which patches were installed, or are ready for installation.
For packages that are not supported by the Security team, you may want to pay attention to any outstanding security issues. Evaluate the risk as not all vulnerabilities are exploitable on all systems. Some may be configuration dependent or require local access. Others may not be that significant without other problems, for example exploiting a race condition to replace a games high scores file.