Monday, April 29, 2024
rated 0 times [  39] [ 0]  / answers: 1 / hits: 1742  / 2 Years ago, tue, february 1, 2022, 11:50:19

Concrete issue: The Oneiric nginx package is at version 1.0.5-1, released in July 2011 according to the changelog.



The recent memory-disclosure vulnerability (advisory page, CVE-2012-1180, DSA-2434-1) isn't fixed in 1.0.5-1. If I'm not misreading the Ubuntu CVE page, all Ubuntu versions seem to ship a vulnerable nginx.




  1. Is this true?

     If so: I thought there was a security team at Canonical that's actively working on issues like this, so I expected to get a security update within a short timeframe (hours or days) through apt-get update.

  2. Is this expectation -- that keeping my packages up-to-date is enough to stop my server from having known vulnerabilities -- generally wrong?

  3. If so: What should I do to keep it secure? Reading the Ubuntu security notices wouldn't have helped in this case, as the nginx vulnerability was never posted there.




 Answers

Ubuntu is currently divided into four components: main, restricted, universe and multiverse. Packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while packages in universe and multiverse are supported by the Ubuntu community. See the security team FAQ for more information.



Since nginx is in the Universe component, it does not get updates from the security team. It is up to the community to fix security issues in that package. See here for the exact procedure.



You can use Software Center or the ubuntu-support-status command line tool to determine which packages are officially supported, and for how long.






Update from the future: Nginx is moving to main so will receive support from the Ubuntu Security Team at that point. If you're unsure whether your version will, just look at apt-cache show nginx and look for the "Section" tag. When that's in Main, you're getting Canonical support for it.


[#39459] Thursday, February 3, 2022
ntlesslving
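The "Section" check described in the answer above can be scripted across many packages. This is an added example, not part of the original answer: the function name and the sample stanzas are constructed, and it assumes a Section value without a "component/" prefix means main.

```shell
#!/bin/sh
# Added example (not from the original answer): map each stanza of
# `apt-cache show` output to its archive component and support owner.

# Reads control stanzas on stdin.
# Prints: <package> <version> <component> <supported-by>
classify_components() {
    awk '
        function emit(   n, parts, comp, who) {
            if (pkg != "") {
                if (section == "") {
                    # No Section field: do not guess a component.
                    comp = "unknown"; who = "unknown"
                } else {
                    # Assumption: "universe/httpd" -> universe, bare "httpd" -> main.
                    n = split(section, parts, "/")
                    comp = (n > 1) ? parts[1] : "main"
                    who = (comp == "main" || comp == "restricted") ? "security-team" : "community"
                }
                print pkg, ver, comp, who
            }
            pkg = ""; ver = ""; section = ""
        }
        /^Package:/ { pkg = $2 }
        /^Version:/ { ver = $2 }
        /^Section:/ { section = $2 }
        /^$/        { emit() }   # a blank line ends a stanza
        END         { emit() }   # the last stanza may have no trailing blank line
    '
}

# Constructed sample stanzas (placeholder versions, not real archive data).
sample_stanzas() {
    cat <<'EOF'
Package: nginx
Section: universe/httpd
Version: 0.0.0-sample

Package: openssh-server
Section: net
Version: 0.0.0-sample

Package: example-codec
Section: multiverse/sound
Version: 0.0.0-sample
EOF
}

# On a real system: apt-cache show nginx | classify_components
sample_stanzas | classify_components
```

Because `apt-cache show` prints one stanza per available version, a package can appear on several output lines; each line reflects the component of that particular version.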

Total Points: 123
Total Questions: 109
Total Answers: 113

Location: South Korea
Member since Fri, Sep 11, 2020
4 Years ago
;