这可能是一个新手问题,因为我几个月前才开始接触 Linux。不知出于什么原因,我决定检查是否存在任何 nginx 漏洞,结果我发现CVE-2018-16845其中指出“nginx 1.15.6、1.14.1版本之前存在漏洞...”。
我的 Ubuntu 服务器设置为自动更新,因此我决定检查我正在运行的 nginx-light 版本。
myself@server:~$ nginx -v
nginx version: nginx/1.14.0 (Ubuntu)
myself@server:~$ uname -a
Linux server 4.15.0-66-generic #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
myself@server:~$ sudo apt update
Hit:1 http://as-repository.openvpn.net/as/debian bionic InRelease
Hit:2 http://gb.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Hit:4 http://gb.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://gb.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://gb.archive.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
myself@server:~$
这就是我迷茫的地方。根据 nginx 网站,最新版本是 1.17.5,或 1.14 分支的 1.14.2。这是否意味着 Ubuntu 存储库的易受攻击版本已过时,或者这个谜题中还有其他我遗漏的东西?
答案1
您可以通过查看变更日志来检查补丁是否已应用:
apt-get changelog nginx
...
nginx (1.14.0-0ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: excessive memory consumption in HTTP/2 implementation
- debian/patches/CVE-2018-16843.patch: add flood detection in
src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
- CVE-2018-16843
* SECURITY UPDATE: excessive CPU usage in HTTP/2 implementation
- debian/patches/CVE-2018-16844.patch: limit the number of idle state
switches in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
- CVE-2018-16844
* SECURITY UPDATE: infinite loop in ngx_http_mp4_module
- debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
src/http/modules/ngx_http_mp4_module.c.
- CVE-2018-16845
-- Marc Deslauriers <[email protected]> Tue, 06 Nov 2018 13:54:15 -0500
显然,CVE-2018-16845 已于 2018 年 11 月 6 日修补。