Nginx version and OpenSSL vulnerabilities


James Wettenhall

Jun 11, 2014, 12:24:12 AM
to tardis...@googlegroups.com
Hi,

With the recent discovery of OpenSSL vulnerabilities, I've been reviewing the versions of Nginx and OpenSSL / libssl used on our MyTardis server.

I'm using Ubuntu 12.04.4 (Precise), and our Nginx was installed by this Chef recipe: https://github.com/mytardis/mytardis-chef/blob/master/site-cookbooks/mytardis/recipes/nginx.rb

The Chef recipe installed:

/etc/apt/sources.list.d/nginx-stable-lucid.list

but not 

/etc/apt/sources.list.d/nginx-stable-precise.list

Is there any reason why MyTardis needs to use Nginx's Lucid package on Precise?

Running "ldd /usr/sbin/nginx | grep ssl" shows that our Nginx is linking against the libssl 0.9.8 shared library (quite an old version of libssl).  As a result of this, I had to jump through an extra hoop to get this libssl library patched for the latest OpenSSL vulnerability.  I installed Ubuntu's Lucid .deb package for libssl 0.9.8 to patch the vulnerability, because the Precise .deb package for libssl 0.9.8 hasn't yet been patched:


So our MyTardis server is now listed as safe with regard to the recent OpenSSL vulnerabilities, however, I'm thinking maybe it's time to upgrade to an Nginx package which uses a more recent version of libssl, e.g. 1.0.1?

If anyone else has faced similar issues, can you comment on whether it's OK to replace the Chef-installed "/etc/apt/sources.list.d/nginx-stable-lucid.list" with "/etc/apt/sources.list.d/nginx-stable-precise.list" ?

Thanks,
James
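The two checks James describes (which libssl the nginx binary is actually linked against, and whether the Chef-installed apt source points at a different Ubuntu release than the one running) can be scripted. The script below is an added example, not code from this thread or from the mytardis-chef cookbook. It follows the paths named in the post (/usr/sbin/nginx, /etc/apt/sources.list.d/nginx*.list); the ldd output and sources.list contents it exercises are constructed samples standing in for a Precise host with the Lucid repository, not output captured from a real machine.

```shell
#!/bin/sh
# Added example for the checks discussed in the post above; not code from the
# thread or from the mytardis-chef cookbook. Paths follow the post; the sample
# ldd output and sources.list contents below are constructed, not captured.

# Print the soname of the libssl a binary links against, reading ldd output on
# stdin (lines like "libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x...)").
# Prints nothing if no libssl line is present (static link, or no TLS at all).
linked_libssl() {
    sed -n 's/^[[:space:]]*\(libssl\.so\.[0-9.]*\).*/\1/p' | head -n 1
}

# Read a sources.list fragment on stdin and print "MISMATCH <suite>" for every
# deb/deb-src line whose suite differs from the codename passed as $1.
# Bracketed option blocks such as "[arch=amd64]" are dropped before splitting
# so the suite is always the third field.
apt_source_mismatch() {
    awk -v want="$1" '
        /^[[:space:]]*deb(-src)?[[:space:]]/ {
            gsub(/\[[^]]*\]/, "")        # strip [options]; fields re-split
            if ($3 != want) print "MISMATCH " $3
        }'
}

# --- constructed sample data: a Precise host still using the Lucid repo ---
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff6b5ff000)
    libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f2c8c3a0000)
    libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f2c8c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c8bc40000)'

SAMPLE_SOURCES='# constructed stand-in for nginx-stable-lucid.list
deb http://nginx.org/packages/ubuntu/ lucid nginx
deb-src http://nginx.org/packages/ubuntu/ lucid nginx'

echo "sample: nginx links against $(printf '%s\n' "$SAMPLE_LDD" | linked_libssl)"
printf '%s\n' "$SAMPLE_SOURCES" | apt_source_mismatch precise | sed 's/^/sample: /'

# --- the same checks against this host, when the pieces are present ---
if [ -x /usr/sbin/nginx ] && command -v ldd >/dev/null 2>&1; then
    echo "host: nginx links against $(ldd /usr/sbin/nginx | linked_libssl)"
fi
if command -v lsb_release >/dev/null 2>&1; then
    here=$(lsb_release -sc)
    for f in /etc/apt/sources.list.d/nginx*.list; do
        [ -f "$f" ] || continue
        apt_source_mismatch "$here" < "$f" | sed "s|^|host: $f: |"
    done
fi
```

A "MISMATCH lucid" line on a Precise host means the nginx package was built against, and pulls in, the older release's libssl, which is exactly the situation that made patching awkward here: the fix has to come from the other release's package rather than the running release's security updates. After swapping the source file, `apt-cache policy` on the libssl package shows which repository each candidate version comes from, which is the quickest way to confirm the swap took effect.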

Stephen Crawley

Jun 13, 2014, 1:39:06 AM
to tardis...@googlegroups.com
I don't know of any reason why you shouldn't use an Nginx package that is appropriate to your actual distro.

The Nginx project site has some sketchy info about binary builds, but if you dig around on the site where they are made available, there are up-to-date packages for a number of Ubuntu releases.  I imagine that they have dependencies that are appropriate to the release.

Having said that, the real solution may be to switch to using the Opscode Community cookbook for installing and configuring Nginx.

    http://community.opscode.com/cookbooks/nginx

I'm looking at using the Nginx cookbook in another context (Omero), and if it looks good I will try to retrofit it into the Nectar-Cookbooks version of the MyTardis cookbook.



--
You received this message because you are subscribed to the Google Groups "tardis-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tardis-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
-- Steve