Does Ubuntu generally post timely security updates?
Posted by Jo Liss on Ask Ubuntu
Published on 2012-04-05T17:35:39Z
Indexed on 2012/04/05 17:45 UTC
Concrete issue: The Oneiric nginx package is at version 1.0.5-1, released in July 2011 according to the changelog.
The recent memory-disclosure vulnerability (advisory page, CVE-2012-1180, DSA-2434-1) isn't fixed in 1.0.5-1. If I'm not misreading the Ubuntu CVE page, all Ubuntu versions seem to ship a vulnerable nginx.
Is this true?
If so: I thought there was a security team at Canonical that's actively working on issues like this, so I expected to get a security update within a short timeframe (hours or days) through apt-get update.
Is this expectation -- that keeping my packages up-to-date is enough to stop my server from having known vulnerabilities -- generally wrong?
If so: What should I do to keep it secure? Reading the Ubuntu security notices wouldn't have helped in this case, as the nginx vulnerability was never posted there.
© Ask Ubuntu or respective owner