Does Ubuntu generally post timely security updates?

Posted by Jo Liss on Ask Ubuntu See other posts from Ask Ubuntu or by Jo Liss
Published on 2012-04-05T17:35:39Z Indexed on 2012/04/05 17:45 UTC
Read the original article Hit count: 530

Filed under:
|

Concrete issue: The Oneiric nginx package is at version 1.0.5-1, released in July 2011 according to the changelog.

The recent memory-disclosure vulnerability (advisory page, CVE-2012-1180, DSA-2434-1) isn't fixed in 1.0.5-1. If I'm not misreading the Ubuntu CVE page, all Ubuntu versions seem to ship a vulnerable nginx.

  1. Is this true?

    If so: I though there was a security team at Canonical that's actively working on issues like this, so I expected to get a security update within a short timeframe (hours or days) through apt-get update.

  2. Is this expectation -- that keeping my packages up-to-date is enough to stop my server from having known vulnerabilities -- generally wrong?

  3. If so: What should I do to keep it secure? Reading the Ubuntu security notices wouldn't have helped in this case, as the nginx vulnerability was never posted there.

© Ask Ubuntu or respective owner

Related posts about security

Related posts about nginx