Critical NGINX CVS-2021-23017 patches

When will you release binary RPMs for ondemand-nginx that address:

I realize you did post a source patch some time back.


JP Navarro

Hey JP, thanks for letting us know.

Looking at the annoucement it doenst’ look like if affects us. From the announcement, we don’t use the resolver directive.

The issue only affects nginx if the "resolver" directive is used in
the configuration file.  Further, the attack is only possible if an
attacker is able to forge UDP packets from the DNS server.

Though, we should be able to patch it soon anyhow. Looks like RHEL patched 1.18, we’ll have to look into how to apply the patch too.

Patched ondemand-nginx RPMs have been pushed to the 1.8 and 2.0 repos.

To update perform the following operation:

# EL7
yum update ondemand-nginx

# EL8
dnf update ondemand-nginx

In order to ensure all PUNs are using the patched NGINX it’s recommended to force kill all PUNs:

/opt/ood/nginx_stage/sbin/nginx_stage nginx_clean --force