Critical NGINX CVE-2021-23017 patches

When will you release binary RPMs for ondemand-nginx that address:
https://nvd.nist.gov/vuln/detail/CVE-2021-23017
http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
?

I realize you did post a source patch some time back.

Thanks,

JP Navarro

Hey JP, thanks for letting us know.

Looking at the announcement it doesn’t look like it affects us. From the announcement, we don’t use the resolver directive.

The issue only affects nginx if the "resolver" directive is used in
the configuration file.  Further, the attack is only possible if an
attacker is able to forge UDP packets from the DNS server.

https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

Though, we should be able to patch it soon anyhow. Looks like RHEL patched 1.18, we’ll have to look into how to apply the patch too.

Patched ondemand-nginx RPMs have been pushed to the 1.8 and 2.0 repos.

To update, perform the following operation:

# EL7
yum update ondemand-nginx

# EL8
dnf update ondemand-nginx

In order to ensure all PUNs are using the patched NGINX it’s recommended to force kill all PUNs:

/opt/ood/nginx_stage/sbin/nginx_stage nginx_clean --force