As of right now Debian 9 (stretch) installs nginx version 1.10.3 which is vulnerable to CVE-2017-7529:
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
I'm concerned for the safety of my users' data, so I'd like to upgrade to the latest version that's no longer affected by this issue.
Best Answer
There are multiple ways to obtain nginx 1.13.3 and above. You can compile it yourself, use the stretch-backports repository, or you can add nginx's own apt repository. In this answer I will be walking you through the last one as it's probably the easiest to do out of all three.
nginx's website has a dedicated page on how to set up their repository, but there's more to it, especially if you want to avoid this specific vulnerability as of right now. The `stable` branch will install 1.12.0, which is still vulnerable (it was patched in 1.12.1+ and 1.13.3+), so you will need to use `mainline`, which will install 1.13.5.

In the best case scenario switching the nginx version should be as simple as running a few commands and you'll be done in 2-3 minutes with minimal downtime. To be able to get back up and running ASAP, let's start with preparing for the install. First, you need to add the repository to your apt configuration, add the signing key, and update the package list:
Next, run the following command:
This will effectively uninstall nginx from the system, but will preserve your configuration files, save for a systemd service file which is easy to restore.
Next install nginx from the new repository:
Be aware that this will ask you if you want to replace certain configuration files, like this:
Make sure you don't enter `Y`, just press Enter or enter `N` each time you're prompted to avoid losing your current configuration.

If you accidentally overwrote your `nginx.conf` you'll - at the very least - need to change the last line in the file from `include /etc/nginx/conf.d/*.conf;` to `include /etc/nginx/sites-enabled/*;` to restore the previous inclusion behavior.

You can verify the newly installed version:
Finally, you will notice that trying to run `service nginx start` now fails with the following message:

This is because removing `nginx-common` also wiped `/lib/systemd/system/nginx.service`, which was previously used by systemd to manage nginx. To restore this file, simply create it using the command below:

Finally, run `systemctl unmask nginx` followed by `systemctl enable nginx`, and now you should be able to manage the service just like before, with all your previous settings intact.
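The version check the answer describes, as an added example rather than the answer's own commands: it parses the output of `nginx -v` and classifies the version against the affected range quoted in the question (0.5.6 through 1.13.2) and the fix releases named above (1.12.1+ on the stable line, 1.13.3+ on mainline). The function names and the sample `nginx -v` line are constructed for this example.

```shell
#!/bin/sh
# Turn a dotted version such as "1.13.3" into a plain integer (1013003)
# so that versions can be compared with the shell's integer tests.
vernum() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Extract the bare version from an `nginx -v` line, e.g.
# "nginx version: nginx/1.10.3" -> "1.10.3"
parse_nginx_version() {
    echo "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Classify a version against CVE-2017-7529 as stated on this page:
#   affected: 0.5.6 .. 1.13.2
#   fixed:    1.12.1 and later on the 1.12 (stable) line, 1.13.3 and later
# Prints one of: not-affected, vulnerable, fixed
nginx_cve_2017_7529_status() {
    v=$(vernum "$1")
    if [ "$v" -lt "$(vernum 0.5.6)" ]; then
        echo not-affected
    elif [ "$v" -ge "$(vernum 1.13.3)" ]; then
        echo fixed
    elif [ "$v" -ge "$(vernum 1.12.1)" ] && [ "$v" -lt "$(vernum 1.13.0)" ]; then
        echo fixed            # stable line, backported fix
    else
        echo vulnerable       # includes 1.10.3 (Debian 9) and 1.12.0 / 1.13.0-1.13.2
    fi
}

# Check the locally installed nginx, if any (nginx prints its version on stderr).
check_installed_nginx() {
    if command -v nginx >/dev/null 2>&1; then
        ver=$(parse_nginx_version "$(nginx -v 2>&1)")
        echo "nginx $ver: $(nginx_cve_2017_7529_status "$ver")"
    else
        echo "nginx not found in PATH"
    fi
}

# Constructed sample line, standing in for real `nginx -v` output on Debian 9
sample='nginx version: nginx/1.10.3'
echo "sample $(parse_nginx_version "$sample"): $(nginx_cve_2017_7529_status "$(parse_nginx_version "$sample")")"
```

Run it after the upgrade as well; a `mainline` install from the nginx repository should report `fixed`.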