Ubuntu is currently divided into four components: main, restricted, universe and multiverse. Packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while packages in universe and multiverse are supported by the Ubuntu community. See the security team FAQ for more information.
Since nginx is in the Universe component, it does not get updates from the security team. It is up to the community to fix security issues in that package. See here for the exact procedure.
You can use Software Center or the ubuntu-support-status command line tool to determine which packages are officially supported, and for how long.
Update from the future: Nginx is moving to main so will receive support from the Ubuntu Security Team at that point. If you're unsure whether your version will, just look at apt-cache show nginx and look for the "Section" tag. When that's in Main, you're getting Canonical support for it.
What you're looking for are Ubuntu Security Notifications and they are not clearly listed in the repositories. This page is the main Ubuntu Security Notifications listing.
As for individual packages, updates which address security fixes are in their own special repository, the -security pocket. Using Synaptic, you can switch to the "Origin" view, and see packages in the RELEASE-security pocket.
All CVEs are also listed in the Ubuntu Security Team's CVE tracker - with your specifically referenced CVE here. In the case of CVE-2014-9295 which you reference here, it has not yet been fixed.
Once an update is available, it will be detected by sudo apt-get update; sudo apt-get upgrade once it's released in the security repository.
Best Answer
According to the Ubuntu Security Notices, this affects 10.04 and 12.04 among the currently supported versions of Ubuntu.
How can I protect myself?
Upgrade.
Or, specifically:
Check the currently installed version using apt-cache policy libc6:
12.04: 2.15-0ubuntu10.10, or higher.
10.04: 2.11.1-0ubuntu7.20, or higher.
Restart. libc is a core package. You should restart to be sure nothing on your system is using the old version. At the least, restart every service running on your system.
What is it?
The team who discovered this vulnerability has published an advisory (posted in the mailing list referred to), examining the code involved and case studies. It includes a C program to detect if the system is vulnerable.
Essentially, look-ups of IPv4-style addresses (those involving numbers and dots) can cause this trigger.
This is due to a miscalculation in the size of a buffer needed, where the size is a bit short, allowing a strcpy down the line to write past the end of the buffer by a limited amount (4 bytes on 32-bit machines, or 8 bytes on 64-bit machines). An exploit has been written by the team against the Exim mail server, but the code has not been released yet.
The list of services affected includes, but is not limited to:
Apparently the test code is available on the University of Chicago website. Therefore you can do:
The final output would be vulnerable or not vulnerable.
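The answers above give two checks by hand: compare the installed libc6 version against the fixed version from the security notice, and confirm the fix is being offered from the RELEASE-security pocket so that apt-get update; apt-get upgrade will pull it in. The script below is an added example, not code from any of the answers or from Ubuntu: it parses the text that apt-cache policy libc6 prints and does both checks. The sample apt-cache output is constructed for illustration (a not-yet-updated 12.04 host); the fixed versions are the ones quoted in the accepted answer, and the codenames precise (12.04) and lucid (10.04) are used as dictionary keys. The version comparison follows the dpkg algorithm (epoch, upstream, revision, with "~" sorting before everything) so that "2.15-0ubuntu10.9" correctly sorts below "2.15-0ubuntu10.10".

```python
"""Added example (not from the original answers): decide, from the text that
`apt-cache policy libc6` prints, whether the installed glibc is at or above the
fixed version the security notice names, and whether the fix is being offered
from the RELEASE-security pocket.  The sample output below is constructed for
illustration; the fixed versions are the ones quoted in the accepted answer."""
import re

# Fixed libc6 versions from the answer, keyed by release codename
# (precise = 12.04, lucid = 10.04).
FIXED = {"precise": "2.15-0ubuntu10.10", "lucid": "2.11.1-0ubuntu7.20"}

# Constructed sample of `apt-cache policy libc6` on a not-yet-updated 12.04 host.
SAMPLE_POLICY = """libc6:
  Installed: 2.15-0ubuntu10.9
  Candidate: 2.15-0ubuntu10.10
  Version table:
     2.15-0ubuntu10.10 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
 *** 2.15-0ubuntu10.9 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.15-0ubuntu10 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
"""


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigits(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare one version fragment (upstream or revision) the way dpkg does:
    alternate a lexical compare of non-digit runs with a numeric compare of
    digit runs until both strings are exhausted."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigits(na.group(), nb.group())
        if r:
            return r
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        ia, ib = int(da.group() or "0"), int(db.group() or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[da.end():], b[db.end():]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, == or > v2 under Debian version rules
    (epoch, then upstream version, then Debian revision)."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_policy(text):
    """Extract installed and candidate versions plus, for every version in the
    table, the pocket/component (e.g. 'precise-security/main') offering it."""
    installed = re.search(r"^\s*Installed:\s*(\S+)", text, re.M).group(1)
    candidate = re.search(r"^\s*Candidate:\s*(\S+)", text, re.M).group(1)
    origins, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*(?:\*\*\*\s+)?(\S+)\s+\d+\s*$", line)  # version header row
        if m:
            current = m.group(1)
            origins.setdefault(current, [])
            continue
        m = re.match(r"^\s*\d+\s+\S+\s+(\S+)\s+\S+\s+Packages", line)  # source row
        if m and current:
            origins[current].append(m.group(1))
    return installed, candidate, origins


def libc6_status(policy_text, release):
    """Report whether the installed libc6 is already fixed and whether a fixed
    build is offered from the release's -security pocket (so a plain
    apt-get update; apt-get upgrade will pull it in)."""
    installed, candidate, origins = parse_policy(policy_text)
    fixed = FIXED[release]
    offered = any(o.startswith(release + "-security") for o in origins.get(candidate, []))
    return {
        "installed": installed,
        "patched": installed != "(none)" and compare_versions(installed, fixed) >= 0,
        "fix_in_security_pocket": offered and compare_versions(candidate, fixed) >= 0,
    }


if __name__ == "__main__":
    print(libc6_status(SAMPLE_POLICY, "precise"))
```

On a real host, replace SAMPLE_POLICY with the output of apt-cache policy libc6 and pass the release codename; a result of patched False together with fix_in_security_pocket True means the update is already published in the -security pocket and only the upgrade (followed by the restart the answer insists on) is still missing.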