Jitsi meet nginx upgrade

Due to a known nginx vulnerability I need to either patch v1.18 or upgrade to 1.21 on my Jitsi meet server, which runs Ubuntu 20.04. I’m not sure how to. Prior attempts did not work as expected.

Jitsi Meet was installed using these steps: Self-Hosting Guide - Debian/Ubuntu server | Jitsi Meet

Below is how I view my currently installed nginx packages, post install:

root@meet:~# dpkg -l "nginx*" | egrep "^ii"

ii nginx 1.18.0-0ubuntu1.2 all small, powerful, scalable web/proxy server
ii nginx-common 1.18.0-0ubuntu1.2 all small, powerful, scalable web/proxy server - common files
ii nginx-core 1.18.0-0ubuntu1.2 amd64 nginx web/proxy server (standard version)

Typically you get nginx updates from your distribution, in this case Ubuntu. Run apt update && apt upgrade to get the latest updates.

I think that will end up upgrading other components outside of nginx which I don’t want to do. I think I tried this before and it didn’t work but I’ll give it another attempt and report back.

It doesn’t look like apt update && apt upgrade will help me out. If I do “apt list --upgradable” I don’t see anything regarding nginx. From what I’ve read, the solution to the nginx vulnerability is to upgrade it to 1.21 from 1.18. I don’t see that happening with an apt update/upgrade. I’m surprised nobody else has come across this. If the default Jitsi Meet install presents a vulnerability in nginx you’d think there’d be more discussion in correcting it or upgrading away from 1.18.

Check out the changelog; distributions usually backport important security fixes to previous releases: http://changelogs.ubuntu.com/changelogs/pool/main/n/nginx/nginx_1.18.0-0ubuntu1.2/changelog

No need to be so alarming. Also, we are not distributing nginx, it’s not on us to keep your distro up to date.

3 Likes

I’m aware you don’t distribute nginx. I’d think other people would have run across the vulnerability and perhaps discussed it here. I don’t really see anything in the Ubuntu changelog that would be helpful. So it seems there is no fix for it I suppose. It’s definitely a security hole in version 1.18 that is installed with Jitsi Meet.

The vulnerability you have been talking about concerns the njs module, which allows the use of JavaScript in the nginx server itself. This functionality is not used in Jitsi Meet, and it’s not even available in Ubuntu distros. So Ubuntu will not release a fix for a non-existent problem.
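
Added example, not part of the thread and not code from the Jitsi or nginx projects: a shell check for whether an nginx configuration actually loads or uses njs, which is the condition the reply above turns on. The function names and both sample configurations are constructed for illustration, and the comment stripping is a simplification.

```shell
#!/bin/sh
# Added example: report whether an nginx configuration loads or uses njs.
# Feed it the effective configuration, e.g.:  nginx -T 2>/dev/null | njs_status

# Drop comments so a commented-out load_module line is not counted.
# Simplification: a '#' inside a quoted string is treated as a comment too.
strip_comments() {
    sed 's/#.*$//'
}

# Succeeds if an active load_module line names the njs HTTP or stream module.
njs_module_loaded() {
    strip_comments |
        grep -Eq '^[[:space:]]*load_module[[:space:]]+[^;]*ngx_(http|stream)_js_module\.so'
}

# Succeeds if an active njs directive is present (covers static builds too).
njs_directive_used() {
    strip_comments |
        grep -Eq '(^|[;{[:space:]])js_(import|include|content|set|path)[[:space:]]'
}

# Print a one-word verdict for the configuration text on stdin.
njs_status() {
    conf=$(cat)
    if printf '%s\n' "$conf" | njs_module_loaded ||
       printf '%s\n' "$conf" | njs_directive_used; then
        echo "njs-in-use"
    else
        echo "njs-not-in-use"
    fi
}

# Constructed sample: stock-style config with the module line commented out.
SAMPLE_WITHOUT_NJS='user www-data;
# load_module modules/ngx_http_js_module.so;
http { server { listen 443 ssl; } }'

# Constructed sample: config that loads njs and imports a script.
SAMPLE_WITH_NJS='load_module modules/ngx_http_js_module.so;
http { js_import main.js; }'
```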

I use Tenable Nessus Enterprise as a vulnerability scanner and it flags the nginx install on my meet servers. I put more weight behind that than a random poster on the internet.

You can probably just use their Ubuntu repo, which should have the latest version: nginx: Linux packages

That worked. It upgraded my nginx to 1.20.1. Thanks for the assistance, it’s appreciated.

1 Like