Due to a known nginx vulnerability I need to either patch v1.18 or upgrade to 1.21 on my Jitsi meet server, which runs Ubuntu 20.04. I’m not sure how to. Prior attempts did not work as expected.
Below is how I view my currently installed nginx packages, post install:
root@meet:~# dpkg -l "nginx*" | egrep "^ii"
ii nginx 1.18.0-0ubuntu1.2 all small, powerful, scalable web/proxy server
ii nginx-common 1.18.0-0ubuntu1.2 all small, powerful, scalable web/proxy server - common files
ii nginx-core 1.18.0-0ubuntu1.2 amd64 nginx web/proxy server (standard version)
I think that will end up upgrading other components outside of nginx which I don’t want to do. I think I tried this before and it didn’t work but I’ll give it another attempt and report back.
It doesn’t look like apt update && apt upgrade will help me out. If I do "apt list --upgradable" I don’t see anything regarding nginx. From what I’ve read, the solution to the nginx vulnerability is to upgrade it to 1.21 from 1.18. I don’t see that happening with an apt update/upgrade. I’m surprised nobody else has come across this. If the default Jitsi Meet install presents a vulnerability in nginx you’d think there’d be more discussion in correcting it or upgrading away from 1.18.
I’m aware you don’t distribute nginx. I’d think other people would have run across the vulnerability and perhaps discussed it here. I don’t really see anything in the Ubuntu changelog that would be helpful. So it seems there is no fix for it I suppose. It’s definitely a security hole in version 1.18 that is installed with Jitsi Meet.
The vulnerability you have been talking about concerns the njs module, which allows the use of JavaScript in the nginx server itself. This functionality is not used in Jitsi Meet, and it’s not even available in Ubuntu distros. So Ubuntu will not release a fix for a non-existent problem.
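The reply above attributes the finding to the njs module rather than to nginx core. As an added example (not from the thread, Jitsi or nginx), this script checks `nginx -V` and `nginx -T` output for njs so a version-based scanner finding can be triaged on evidence; the sample outputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide from captured nginx output whether njs is present.

# Constructed sample: abbreviated `nginx -V` output of a build without njs.
SAMPLE_V='nginx version: nginx/1.18.0 (Ubuntu)
configure arguments: --with-http_ssl_module --with-http_v2_module --with-stream=dynamic'

# Constructed sample: `nginx -T` config dump of a host that does load njs.
SAMPLE_T_NJS='load_module modules/ngx_http_js_module.so;
http { js_import main.js; server { location /x { js_content main.hello; } } }'

# Constructed sample: config dump with no njs use (only a comment mentions it).
SAMPLE_T_PLAIN='# js_content is mentioned only in this comment
http { server { listen 443 ssl; location / { proxy_pass http://127.0.0.1:8080; } } }'

# Return 0 if the configure arguments compile njs in (static or dynamic).
njs_in_build() {
  printf '%s\n' "$1" | grep -Eq -- '--add(-dynamic)?-module=[^ ]*njs'
}

# Return 0 if the config loads an njs module or uses an njs directive.
# Comments are stripped naively (a "#" inside a quoted string is also cut).
njs_in_config() {
  printf '%s\n' "$1" | sed 's/#.*//' |
    grep -Eq 'ngx_(http|stream)_js_module|(^|[[:space:];{])js_(import|include|content|set|path)[[:space:]]'
}

# Print a one-word verdict for a (nginx -V, nginx -T) pair.
njs_verdict() {
  if njs_in_build "$1" || njs_in_config "$2"; then
    echo present
  else
    echo absent
  fi
}

# On a live host (as root): njs_verdict "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
njs_verdict "$SAMPLE_V" "$SAMPLE_T_PLAIN"
njs_verdict "$SAMPLE_V" "$SAMPLE_T_NJS"
```

A verdict of `absent` is evidence to attach to the scanner finding when recording it as not applicable; `present` means the njs version itself needs checking.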
I use Tenable Nessus Enterprise as a vulnerability scanner and it flags the nginx install on my meet servers. I put more weight behind that than a random poster on the internet.