Snap Store Proxy - how to update nginx version?

Hello, please excuse what is probably a really dumb question, but how do I update the version of nginx (1.18.0) on my locally installed snap store proxy? I see latest version is 1.24, and the installed version with the snap-store-proxy (v1.18.0) is giving me a security headache on my network due to a ‘high’ Nessus scanner finding of: 1-Byte Memory Overwrite.

Unfortunately on our network we cannot have any ‘critical’ or ‘high’ issues, so this is causing me some concern.

I tried manually updating the version of nginx, but then had snap-store-proxy status issues, and the scanner still found the older versions of nginx under /usr/snap/snap-store-proxy/current/usr/bin/nginx.

Please also note I’m not a dev, nor a linux guru!

Thank you, Richard

You’d normally file a commercial support ticket asking to get an updated version included in the proxy snap. snaps are by design tinker-proof, read-only and gpg signed; you cannot change their contents yourself, the snap packager has to … note though that Canonical-maintained snap packages will pull their security fixes from the ubuntu archive … the current store-proxy package uses the 20.04 archive and there seem to be no open security issues for nginx here:

https://ubuntu.com/security

(the full url should be https://ubuntu.com/security/cves?q=&package=nginx&priority=&version=focal&status= but discourse does not like the & in it and cuts it off, please copy/paste)

Thank you for the swift response - much appreciated.

The Nessus scanner references this post, if it’s of any help: https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

And this is the referenced CVE on the Ubuntu Security page:

For reference, we’ve installed the snap-store-proxy onto an Ubuntu 22.04 (fully patched) VM.

The CVSS 3.0 base score is 7.7 for this issue, which means our network would immediately fail a UK based ‘CyberEssentials Plus’ audit - hence my concerns. We only allow very limited access to the Internet, especially as the majority of linux machines are for the devs and we are supposed to be a ‘secure’ network.

Thank you, Richard

well, the snap includes 1.18.0-0ubuntu1.2 so the version is safe and includes a fix for said CVE …

note that it does not matter at all what your host VM is, snaps run on top of their (readonly) base snap inside their confinement, the proxy uses a base of core20 which means all binaries involved come from the 20.04 archive.

if nessus does not take the security patch level of binaries into account and simply just looks at the major version instead, this is a bug in nessus they should fix.

Sorry - I’m not understanding: the version with snap store proxy is v1.18, the vulnerable versions are 0.6.18 - 1.20.0, but 1.18 (below 1.20.1) included the fix? If I run a ‘nginx -v’ it gives: nginx version: nginx/1.18.0 (Ubuntu) - so this version is ‘fixed’? If so, I will try and raise this as an issue with Tenable.

Regards, Richard

$ sudo snap install snap-store-proxy
snap-store-proxy 2.26 aus Canonical✓ installiert
$ grep nginx /snap/snap-store-proxy/current/snap/manifest.yaml 
[...]
- nginx-light=1.18.0-6ubuntu14.3
$ 

the fix was applied to the package version 1.18.0-0ubuntu1.2 in 20.04 and to 1.18.0-6ubuntu9 in 22.04; as you can see, the snap actually ships 1.18.0-6ubuntu14.3

in general ubuntu does not update versions in stable releases but cherry-picks security fixes into the existing packages for a release (to prevent introducing any new bugs and to be able to guarantee greater stability) which means you will never see the major version being updated, but the package version.

a proper security scanner should take this into account…

(BTW: I was wrong, the snap already uses a core22 base (i.e. the 22.04 archive); my check was running against locally cached snap data, but that is indeed not relevant for the topic itself)

Thank you - I’ll raise with Tenable.

Regards, Richard