[SOLVED] Nginx 1.14.1 false positive

solved

#1

Hi, all.

We have GVM 7.0.3 and it produces some weird results:

nginx 1.9.5 - 1.15.5 Multiple Vulnerabilities
Installed version: 1.14.1
Fixed version: 1.15.6
CVE: CVE-2018-16843, CVE-2018-16844

But when we look into CVEs it says:

nginx before versions 1.15.6 and 1.14.1 has a vulnerability

There is no 1.14.1 version in the list of affected versions in the CVE description and nginx confirms it.

What should we do here? Report the issue to the developers in some way? Or look for some workaround with overrides?


#2

Find the patch and install it?
I always do so while I am working in IT department.
Or install the newer version of the software with vulnerabilities.


#3

Hi,

thanks for pointing it out. A fix will be provided in revision 12890.


#4

Thanks for good news. But still a couple of questions are here…
What kind of stuff is this «revision»? Should I update some packages or just feeds? How can I know the time is come?


#5

If you’re using the Greenbone Security Assistant, moving to SecInfo -> NVTs will show you the revision as the NVT’s version number. Everytime a new vulnerability test is added to the feed or an existing one got updated, the revision is being increased.

Normally you should get the newest revision after a daily feed update; so once the tests are being moved from developer stage to the public stage (which should be done by tomorrow), the updated test should appear in your GSA and not recognize a vulnerable version anymore.


#6

Oh, that’s great! I’ll check it this weekend.

[UPD: 12/29/2018] It’s correct now.