nginx 1.20.1 稳定版和 1.21.0 主线版已发布。这两个版本均修复了一个高危的安全漏洞——1-byte memory overwrite。此漏洞存在于 nginx 的 DNS 解析模块,并且仅在配置文件中使用”resolver”指令时才会影响 nginx。攻击者可以利用该漏洞进行远程 DDoS 攻击,甚至远程执行。
解决方案
从nginx官网获得apt源的公钥
这里是地址 http://nginx.org/keys/nginx_signing.key,为了方便我也复制一份到这里新建一个文本文件nginx_signing.key,把公钥写入到此文本文件之中
root@iZ0xi3fckpb4cq63wknd2fZ:~#vim nginx_signing.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH
W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I
QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE
fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt
97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5
XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg
a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoAhsDBgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr9b2Ce9m/YloaB/9XGrol
kocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG/aa2xJvrXE8X32tgcTjr
KoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115etN9piPl0Zz+4rkx8+2vJG
F+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4okC1klWiRIRSdp4QY1wdrN
1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLDwSDfVx7rWyfRhcBzVbwD
oe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3JFyauDgU4K4MytsZ1HDi
MgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S
YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx
JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/
Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk
RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J
SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf
Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6
cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f
YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y
Va3l3WuB+rgKjsQ=
=EWWI
-----END PGP PUBLIC KEY BLOCK-----
添加公钥到apt包管理器
root@iZ0xi3fckpb4cq63wknd2fZ:~# apt-key add nginx_signing.key
OK
备份之前的apt源
root@iZ0xi3fckpb4cq63wknd2fZ:~# cp /etc/apt/sources.list /etc/apt/sources.list.bak
查看ubuntu对应的版本代码
此命令的输出会有一行如Codename: xxxx,记住这个版本代码,在下一步会用到。
root@iZ0xi3fckpb4cq63wknd2fZ:~# lsb_release -a
LSB Version: core-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
更新nginx的apt安装源
使用vim打开source.list,在末尾添加两行,记得把下面标红code字样替换成为上面”lsb_release -a”查询结果codename后面的值
root@iZ0xi3fckpb4cq63wknd2fZ:~# vim /etc/apt/sources.list
......
deb http://nginx.org/packages/ubuntu/ code nginx
deb-src http://nginx.org/packages/ubuntu/ code nginx
$apt update
Get:1 http://nginx.org/packages/ubuntu focal InRelease [3,584 B]
Hit:2 http://us2.mirrors.cloud.aliyuncs.com/ubuntu focal InRelease
Get:3 http://nginx.org/packages/ubuntu focal/nginx Sources [9,696 B]
Get:4 http://nginx.org/packages/ubuntu focal/nginx amd64 Packages [15.4 kB]
Hit:5 http://us2.mirrors.cloud.aliyuncs.com/ubuntu focal-updates InRelease
Hit:6 http://us2.mirrors.cloud.aliyuncs.com/ubuntu focal-backports InRelease
Hit:7 http://us2.mirrors.cloud.aliyuncs.com/ubuntu focal-security InRelease
Fetched 28.7 kB in 2s (12.0 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
N: Skipping acquire of configured file 'nginx/binary-i386/Packages' as repository 'http://nginx.org/packages/ubuntu focal InRelease' doesn't support architecture 'i386'
在更新apt安装源的时候可能会遇到上面的错误,这个时候我们只需要将原来的
deb http://nginx.org/packages/ubuntu/ focal nginx
deb-src http://nginx.org/packages/ubuntu/ focal nginx
更改为
deb [arch=amd64] http://nginx.org/packages/ubuntu/ focal nginx
deb-src http://nginx.org/packages/ubuntu/ focal nginx
再重新执行apt update即可。
重新安装并重新启动nginx服务
$ apt install nginx
$ nginx -s reload
查询nginx版本
$ nginx -v
nginx version: nginx/1.20.2