Vulnerable and out of date NGINX version
I was contacted by one of my clients, since they found out that the NGINX version for ISPManager 6 in AlmaLinux is out of date, way out of date. It also contains a vulnerability, which made them switch to a different provider than me, since they don't want to gamble anything with an out-of-date version of this stack.
Is there really no plan for this? Since this is the main feature of Web Hosting and our backbone for the services we provide.
For your information, the NGINX version used in ISPManager is 1.14.1 while the latest one is 1.25.1. All other competitors have been using 1.25.1 since last month, except Plesk, which used 1.20, which is still much newer than the one used by ISPManager.
If you want, you can try checking your website hosted in ISPManager 6 Lite, Pro or Host in AlmaLinux 8.5 with Sucuri SiteCheck or Pentest-tools.com.
22.07.2023 19:09
Thank you for your post. We understand your concern. But the point is that ispmanager uses builds from the OS vendor's repository. And the OS vendor is responsible for security updates of its builds. Note that they cover the most serious vulnerabilities with their updates.
We are planning to start delivering our own actual nginx builds in the near future, where we will close all current vulnerabilities.
26.07.2023 10:28
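An added example, not part of any post in this thread: when a scanner flags nginx by its banner version alone, the package changelog shows which fixes the OS vendor has backported into that build. The function name, the sample changelog and the CVE ids below are constructed placeholders; on a real host the input would come from `rpm -q --changelog nginx`.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `rpm -q --changelog <package>`.
# The CVE ids are placeholders, not real advisories.
sample_changelog() {
cat <<'EOF'
* Tue Jan 10 2023 Packager Name <packager@example.invalid> - 1:1.14.1-9.3
- Resolves: CVE-0000-1111 (backported fix)

* Mon Jun 06 2022 Packager Name <packager@example.invalid> - 1:1.14.1-9.2
- Fix memory disclosure in resolver (CVE-0000-2222)
EOF
}

# cve_backport_status CVE-ID...   (hypothetical helper; changelog on stdin)
# Prints "<id> backported" or "<id> not-listed" for each id given.
# Returns 1 if at least one id is not mentioned in the changelog.
cve_backport_status() {
    changelog=$(cat)
    missing=0
    for id in "$@"; do
        # -F: literal match; -w: whole word, so a shorter id cannot match
        # as a prefix of a longer one.
        if printf '%s\n' "$changelog" | grep -qwF -- "$id"; then
            echo "$id backported"
        else
            echo "$id not-listed"
            missing=1
        fi
    done
    return "$missing"
}

# On a real RPM-based host (ids taken from the scanner report):
#   rpm -q --changelog nginx | cve_backport_status CVE-XXXX-NNNN ...
```

An id reported as `not-listed` only means the changelog does not mention it; the OS vendor's advisory for that id says whether the build is unaffected or unfixed.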
Any update on this feature is highly appreciated. We also got flagged by some pen-testing team recently due to this, which is bad.
02.05.2024 00:58
This feature has been released in version 6.107:
For the installation of nginx, the ispmanager repositories are used now. This allows the latest stable version of nginx to be installed when installing ispmanager, regardless of which version is shipped with the OS. When upgrading ispmanager to this release, nginx will not be upgraded automatically. A special script has been prepared to update nginx manually. (ISP6-1302)
10.10.2024 10:30