amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Package Request] - nginx 1.26 #718

Open daniejstriata opened 1 month ago

daniejstriata commented 1 month ago

What package is missing from Amazon Linux 2023? Please describe and include package name.
nginx 1.26

Is this an update to existing package or new package request?
update from 1.24

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.
N/A

Any additional information you'd like to include. (use-cases, etc)
I understand that AL2023 is Enterprise Linux but could nginx 1.26 be added?

MayuraRam commented 2 weeks ago

This upgrade is needed as it is being flagged by security scanners. The sooner it can be updated the better!

maanisim commented 3 days ago

I could confirm the same behaviour on my end on AL2023:

sh-5.2$ /usr/sbin/nginx -v
nginx version: nginx/1.24.0
sh-5.2$ nginx -v
nginx version: nginx/1.24.0

I can see that Nginx is still being actively updated with security patches until 2028-03-15 [1]; as such, the security of Nginx 1.24 should not be a concern.

You can find the same information with regard to the security patches provided by AWS here [2]:

Q: Why does a security scanner report an unfixed CVE in an Amazon Linux package when an Amazon Linux Security Advisory claims the CVE to be fixed in that version?

A: Amazon Linux, like most Linux distributions, routinely backports security fixes to stable package versions vended in its repositories. When these packages are updated with a backport, the Amazon Linux security bulletin for the particular issue will list the specific package version(s) in which the issue is fixed for Amazon Linux. Security scanners that rely on versioning from a project’s authors sometimes won’t pick up that a given CVE fix has been applied in an older version. Customers can refer to Amazon Linux Security Center (ALAS) for updates regarding security issues and fixes.

References:
[1] https://docs.aws.amazon.com/linux/al2023/release-notes/support-info-by-support-statement.html#support-info-by-support-statement-eol_nginx
[2] https://aws.amazon.com/linux/amazon-linux-2023/faqs/
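The backporting behaviour described in the quoted FAQ, as an added example that is not part of the thread or of any Amazon Linux tooling: it contrasts a verdict keyed on the upstream version number with one keyed on the fixed package build an advisory names. The package builds and the upstream fixed version are constructed sample values, and `rpmvercmp` here is a simplified re-implementation of RPM's ordering (no `~` or `^` handling).

```python
import re

def rpmvercmp(a, b):
    """Simplified RPM segment comparison (assumption: no '~' or '^' handling)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments means newer

def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    """Compare two full EVR strings: epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def upstream_verdict(installed_evr, upstream_fixed_version):
    """What a scanner keyed on the upstream version number concludes."""
    _, version, _ = parse_evr(installed_evr)
    return "vulnerable" if rpmvercmp(version, upstream_fixed_version) < 0 else "fixed"

def advisory_verdict(installed_evr, advisory_fixed_evr):
    """What the distribution advisory's fixed package build implies."""
    return "vulnerable" if evr_cmp(installed_evr, advisory_fixed_evr) < 0 else "fixed"

# Constructed sample data, not taken from any real advisory.
INSTALLED = "1:1.24.0-1.amzn2023.0.4"        # installed package epoch:version-release
UPSTREAM_FIXED = "1.26.0"                     # upstream release said to carry the fix
ADVISORY_FIXED = "1:1.24.0-1.amzn2023.0.3"    # backported build named in the advisory

if __name__ == "__main__":
    print("upstream-version scanner:", upstream_verdict(INSTALLED, UPSTREAM_FIXED))
    print("advisory-based check:    ", advisory_verdict(INSTALLED, ADVISORY_FIXED))
```

The two verdicts differ only in the release field, which is where a backported fix shows up while the upstream version stays at 1.24.0.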