Concrete issue: The Oneiric nginx package is at version 1.0.5-1, released in July 2011 according to the changelog.
The recent memory-disclosure vulnerability (advisory page, CVE-2012-1180, DSA-2434-1) isn't fixed in 1.0.5-1. If I'm not misreading the Ubuntu CVE page, all Ubuntu versions seem to ship a vulnerable nginx.
Is this true?
If so: I thought there was a security team at Canonical that's actively working on issues like this, so I expected to get a security update within a short timeframe (hours or days) through
apt-get update
.Is this expectation -- that keeping my packages up-to-date is enough to stop my server from having known vulnerabilities -- generally wrong?
If so: What should I do to keep it secure? Reading the Ubuntu security notices wouldn't have helped in this case, as the nginx vulnerability was never posted there.