On Tue, Sep 15, 2020 at 09:13:04AM +0000, Suryadevara, Revanth wrote:
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is,
> According to nginx download page, (http://nginx.org/en/download.html) Nginx
> 1.14.x is no longer supported and will not be getting regular patches. So, if
> any security vulnerabilities arise then system would be at high risk as the
> vendor no longer provides updates.

The Debian security team backports patches to fix security issues whenever possible. *If* in the future a vulnerability is discovered which cannot easily be fixed by a patch backported from a future version of nginx, then the security team *may* opt to use a newer upstream version of nginx in the stable release. There is some precedent for this with other packages such as samba and bind9.