All of these CVE issues are resolved in nginx 1.18, and in the image build (in the awx project) I did notice that awx is just doing a dnf -y install nginx, so are these extra 'mod' nginx packages just installed by default?
I guess the real question is: is there some specific reason why awx continues to stay on nginx 1.14 with the known CVEs, and not use nginx 1.18? I'm testing this on my own, but was just curious if anyone had looked at this.
That is because 1.14 is the latest version available in the repository. If you run dnf search nginx --showduplicates you will be able to see the available versions to choose from. By default it installs the latest version available in the repos. Thanks for the heads up about the vulnerability. In order to get a version higher than 1.14, I believe we can do this using the nginx repo: Install | NGINX. Can you please also let me know about your findings after using the nginx repo.
Was there any further work or result from this investigation? Are there any plans to upgrade the nginx inside the awx containers to a version greater than 1.14?
So it turns out 1.14 is NOT the latest version in the repository, it's simply the one that is enabled. So, here are the steps that I took in the Dockerfile. Essentially you can make your own Dockerfile with the first line "FROM" being the public image. These steps, added to it, remove nginx and replace it with 1.20, which squashes about 30 CVEs.
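The post above describes the approach but the Dockerfile steps themselves are not reproduced in this thread, so here is an added example of such a Dockerfile (not the poster's file and not part of the AWX project). It assumes the AWX image is CentOS 8 / RHEL 8 based, where "1.14 is the one that is enabled" means the nginx:1.14 AppStream module stream is the default stream; the image tag and the non-root UID at the end are placeholders to check against the image you actually pull.

```dockerfile
# Added example, not the poster's Dockerfile: rebuild the public AWX image
# with the nginx:1.20 AppStream module stream instead of the default 1.14.
# ASSUMPTIONS: base image tag is a placeholder; the base is CentOS/RHEL 8
# (dnf module streams); the nginx:1.20 stream exists in the enabled
# AppStream repo; the base image runs AWX as UID 1000.
FROM quay.io/ansible/awx:17.1.0

USER root

# 1. Show the available nginx streams; the enabled one is marked [e].
RUN dnf -y module list nginx

# 2. Switch streams without erasing the package: reset the stream
#    selection, enable 1.20, then distro-sync the installed nginx
#    packages (including any nginx-mod-* packages) onto that stream.
#    Using distro-sync rather than remove + install keeps the image's
#    customised /etc/nginx/nginx.conf in place; erasing the package would
#    move a modified %config file aside as nginx.conf.rpmsave.
RUN dnf -y module reset nginx \
 && dnf -y module enable nginx:1.20 \
 && dnf -y distro-sync 'nginx*' \
 && dnf clean all

# 3. Fail the build if the swap did not take effect.
#    `nginx -v` prints "nginx version: nginx/1.20.x" to stderr.
RUN nginx -v 2>&1 | grep -q 'nginx/1\.20\.'

# Drop back to the non-root user the base image runs as (assumed 1000).
USER 1000
```

Build it with docker build -t awx-nginx120 . and confirm with docker run --rm awx-nginx120 nginx -v. The stream switch only covers what the AppStream repo ships; if you need a release newer than any stream in the repo, the nginx.org repo mentioned earlier in the thread is the alternative, and the same grep check at the end still tells you whether the rebuilt image actually carries the version you expect.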