Long term security risks of rarely updated nginx

Steve Bennett asked:

We’ve deployed a system at a university using a stack of Postgres, Nginx and Django on (mandated) RHEL. The ITS department is now pressuring us to switch to Apache on order to benefit from regular (and for security updates, immediate) package updates. They argue that the security risks of running a service which we update less frequently are too high. We prefer to keep the stack the same at all deployments.

Is this a real concern, or are they just being paranoid?

My answer:

First, tell the security department to stay out of things they know nothing about.

Second, nginx in EPEL is clearly getting regular updates.

Finally, if you really need to keep up to date on nginx (and I do recommend it) then just use nginx’s own stable repository. It’s always up to date and should make security happy. Or at least less mad.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.