Re: nginx package question

Hi,

I'm just a curious bystander and fellow package maintainer, so if anything I say contradicts Jamie or other nginx maintainers, go with them rather than me. :)

Somers-Harris, David | David | OPS wrote:
I have a question regarding the nginx package.

I’ve noticed that there are some known issues with the version of nginx being used in EPEL, which is 1.10 at the moment.

1. CVE-2017-7529
2. CVE-2016-4450

Reference : http://nginx.org/en/security_advisories.html

I see 1.10.2 in both EL6 and EL7, which includes the fix for CVE-2016-4450, according to the advisories page above.

Where can I find the answers to the following questions?

1. Are these security advisories considered important enough to be fixed by the package maintainer?

In the case of CVE-2017-7529, Red Hat security deemed the impact as low and not warranting a fix (presumably in any layered products where Red Hat ships nginx itself). I found that in the following bugzilla entry:

   https://bugzilla.redhat.com/CVE-2017-7529

2. Will they be backported from newer upstream versions?

The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so it would be easy to add to the package. That might be worth doing if/when there is a need for another update. I also noticed that 1.10.3 has been released which contains a few bug fixes:

   https://nginx.org/en/CHANGES-1.10

(While I was poking at this, I created a fork of the nginx packaging with the range filter patch applied. That can be found here:

   https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7

It's completely untested, other than checking that the patch is applied in the %prep section.)

3. Will the package be bumped to a newer upstream version altogether?

I'm not an nginx user and don't follow it, but if there are incompatible changes in newer releases, then normally EPEL would keep the current version, as long as that is a reasonable option.

--
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
History, n. An account mostly false, of events mostly unimportant,
which are brought about by rulers mostly knaves, and soldiers mostly
fools.
   -- Ambrose Bierce, "The Devil's Dictionary"


_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
