Hi, I'm just a curious bystander and fellow package maintainer, so if anything I say contradicts Jamie or other nginx maintainers, go with them rather than me. :)
Somers-Harris, David | David | OPS wrote:
I have a question regarding the nginx package. I've noticed that there are some known issues with the version of nginx being used in EPEL, which is 1.10 at the moment.
1. CVE-2017-7529
2. CVE-2016-4450
Reference: http://nginx.org/en/security_advisories.html
I see 1.10.2 in both EL6 and EL7, which includes the fix for CVE-2016-4450, according to the advisories page above.
Where can I find the answers to the following questions?
1. Are these security advisories considered important enough to be fixed by the package maintainer?
In the case of CVE-2017-7529, Red Hat security deemed the impact as low and not warranting a fix (presumably in any layered products where Red Hat ships nginx itself). I found that in the following bugzilla entry:
https://bugzilla.redhat.com/CVE-2017-7529
2. Will they be backported from newer upstream versions?
The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so it would be easy to add to the package. That might be worth doing if/when there is a need for another update. I also noticed that 1.10.3 has been released which contains a few bug fixes:
https://nginx.org/en/CHANGES-1.10
(While I was poking at this, I created a fork of the nginx packaging with the range filter patch applied. That can be found here:
https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7
It's completely untested, other than checking that the patch is applied in the %prep section.)
3. Will the package be bumped to a newer upstream version altogether?
I'm not an nginx user and don't follow it, but if there are incompatible changes in newer releases, then normally EPEL would keep the current version, as long as that is a reasonable option.
--
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
History, n. An account mostly false, of events mostly unimportant, which are brought about by rulers mostly knaves, and soldiers mostly fools.
-- Ambrose Bierce, "The Devil's Dictionary"
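As an added example, not taken from the thread, the EPEL nginx package or the nginx project: a small checker that answers the practical question behind this exchange, namely whether a given nginx RPM is still exposed to the two CVEs discussed above. The affected and fixed ranges are my transcription of the entries on the nginx advisories page linked above; the version alone cannot see a distro backport like the forked package with the range filter patch, so the checker also accepts the package changelog and treats a CVE id mentioned there as evidence of a backport. That changelog heuristic, the `assess`/`upstream_status` names and the NVR strings and changelog lines are assumptions constructed for this example.

```python
"""Classify an nginx RPM against the advisories discussed in the thread.

Added example; not code from the EPEL package or from nginx. The changelog
heuristic for spotting a backport is an assumption of this example.
"""
import re

# Transcribed from https://nginx.org/en/security_advisories.html (assumed
# accurate). "fixed" lists the first fixed release on each upstream branch
# that received a fix; a branch with no entry (1.10.x for CVE-2017-7529)
# was never fixed upstream and needs a backported patch instead.
ADVISORIES = {
    "CVE-2016-4450": {"affected": ("1.3.9", "1.11.0"), "fixed": ("1.11.1", "1.10.1")},
    "CVE-2017-7529": {"affected": ("0.5.6", "1.13.2"), "fixed": ("1.13.3", "1.12.1")},
}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_NVR = re.compile(r"^nginx-(\d+\.\d+\.\d+)-")


def parse_version(text):
    """'1.10.2' -> (1, 10, 2); anything else raises ValueError."""
    m = _VER.fullmatch(text)
    if not m:
        raise ValueError("not an nginx version: %r" % text)
    return tuple(int(x) for x in m.groups())


def upstream_status(version, advisory):
    """Return 'not affected', 'fixed upstream' or 'vulnerable' for a version."""
    v = parse_version(version)
    low, high = (parse_version(x) for x in advisory["affected"])
    if v < low or v > high:
        return "not affected"
    # A fix only counts if it landed on the same major.minor branch as v,
    # at or below v: 1.12.1 fixes 1.12.x but says nothing about 1.10.x.
    for fixed in map(parse_version, advisory["fixed"]):
        if fixed[:2] == v[:2] and v >= fixed:
            return "fixed upstream"
    return "vulnerable"


def assess(nvr, changelog=""):
    """Map each CVE to a status for an RPM name-version-release string.

    changelog is the text of `rpm -q --changelog nginx`; a CVE id appearing
    there is taken as a sign that the fix was backported (heuristic only).
    """
    m = _NVR.match(nvr)
    if not m:
        raise ValueError("not an nginx NVR: %r" % nvr)
    version = m.group(1)
    result = {}
    for cve, adv in ADVISORIES.items():
        status = upstream_status(version, adv)
        if status == "vulnerable" and cve in changelog:
            status = "backported (changelog mentions CVE)"
        result[cve] = status
    return result


if __name__ == "__main__":
    # Constructed inputs: an NVR for the 1.10.2 build mentioned in the thread,
    # and a hypothetical rebuild whose changelog records the range filter patch.
    print(assess("nginx-1.10.2-1.el7"))
    print(assess("nginx-1.10.2-2.el7",
                 changelog="- Apply upstream range filter patch (CVE-2017-7529)"))
```

On a real host the two inputs come from `rpm -q nginx` and `rpm -q --changelog nginx`; a "vulnerable" verdict for CVE-2017-7529 on a 1.10.x package is expected until a build with the backported patch ships, and the changelog check only works if the packager records the CVE id there.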
_______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx