Thanks a lot, Todd, for the reply! This is useful info. I had no idea that Red Hat had an nginx product. So I guess that decisions made against that product inform a lot how the EPEL package is patched as well. Thanks again (

On 2017/09/29 0:33, "Todd Zullinger" <todd.zullinger@xxxxxxxxx on behalf of tmz@xxxxxxxxx> wrote:

Hi,

I'm just a curious bystander and fellow package maintainer, so if anything I say contradicts Jamie or other nginx maintainers, go with them rather than me. :)

Somers-Harris, David | David | OPS wrote:
> I have a question regarding the nginx package.
>
> I've noticed that there are some known issues with the version of
> nginx being used in EPEL, which is 1.10 at the moment.
>
> 1. CVE-2017-7529
> 2. CVE-2016-4450
>
> Reference: http://nginx.org/en/security_advisories.html

I see 1.10.2 in both EL6 and EL7, which includes the fix for CVE-2016-4450, according to the advisories page above.

> Where can I find the answers to the following questions?
>
> 1. Are these security advisories considered important enough to be
> fixed by the package maintainer?

In the case of CVE-2017-7529, Red Hat security deemed the impact as low and not warranting a fix (presumably in any layered products where Red Hat ships nginx itself). I found that in the following bugzilla entry:

https://bugzilla.redhat.com/CVE-2017-7529

> 2. Will they be backported from newer upstream versions?

The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so it would be easy to add to the package. That might be worth doing if/when there is a need for another update. I also noticed that 1.10.3 has been released, which contains a few bug fixes:

https://nginx.org/en/CHANGES-1.10

(While I was poking at this, I created a fork of the nginx packaging with the range filter patch applied. That can be found here:

https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7

It's completely untested, other than checking that the patch is applied in the %prep section.)

> 3. Will the package be bumped to a newer upstream version
> altogether?

I'm not an nginx user and don't follow it, but if there are incompatible changes in newer releases, then normally EPEL would keep the current version, as long as that is a reasonable option.

-- 
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
History, n. An account mostly false, of events mostly unimportant, which are brought about by rulers mostly knaves, and soldiers mostly fools.
    -- Ambrose Bierce, "The Devil's Dictionary"

_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx