Thanks a lot Todd for the reply!
This is useful info. I had no idea that Red Hat had an nginx product.
So I guess that decisions made against that product inform a lot how the EPEL package is patched as well.
Thanks again (
On 2017/09/29 0:33, "Todd Zullinger" <todd.zullinger@xxxxxxxxx on behalf of tmz@xxxxxxxxx> wrote:
Hi,
I'm just a curious bystander and fellow package maintainer, so if
anything I say contradicts Jamie or other nginx maintainers, go with
them rather than me. :)
Somers-Harris, David | David | OPS wrote:
> I have a question regarding the nginx package.
>
> I’ve noticed that there are some known issues with the version of
> nginx being used in EPEL, which is 1.10 at the moment.
>
> 1. CVE-2017-7529
> 2. CVE-2016-4450
>
> Reference : http://nginx.org/en/security_advisories.html
I see 1.10.2 in both EL6 and EL7, which includes the fix for
CVE-2016-4450, according to the advisories page above.
> Where can I find the answers to the following questions?
>
> 1. Are these security advisories considered important enough to be
> fixed by the package maintainer?
In the case of CVE-2017-7529, Red Hat security deemed the impact as
low and not warranting a fix (presumably in any layered products where
Red Hat ships nginx itself). I found that in the following bugzilla
entry:
https://bugzilla.redhat.com/CVE-2017-7529
> 2. Will they be backported from newer upstream versions?
The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so
it would be easy to add to the package. That might be worth doing
if/when there is a need for another update. I also noticed that
1.10.3 has been released which contains a few bug fixes:
https://nginx.org/en/CHANGES-1.10
(While I was poking at this, I created a fork of the nginx packaging
with the range filter patch applied. That can be found here:
https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7
It's completely untested, other than checking that the patch is
applied in the %prep section.)
> 3. Will the package be bumped to a newer upstream version
> altogether?
I'm not an nginx user and don't follow it, but if there are
incompatible changes in newer releases, then normally EPEL would keep
the current version, as long as that is a reasonable option.
--
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
History, n. An account mostly false, of events mostly unimportant,
which are brought about by rulers mostly knaves, and soldiers mostly
fools.
-- Ambrose Bierce, "The Devil's Dictionary"
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
