Re: nginx package question

Thanks a lot Todd for the reply!

This is useful info. I had no idea that Red Hat had an nginx product.
So I guess that decisions made about that product largely inform how the EPEL package is patched as well.

Thanks again (

On 2017/09/29 0:33, "Todd Zullinger" <todd.zullinger@xxxxxxxxx on behalf of tmz@xxxxxxxxx> wrote:

    Hi,
    
    I'm just a curious bystander and fellow package maintainer, so if 
    anything I say contradicts Jamie or other nginx maintainers, go with 
    them rather than me. :)
    
    Somers-Harris, David | David | OPS wrote:
    > I have a question regarding the nginx package.
    >
    > I’ve noticed that there are some known issues with the version of 
    > nginx being used in EPEL, which is 1.10 at the moment.
    >
    >  1.  CVE-2017-7529
    >  2.  CVE-2016-4450
    >
    > Reference : http://nginx.org/en/security_advisories.html
    
    I see 1.10.2 in both EL6 and EL7, which includes the fix for 
    CVE-2016-4450, according to the advisories page above.
    
    > Where can I find the answers to the following questions?
    >
    >  1.  Are these security advisories considered important enough to be 
    >  fixed by the package maintainer?
    
    In the case of CVE-2017-7529, Red Hat security deemed the impact as 
    low and not warranting a fix (presumably in any layered products where 
    Red Hat ships nginx itself).  I found that in the following bugzilla 
    entry:
    
        https://bugzilla.redhat.com/CVE-2017-7529
    
    >  2.  Will they be backported from newer upstream versions?
    
    The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so 
    it would be easy to add to the package.  That might be worth doing 
    if/when there is a need for another update.  I also noticed that 
    1.10.3 has been released which contains a few bug fixes:
    
        https://nginx.org/en/CHANGES-1.10
    
    (While I was poking at this, I created a fork of the nginx packaging 
    with the range filter patch applied.  That can be found here:
    
        https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7
    
    It's completely untested, other than checking that the patch is 
    applied in the %prep section.)
    
    >  3.  Will the package be bumped to a newer upstream version 
    >  altogether?
    
    I'm not an nginx user and don't follow it, but if there are 
    incompatible changes in newer releases, then normally EPEL would keep 
    the current version, as long as that is a reasonable option.
    
    -- 
    Todd
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    History, n. An account mostly false, of events mostly unimportant,
    which are brought about by rulers mostly knaves, and soldiers mostly
    fools.
        -- Ambrose Bierce, "The Devil's Dictionary"
    
    

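Todd's reply separates two questions that are easy to conflate: whether the upstream version number already contains a fix (CVE-2016-4450 in 1.10.2) and whether the distro has backported a fix that upstream only shipped in a later release (the range filter patch for CVE-2017-7529). The script below is an added example, not code from the thread or from the EPEL nginx packaging, showing one way to make that check for an installed package. Its "first fixed" version lists are taken from the nginx security advisories page linked above, not from the thread; the changelog text, the packager name and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from the nginx/EPEL packaging):
# answer "is this nginx package fixed for CVE X?" the way the thread
# separates it: by upstream version first, then by distro backport.

# Return 0 if dotted version $1 >= $2 (numeric, component by component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# First fixed release on each upstream branch. Assumption: these values are
# taken from nginx.org/en/security_advisories.html, not from the thread.
fixed_in() {
    case "$1" in
        CVE-2016-4450) echo "1.10.1 1.11.1" ;;
        CVE-2017-7529) echo "1.12.1 1.13.3" ;;
        *)             echo "" ;;
    esac
}

branch_of() { printf '%s\n' "$1" | cut -d. -f1,2; }

# Return 0 if upstream version $1 already contains the fix for CVE $2.
# Branch-aware: 1.11.0 is older than the 1.11.1 fix even though it is
# numerically above the 1.10.1 fix on the stable branch.
fixed_upstream() {
    local ver fixed newest f
    ver=$1; fixed=$(fixed_in "$2"); newest=""
    [ -n "$fixed" ] || return 1
    for f in $fixed; do
        if [ "$(branch_of "$f")" = "$(branch_of "$ver")" ]; then
            if version_ge "$ver" "$f"; then return 0; else return 1; fi
        fi
        if [ -z "$newest" ] || version_ge "$f" "$newest"; then newest=$f; fi
    done
    # No fix on this branch: only releases newer than every fixed branch have it.
    if version_ge "$ver" "$newest"; then return 0; else return 1; fi
}

# Verdict for version $1, CVE $2, given the package changelog text $3:
# fixed-upstream | backported | unpatched | unknown-cve
nginx_cve_status() {
    if [ -z "$(fixed_in "$2")" ]; then
        echo unknown-cve
    elif fixed_upstream "$1" "$2"; then
        echo fixed-upstream
    elif printf '%s\n' "$3" | grep -q -- "$2"; then
        echo backported          # heuristic: the changelog names the CVE
    else
        echo unpatched
    fi
}

# Constructed sample changelog (hypothetical packager and entries).
SAMPLE_CHANGELOG='* Thu Sep 28 2017 Example Packager <packager@example.com> - 1:1.10.2-2
- backport upstream range filter patch (CVE-2017-7529)
* Tue Nov 01 2016 Example Packager <packager@example.com> - 1:1.10.2-1
- update to 1.10.2'

# Demo on the constructed data; on a real EL host use instead:
#   nginx_cve_status "$(nginx -v 2>&1 | sed 's#.*nginx/##')" CVE-2017-7529 "$(rpm -q --changelog nginx)"
for cve in CVE-2016-4450 CVE-2017-7529; do
    echo "1.10.2 $cve: $(nginx_cve_status 1.10.2 "$cve" "$SAMPLE_CHANGELOG")"
done
```

The changelog match is only a heuristic: a changelog line naming a CVE does not prove the patch is applied, which is exactly why Todd checked that the patch is applied in the spec's %prep section rather than trusting the entry. Conversely, an "unpatched" verdict from the version alone is not the final word for a distro package, which is the point the original question ran into.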
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx