On 29 January 2016 at 06:51, Jamie Nguyen <j(a)jamielinux.com> wrote:
Hi,
A few days ago, three CVEs for Nginx and were fixed in 1.8.1. Upstream
only maintain 1.8.x and above, so they didn't release any fixes for
older versions of Nginx. I was able to backport the relevant commits to
Nginx 1.6.x on EL7.
Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot but
backporting the patches reliably without creating new CVEs is beyond my
expertise. Nginx 0.8.x on EL5 is prehistoric.
This leaves the package in a bit of a pickle. Leaving things as they are
would leave web servers vulnerable. On the other hand, updating Nginx to
1.8.x on EL5/6/7 will inevitably break something for someone (eg, via
yum-cron). I had a small discussion on fedora-devel ML about the
situation [0], and the consensus was to request for an exception.
My plan:
1. Update to 1.8.x on all branches (or to as recent a version as they
can go without FTBFS)
2. Leave them in epel-testing for a prolonged period, probably until the
next point release of RHEL.
3. Include some migration notes with the RPMs, and also post these notes
to epel-devel/epel-announce.
Sound reasonable?
And it looks like I missed sending a final response on this. We talked
about this at the EPEL Steering Committee meeting and approve of this
plan. Please update to 1.8 (if you haven't already) and follow
through.
--
Stephen J Smoogen.