On Jan 29, 2016 14:52, "Jamie Nguyen" <j@jamielinux.com> wrote:
>
> Hi,
>
> A few days ago, three CVEs for Nginx were fixed in 1.8.1. Upstream
> only maintain 1.8.x and above, so they didn't release any fixes for
> older versions of Nginx. I was able to backport the relevant commits to
> Nginx 1.6.x on EL7.
>

Thank you for your request. I think that this is a good candidate for a break in all three channels. I will try to get enough EPSco people to look at this and give feedback while we are at FOSDEM. Hope to have a +1 for you soon.

> Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot but
> backporting the patches reliably without creating new CVEs is beyond my
> expertise. Nginx 0.8.x on EL5 is prehistoric.
>
> This leaves the package in a bit of a pickle. Leaving things as they are
> would leave web servers vulnerable. On the other hand, updating Nginx to
> 1.8.x on EL5/6/7 will inevitably break something for someone (eg, via
> yum-cron). I had a small discussion on fedora-devel ML about the
> situation [0], and the consensus was to request for an exception.
>
> My plan:
> 1. Update to 1.8.x on all branches (or to as recent a version as they
> can go without FTBFS)
> 2. Leave them in epel-testing for a prolonged period, probably until the
> next point release of RHEL.
> 3. Include some migration notes with the RPMs, and also post these notes
> to epel-devel/epel-announce.
>
> Sound reasonable?
>
> [0]:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/VFCIBCTGIYMVJCCUE3ZQVAARVHUF3YPP/
>
> Kind regards,
> Jamie
> _______________________________________________
> epel-devel mailing list
> epel-devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/epel-devel@lists.fedoraproject.org
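Added example (not part of the thread above, nor of the EPEL nginx package): a small POSIX sh check that takes the banner printed by `nginx -v` and reports whether the installed server is older than 1.8.1, the release the thread names as carrying the fixes. The function names and the sample banners are mine. The important caveat, which the thread itself illustrates, is that a version-banner check cannot see backported fixes: the 1.6.x build on EL7 that Jamie describes would still report 1.6.x after the patches are applied, so on distro packages the RPM changelog (`rpm -q --changelog nginx`) is the authoritative source, and this check is only a first-pass triage across hosts.

```sh
#!/bin/sh
# Added example, not code from the epel-devel thread.
# Inputs are banners as printed by `nginx -v` (which writes to stderr), e.g.
#   "nginx version: nginx/1.6.3"
# The threshold is the upstream release the thread says fixed the three CVEs.

FIXED_VERSION="1.8.1"

# version_lt A B: succeed (exit 0) if dotted version A sorts strictly before B.
# Compares up to three numeric components, so 1.10.0 correctly sorts after 1.8.1
# (a plain string compare would get that wrong).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# nginx_version_from_banner BANNER: print the x.y.z part, or nothing if absent.
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# nginx_needs_update BANNER: print "yes" if the banner's version is older than
# FIXED_VERSION, "no" if it is at or past it, "unknown" if no version is found.
# "yes" only means the upstream version predates the fix; a distro package may
# carry backported patches under the old version number (see the thread).
nginx_needs_update() {
    v=$(nginx_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo yes
    else
        echo no
    fi
}

# Typical use on a host (captures nginx's stderr banner):
#   nginx_needs_update "$(nginx -v 2>&1)"
```

For fleet triage, run the check over `nginx -v` output collected from each host and then confirm every "yes" against the package changelog before deciding it is actually exposed.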