Hi,

A few days ago, three CVEs for Nginx were fixed in 1.8.1. Upstream
only maintain 1.8.x and above, so they didn't release any fixes for
older versions of Nginx. I was able to backport the relevant commits to
Nginx 1.6.x on EL7.

Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot, but
backporting the patches reliably without creating new CVEs is beyond my
expertise. Nginx 0.8.x on EL5 is prehistoric.

This leaves the package in a bit of a pickle. Leaving things as they are
would leave web servers vulnerable. On the other hand, updating Nginx to
1.8.x on EL5/6/7 will inevitably break something for someone (e.g., via
yum-cron). I had a small discussion on the fedora-devel ML about the
situation [0], and the consensus was to request an exception.

My plan:

1. Update to 1.8.x on all branches (or to as recent a version as they
can go without FTBFS).
2. Leave them in epel-testing for a prolonged period, probably until the
next point release of RHEL.
3. Include some migration notes with the RPMs, and also post these notes
to epel-devel/epel-announce.

Sound reasonable?

[0]:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o...

Kind regards,
Jamie