Hi,
I'm just a curious bystander and fellow package maintainer, so if anything I say contradicts Jamie or other nginx maintainers, go with them rather than me. :)
Somers-Harris, David | David | OPS wrote:
> I have a question regarding the nginx package.
> I’ve noticed that there are some known issues with the version of nginx being used in EPEL, which is 1.10 at the moment.
> - CVE-2017-7529
> - CVE-2016-4450
> Reference: http://nginx.org/en/security_advisories.html
I see 1.10.2 in both EL6 and EL7, which includes the fix for CVE-2016-4450, according to the advisories page above.
Where can I find the answers to the following questions?
> - Are these security advisories considered important enough to be fixed by the package maintainer?
In the case of CVE-2017-7529, Red Hat security deemed the impact as low and not warranting a fix (presumably in any layered products where Red Hat ships nginx itself). I found that in the following bugzilla entry:
https://bugzilla.redhat.com/CVE-2017-7529
> - Will they be backported from newer upstream versions?
The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so it would be easy to add to the package. That might be worth doing if/when there is a need for another update. I also noticed that 1.10.3 has been released which contains a few bug fixes:
https://nginx.org/en/CHANGES-1.10
(While I was poking at this, I created a fork of the nginx packaging with the range filter patch applied. That can be found here:
https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7
It's completely untested, other than checking that the patch is applied in the %prep section.)
> - Will the package be bumped to a newer upstream version altogether?
I'm not an nginx user and don't follow it, but if there are incompatible changes in newer releases, then normally EPEL would keep the current version, as long as that is a reasonable option.
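The one check mentioned above for the forked package was that the range filter patch is actually applied in %prep. As an added example (not code from the thread or from the Fedora nginx package), here is a small POSIX shell lint that confirms every PatchN: tag declared in a spec is applied in %prep, either by an explicit %patchN line or by %autosetup/%autopatch; the spec fragment and patch file name are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that each declared PatchN: in an RPM spec is applied.
# A patch that is declared but never applied builds fine and silently ships
# the unfixed code, so this is worth checking before rebuilding a package.
# Assumes %autosetup/%autopatch are not used with -N (which skips patches).

check_spec_patches() {
    spec="$1"
    # %autosetup / %autopatch apply every declared PatchN automatically.
    if grep -Eq '^%(autosetup|autopatch)' "$spec"; then
        return 0
    fi
    rc=0
    for n in $(grep -Eo '^Patch[0-9]+:' "$spec" | sed 's/^Patch//; s/://'); do
        # Accept "%patchN ..." and the newer "%patch -PN ..." spelling;
        # the ([^0-9]|$) guard keeps %patch1 from matching %patch10.
        if ! grep -Eq "^%patch(${n}([^0-9]|$)|[[:space:]]+-P[[:space:]]*${n}([^0-9]|$))" "$spec"; then
            echo "Patch${n} declared but never applied in %prep" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed spec fragment for the demo (hypothetical patch file name).
write_demo_spec() {
    printf '%s\n' \
        'Name: nginx' \
        'Version: 1.10.2' \
        'Patch0: nginx-1.10.2-config.patch' \
        'Patch1: nginx-1.10.2-CVE-2017-7529-range-filter.patch' \
        '%prep' \
        '%setup -q' \
        '%patch0 -p1' \
        "$1" > "$2"
}

# Demo when run directly: first spec applies both patches, second forgets Patch1.
demo=$(mktemp)
write_demo_spec '%patch1 -p1' "$demo"
check_spec_patches "$demo" && echo "ok: all patches applied"
write_demo_spec '' "$demo"
check_spec_patches "$demo" || echo "problem found (see stderr)"
rm -f "$demo"
```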