Hello,
I have a question regarding the nginx package. I’ve noticed that there are some known issues with the version of nginx being used in EPEL, which is 1.10 at the moment.
1. CVE-2017-7529
2. CVE-2016-4450
Reference : http://nginx.org/en/security_advisories.html
Where can I find the answers to the following questions?
1. Are these security advisories considered important enough to be fixed by the package maintainer?
2. Will they be backported from newer upstream versions?
3. Will the package be bumped to a newer upstream version altogether?
4. Is there a way I can help with maintaining the nginx package?
Thanks, David
Hi,
I'm just a curious bystander and fellow package maintainer, so if anything I say contradicts Jamie or other nginx maintainers, go with them rather than me. :)
Somers-Harris, David | David | OPS wrote:
> I have a question regarding the nginx package.
> I’ve noticed that there are some known issues with the version of nginx being used in EPEL, which is 1.10 at the moment.
> - CVE-2017-7529
> - CVE-2016-4450
> Reference : http://nginx.org/en/security_advisories.html
I see 1.10.2 in both EL6 and EL7, which includes the fix for CVE-2016-4450, according to the advisories page above.
> Where can I find the answers to the following questions?
> - Are these security advisories considered important enough to be fixed by the package maintainer?
In the case of CVE-2017-7529, Red Hat security deemed the impact as low and not warranting a fix (presumably in any layered products where Red Hat ships nginx itself). I found that in the following bugzilla entry:
https://bugzilla.redhat.com/CVE-2017-7529
> - Will they be backported from newer upstream versions?
The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so it would be easy to add to the package. That might be worth doing if/when there is a need for another update. I also noticed that 1.10.3 has been released which contains a few bug fixes:
https://nginx.org/en/CHANGES-1.10
(While I was poking at this, I created a fork of the nginx packaging with the range filter patch applied. That can be found here:
https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7
It's completely untested, other than checking that the patch is applied in the %prep section.)
> - Will the package be bumped to a newer upstream version altogether?
I'm not an nginx user and don't follow it, but if there are incompatible changes in newer releases, then normally EPEL would keep the current version, as long as that is a reasonable option.
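As an added example (not from the thread, the EPEL package or nginx itself), here is a small version-based triage check for the two advisories David listed. The affected ranges and first-fixed releases are the ones published on the nginx advisories page linked above; the changelog text is constructed. It also shows the caveat that matters for EPEL: a distro backport like the range filter patch does not change the version string, so it has to be detected from the package changelog instead.

```python
import re
from typing import Dict, Set, Tuple

# Affected range (inclusive) and first fixed release per stable branch,
# as published at http://nginx.org/en/security_advisories.html
ADVISORIES = {
    "CVE-2016-4450": {"affected": ("1.3.9", "1.11.0"), "fixed_in": ("1.11.1", "1.10.1")},
    "CVE-2017-7529": {"affected": ("0.5.6", "1.13.2"), "fixed_in": ("1.13.3", "1.12.1")},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def cves_in_changelog(changelog: str) -> Set[str]:
    """CVE ids mentioned in an rpm changelog (e.g. `rpm -q --changelog nginx` output)."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))


def status(version: str, cve: str, backported: Set[str] = frozenset()) -> str:
    v = parse_version(version)
    adv = ADVISORIES[cve]
    lo, hi = (parse_version(x) for x in adv["affected"])
    if not (lo <= v <= hi):
        return "not-affected"
    # A fix counts only on the same stable branch: 1.10.2 is inside the
    # CVE-2016-4450 range, but the 1.10 branch was fixed from 1.10.1 on.
    for fixed in adv["fixed_in"]:
        fv = parse_version(fixed)
        if v[:2] == fv[:2] and v >= fv:
            return "fixed-upstream"
    if cve in backported:
        return "fixed-by-distro-patch"
    return "vulnerable"


def triage(version: str, changelog: str = "") -> Dict[str, str]:
    """Status of every tracked CVE for an installed version plus its changelog."""
    return {cve: status(version, cve, cves_in_changelog(changelog)) for cve in ADVISORIES}


# Constructed sample changelog entry (hypothetical, not the real EPEL package's).
SAMPLE_CHANGELOG = """* Fri Sep 29 2017 Example Packager <packager@example.org> - 1:1.10.2-2
- Backport range filter fix (CVE-2017-7529)
"""

if __name__ == "__main__":
    print(triage("1.10.2"))                   # EPEL's version, no backport
    print(triage("1.10.2", SAMPLE_CHANGELOG))  # same version with the patch noted
```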
Thanks a lot Todd for the reply!
This is useful info. I had no idea that Red Hat had an nginx product. So I guess that decisions made against that product inform a lot how the EPEL package is patched as well.
Thanks again
On 2017/09/29 0:33, "Todd Zullinger" <todd.zullinger@gmail.com on behalf of tmz@pobox.com> wrote:
Hi,
I'm just a curious bystander and fellow package maintainer, so if anything I say contradicts Jamie or other nginx maintainers, go with them rather than me. :)
Somers-Harris, David | David | OPS wrote:
> I have a question regarding the nginx package.
>
> I’ve noticed that there are some known issues with the version of nginx being used in EPEL, which is 1.10 at the moment.
>
> 1. CVE-2017-7529
> 2. CVE-2016-4450
>
> Reference : http://nginx.org/en/security_advisories.html
I see 1.10.2 in both EL6 and EL7, which includes the fix for CVE-2016-4450, according to the advisories page above.
> Where can I find the answers to the following questions?
>
> 1. Are these security advisories considered important enough to be fixed by the package maintainer?
In the case of CVE-2017-7529, Red Hat security deemed the impact as low and not warranting a fix (presumably in any layered products where Red Hat ships nginx itself). I found that in the following bugzilla entry:
https://bugzilla.redhat.com/CVE-2017-7529
> 2. Will they be backported from newer upstream versions?
The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so it would be easy to add to the package. That might be worth doing if/when there is a need for another update. I also noticed that 1.10.3 has been released which contains a few bug fixes:
https://nginx.org/en/CHANGES-1.10
(While I was poking at this, I created a fork of the nginx packaging with the range filter patch applied. That can be found here:
https://src.fedoraproject.org/fork/tmz/rpms/nginx/c/52b9911a?branch=epel7
It's completely untested, other than checking that the patch is applied in the %prep section.)
> 3. Will the package be bumped to a newer upstream version altogether?
I'm not an nginx user and don't follow it, but if there are incompatible changes in newer releases, then normally EPEL would keep the current version, as long as that is a reasonable option.
--
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
History, n. An account mostly false, of events mostly unimportant, which are brought about by rulers mostly knaves, and soldiers mostly fools.
    -- Ambrose Bierce, "The Devil's Dictionary"