Thanks a lot Todd for the reply!
This is useful info. I had no idea that Red Hat had an nginx product.
So I guess that decisions made against that product inform a lot of how the EPEL package is
patched as well.
Thanks again (
On 2017/09/29 0:33, "Todd Zullinger" <todd.zullinger(a)gmail.com on behalf of
I'm just a curious bystander and fellow package maintainer, so if
anything I say contradicts Jamie or other nginx maintainers, go with
them rather than me. :)
Somers-Harris, David | David | OPS wrote:
I have a question regarding the nginx package.
I’ve noticed that there are some known issues with the version of
nginx being used in EPEL, which is 1.10 at the moment.
Reference : http://nginx.org/en/security_advisories.html
I see 1.10.2 in both EL6 and EL7, which includes the fix for
CVE-2016-4450, according to the advisories page above.
Where can I find the answers to the following questions?
1. Are these security advisories considered important enough to be
fixed by the package maintainer?
In the case of CVE-2017-7529, Red Hat security deemed the impact as
low and not warranting a fix (presumably in any layered products where
Red Hat ships nginx itself). I found that in the following bugzilla
2. Will they be backported from newer upstream versions?
The range filter patch for CVE-2017-7529 applies cleanly to 1.10.2, so
it would be easy to add to the package. That might be worth doing
if/when there is a need for another update. I also noticed that
1.10.3 has been released which contains a few bug fixes:
(While I was poking at this, I created a fork of the nginx packaging
with the range filter patch applied. That can be found here:
It's completely untested, other than checking that the patch is
applied in the %prep section.)
3. Will the package be bumped to a newer upstream version?
I'm not an nginx user and don't follow it, but if there are
incompatible changes in newer releases, then normally EPEL would keep
the current version, as long as that is a reasonable option.
History, n. An account mostly false, of events mostly unimportant,
which are brought about by rulers mostly knaves, and soldiers mostly
-- Ambrose Bierce, "The Devil's Dictionary"
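Todd's check of the range filter patch was only that it applies cleanly to 1.10.2 and lands in `%prep`. The following is an added example, not code from this thread, from the EPEL nginx package or from nginx itself: a small Python dry-run checker that parses a single-file unified diff and reports, per hunk, whether the hunk's context and removed lines are found verbatim in the target file, either at the stated line or at an offset (the way `patch --dry-run` reports it, but without fuzz matching, so a clean result means the patch applies exactly as written). The source file and the patch it uses are constructed for the example and are not the nginx range filter code or the CVE-2017-7529 fix.

```python
"""Minimal unified-diff dry-run checker (constructed example, not nginx/EPEL code).

Tells a packager whether a patch still applies to the source it is about to be
added to, before touching the spec file.  No fuzz: every ' ' and '-' line of a
hunk must be present verbatim, exactly at the stated line or at some offset.
"""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(diff_text):
    """Return a list of {'old_start': int, 'old_lines': [str]} for each hunk.

    old_lines holds the lines the hunk expects to find in the ORIGINAL file
    (context ' ' lines and removed '-' lines, prefix stripped); '+' lines and
    file headers are skipped.  The hunk's old-line count decides where it ends,
    so a removed line that happens to start with '--' is not mistaken for a header.
    """
    hunks, current, old_remaining = [], None, 0
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            old_remaining = int(m.group(2)) if m.group(2) is not None else 1
            current = {"old_start": int(m.group(1)), "old_lines": []}
            hunks.append(current)
            continue
        if current is None or old_remaining == 0:
            continue  # '---'/'+++' headers or text between hunks
        if line.startswith("+") or line.startswith("\\"):
            continue  # added line, or "\ No newline at end of file" marker
        current["old_lines"].append(line[1:])  # ' ' or '-' line: must exist in original
        old_remaining -= 1
    return hunks


def locate_hunk(file_lines, hunk):
    """Return the offset (0 = exact position) at which the hunk's old lines appear
    verbatim in file_lines, choosing the match closest to the stated line, or None."""
    expected = hunk["old_lines"]
    n = len(expected)
    if n == 0:
        return 0  # e.g. '@@ -0,0 +1,3 @@' for a newly created file
    stated = hunk["old_start"] - 1
    best = None
    for pos in range(len(file_lines) - n + 1):
        if file_lines[pos:pos + n] == expected:
            off = pos - stated
            if best is None or abs(off) < abs(best):
                best = off
    return best


def dry_run(diff_text, file_text):
    """Return (applies_cleanly, report_lines) in the style of patch(1)'s output."""
    file_lines = file_text.splitlines()
    report, clean = [], True
    for i, hunk in enumerate(parse_hunks(diff_text), 1):
        off = locate_hunk(file_lines, hunk)
        start = hunk["old_start"]
        if off is None:
            clean = False
            report.append(f"Hunk #{i} FAILED at {start}.")
        elif off == 0:
            report.append(f"Hunk #{i} succeeded at {start}.")
        else:
            report.append(f"Hunk #{i} succeeded at {start + off} (offset {off:+d} lines).")
    return clean, report


# Constructed sample source (hypothetical, not nginx) and a constructed patch that
# adds a bounds check to it.
ORIGINAL = """\
#include <stdio.h>

int
parse_range(int start, int end, int size)
{
    if (start > end) {
        return -1;
    }
    return end - start;
}
"""

PATCH = """\
--- a/example.c
+++ b/example.c
@@ -5,6 +5,9 @@
 {
     if (start > end) {
         return -1;
     }
+    if (end > size) {
+        return -1;
+    }
     return end - start;
 }
"""

if __name__ == "__main__":
    for label, text in [("pristine", ORIGINAL),
                        ("two lines prepended", "/* header */\n/* comment */\n" + ORIGINAL),
                        ("conflicting edit", ORIGINAL.replace("return -1", "return -2"))]:
        ok, lines = dry_run(PATCH, text)
        print(f"{label}: {'applies cleanly' if ok else 'does NOT apply'}")
        for line in lines:
            print("  " + line)
```

Running it prints a clean apply against the pristine file, an apply at offset +2 when lines are prepended, and a failed hunk when the context has been changed, which is the signal that a patch written against a newer upstream needs a manual backport rather than a straight drop into the spec.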