Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Hello,

I have prepared an upload for nginx that I'd like to upload to sid and get an exception for jessie. 1.6.2-5 (not yet uploaded) includes an important bug fix (disable sslv3 by default) that is somewhat important to be included in jessie, since all other (web) servers have already disabled SSLv3. Apart from that, I have included some minor packaging and documentation fixes that are nice-to-have. I believe that they are safe enough to be included if that's ok with the release team.

The relevant changelog entries:

  * debian/conf/nginx.conf:
    + Drop SSLv3 protocol (POODLE), and prefer server ciphers by default.
      (Closes: #767456)
  * debian/copyright:
    + Add copyright for ngx_http_substitutions_filter_module.
  * debian/nginx-common.{preinst,postinst,postrm}:
    + Remove /etc/nginx/naxsi-ui.conf conffile. (Closes: #768233)
  * debian/README.Debian:
    + Add a list of important changes since wheezy.

I am also attaching a debdiff from testing. The changes are also pushed to the for_jessie branch in our collab-maint repo:

http://anonscm.debian.org/cgit/collab-maint/nginx.git/log/?h=for_jessie

Please inform me if those changes are approved by the release team or if I have to drop some of the fixes.

Thanks in advance,
chris
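An added check, my own example and not code from the bug report or the Debian package: the NEWS entry in the debdiff anticipates sites that re-enable SSLv3 in their own server block, so this scanner resolves the effective ssl_protocols per server block the way nginx inherits it from the enclosing http block, and falls back to the nginx 1.6 series' built-in default (which still included SSLv3) where no directive is set at all. The sample configuration and hostnames are constructed.

```python
import re

# Constructed sample (not a file from the package): the http-level defaults
# from the debdiff plus a hypothetical site that re-enables SSLv3.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    server {
        server_name legacy.example.invalid;
        ssl_protocols SSLv3 TLSv1;   # a site that "depends on" SSLv3
    }
    server {
        server_name modern.example.invalid;   # inherits the http-level value
    }
}
"""
# Upstream built-in default of the nginx 1.6 series when ssl_protocols is unset.
NGINX_16_DEFAULT = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
WEAK = {"SSLv2", "SSLv3"}
TOKEN = re.compile(r"#[^\n]*|[{};]|[^\s{};#]+")

def audit_ssl_protocols(conf):
    """Map each server_name to (effective ssl_protocols, weak ones found),
    resolving nginx's inheritance from the enclosing http/main blocks."""
    stack = [{"_name": "main"}]   # directives seen in each open block
    words, report = [], {}
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue                  # comments carry no directives
        if tok == "{":
            stack.append({"_name": words[0] if words else "?"})
            words = []
        elif tok == ";":
            if words:
                stack[-1][words[0]] = words[1:]
            words = []
        elif tok == "}":
            block = stack.pop()
            if block["_name"] != "server":
                continue
            protos = NGINX_16_DEFAULT     # innermost setting wins
            for scope in [block] + stack[::-1]:
                if "ssl_protocols" in scope:
                    protos = scope["ssl_protocols"]
                    break
            name = block.get("server_name", ["(unnamed)"])[0]
            report[name] = (protos, sorted(WEAK & set(protos)))
        else:
            words.append(tok)
    return report
```

Run it over a real tree by concatenating nginx.conf with the files it includes; the legacy site above is reported with SSLv3 while the modern one inherits the hardened http-level list.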
diff -Nru nginx-1.6.2/debian/changelog nginx-1.6.2/debian/changelog --- nginx-1.6.2/debian/changelog 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/changelog 2014-11-30 11:05:49.000000000 +0200 @@ -1,3 +1,18 @@ +nginx (1.6.2-5) unstable; urgency=medium + + [ Christos Trochalakis ] + * debian/conf/nginx.conf: + + Drop SSLv3 protocol (POODLE), and prefer server ciphers + by default. (Closes: #767456) + * debian/copyright: + + Add copyright for ngx_http_substitutions_filter_module. + * debian/nginx-common.{preinst,postinst,postrm}: + + Remove /etc/nginx/naxsi-ui.conf conffile. (Closes: #768233) + * debian/README.Debian: + + Add a list of important changes since wheezy. + + -- Christos Trochalakis <yati...@ideopolis.gr> Sun, 30 Nov 2014 10:39:55 +0200 + nginx (1.6.2-4) unstable; urgency=medium [ Christos Trochalakis ] diff -Nru nginx-1.6.2/debian/conf/nginx.conf nginx-1.6.2/debian/conf/nginx.conf --- nginx-1.6.2/debian/conf/nginx.conf 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/conf/nginx.conf 2014-11-30 11:05:49.000000000 +0200 @@ -27,6 +27,13 @@ default_type application/octet-stream; ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## # Logging Settings ## diff -Nru nginx-1.6.2/debian/conf/sites-available/default nginx-1.6.2/debian/conf/sites-available/default --- nginx-1.6.2/debian/conf/sites-available/default 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/conf/sites-available/default 2014-11-30 11:05:49.000000000 +0200 
@@ -24,11 +24,8 @@ # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! - # include snippets/snakeoil.conf; # - # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_prefer_server_ciphers on; + # include snippets/snakeoil.conf; root /var/www/html; diff -Nru nginx-1.6.2/debian/copyright nginx-1.6.2/debian/copyright --- nginx-1.6.2/debian/copyright 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/copyright 2014-11-30 11:05:49.000000000 +0200 @@ -85,6 +85,10 @@ Copyright: Copyright (c) Adrian Perez <ape...@igalia.com> License: BSD-2-clause +Files: debian/modules/ngx_http_substitutions_filter_module/* +Copyright: Copyright (C) 2014 by Weibin Yao <yaowei...@gmail.com> +License: BSD-2-clause + Files: debian/* Copyright: 2007-2009, Fabio Tranchitella <kob...@debian.org> 2008, Jose Parrella <joseparre...@cantv.net> diff -Nru nginx-1.6.2/debian/nginx-common.NEWS nginx-1.6.2/debian/nginx-common.NEWS --- nginx-1.6.2/debian/nginx-common.NEWS 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/nginx-common.NEWS 2014-11-30 11:05:49.000000000 +0200 @@ -1,3 +1,10 @@ +nginx-common (1.6.2-5) unstable; urgency=medium + + We have disabled SSLv3 in nginx.conf for security reasons (ref: POODLE), + don't forget to re-enable it if your site depends on it. + + -- Christos Trochalakis <yati...@ideopolis.gr> Sun, 02 Nov 2014 09:10:09 +0200 + nginx-common (1.6.2-3) unstable; urgency=medium Starting with this release, we changed the default document root from diff -Nru nginx-1.6.2/debian/nginx-common.postinst nginx-1.6.2/debian/nginx-common.postinst --- nginx-1.6.2/debian/nginx-common.postinst 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/nginx-common.postinst 2014-11-30 11:05:49.000000000 +0200 
@@ -8,6 +8,8 @@ /etc/nginx/naxsi_core.rules 1.6.2-2~ -- "$@" dpkg-maintscript-helper rm_conffile \ /etc/nginx/naxsi-ui.conf.1.4.1 1.6.2-2~ -- "$@" +dpkg-maintscript-helper rm_conffile \ + /etc/nginx/naxsi-ui.conf 1.6.2-2~ -- "$@" case "$1" in configure) diff -Nru nginx-1.6.2/debian/nginx-common.postrm nginx-1.6.2/debian/nginx-common.postrm --- nginx-1.6.2/debian/nginx-common.postrm 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/nginx-common.postrm 2014-11-30 11:05:49.000000000 +0200 @@ -8,6 +8,8 @@ /etc/nginx/naxsi_core.rules 1.6.2-2~ -- "$@" dpkg-maintscript-helper rm_conffile \ /etc/nginx/naxsi-ui.conf.1.4.1 1.6.2-2~ -- "$@" +dpkg-maintscript-helper rm_conffile \ + /etc/nginx/naxsi-ui.conf 1.6.2-2~ -- "$@" case "$1" in purge) diff -Nru nginx-1.6.2/debian/nginx-common.preinst nginx-1.6.2/debian/nginx-common.preinst --- nginx-1.6.2/debian/nginx-common.preinst 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/nginx-common.preinst 2014-11-30 11:05:49.000000000 +0200 @@ -8,6 +8,8 @@ /etc/nginx/naxsi_core.rules 1.6.2-2~ -- "$@" dpkg-maintscript-helper rm_conffile \ /etc/nginx/naxsi-ui.conf.1.4.1 1.6.2-2~ -- "$@" +dpkg-maintscript-helper rm_conffile \ + /etc/nginx/naxsi-ui.conf 1.6.2-2~ -- "$@" case "$1" in install) diff -Nru nginx-1.6.2/debian/README.Debian nginx-1.6.2/debian/README.Debian --- nginx-1.6.2/debian/README.Debian 2014-10-19 08:24:13.000000000 +0300 +++ nginx-1.6.2/debian/README.Debian 2014-11-30 11:05:49.000000000 +0200 
@@ -1,9 +1,50 @@ README for Debian ----------------- - Files under /var/www/ are not supported as per Debian Policy. - Please see: http://lintian.debian.org/tags/dir-or-file-in-var-www.html and, - http://www.pathname.com/fhs/pub/fhs-2.3.html#THEVARHIERARCHY for more - details and explanations. - -- Kartik Mistry <kar...@debian.org> Fri, 05 Mar 2010 13:31:15 +0530 +Noteworthy Changes Wheezy => Jessie +=================================== + + +* Disabled sslv3 by default + + After POODLE we followed suit and disabled SSLv3 by default. + +* /var/log/nginx permissions + + /var/log/nginx/ is now not readable by default (www-data:adm 750), + If you depend on that you can add a manual override with dpkg-statoverride. + +* New upgrade & rotate initscript commands + + You can now upgrade the nginx binary on the fly with /etc/init.d/nginx upgrade + (Read more on http://nginx.org/en/docs/control.html#upgrade) + +* Synced configuration files are with upstream + + Unfortunately that might break existing configuration for some users, especially + fastcgi scripts. /usr/share/doc/nginx-common/NEWS.Debian.gz contains some + more information about the changes made. + +* Changed document root to /var/www/html + + The default document root has now changed to /var/www/html/. + +* Added a snippets directory + + A /etc/nginx/snippets has been added, it contains common configuration + stangas. For now we ship a snakeoil.conf (self-signed ssl) and a simple + fastcgi-php.conf. + +* Switched to graceful stop + + Both systemd and the initscript's stop function try to graceful stop + nginx (SIGQUIT) before stopping it fast (SIGTERM). That allows nginx to + serve connected clients before shutting down. + +* Dropped nginx-naxsi + + Packaging naxsi was not trivial and, unfortunately, none of the + maintainers uses it. That's the reason nginx-naxsi was not in a good + shape and we are not feeling comfortable to release and support it. +
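Review bot: the new `# SSL Settings` block in debian/conf/nginx.conf sets `ssl_protocols` and `ssl_prefer_server_ciphers on;` but no cipher list, and the only cipher guidance the package had, the commented `# ssl_ciphers HIGH:!aNULL:!MD5;` in sites-available/default, is removed by the next hunk. Consider carrying that line over as a comment beside `ssl_prefer_server_ciphers on;` (it is nginx's own built-in default, so nothing changes functionally) so that an admin reading nginx.conf sees the two directives together.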
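Review bot: the nginx-common.NEWS entry tells users "don't forget to re-enable it if your site depends on it" but not where; since the new default lives at http level in /etc/nginx/nginx.conf, say that an `ssl_protocols` line in the site's own server block overrides it, and that doing so re-exposes that site to POODLE. Two nits in the same hunk: the comma after "(ref: POODLE)" is a comma splice, and the stamp `Sun, 02 Nov 2014` is four weeks older than the changelog entry's `Sun, 30 Nov 2014`.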
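Review bot: the identical two-line `dpkg-maintscript-helper rm_conffile` addition for /etc/nginx/naxsi-ui.conf is repeated in nginx-common.postinst, postrm and preinst; a single `rm_conffile /etc/nginx/naxsi-ui.conf 1.6.2-2~` line in debian/nginx-common.maintscript would let dh_installdeb generate all three and keep the prior-version in sync. The `1.6.2-2~` prior-version matches the existing naxsi_core.rules and naxsi-ui.conf.1.4.1 entries, which is right only if 1.6.2-2 is the version that stopped shipping this conffile; the changelog hunk does not say, so worth a one-line confirmation.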
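Review bot: the README.Debian hunk has a few wording fixes worth making before it ships in jessie: "Disabled sslv3" should read "SSLv3" as in the rest of the file, "Synced configuration files are with upstream" should be "Synced configuration files with upstream", "try to graceful stop" should be "try to gracefully stop", "stangas" should be "stanzas", and the `/var/log/nginx` bullet has a comma where a full stop belongs. The SSLv3 bullet would also be more useful if it named the directive (`ssl_protocols` in /etc/nginx/nginx.conf) so README and NEWS agree on where the change lives. Finally, the hunk drops the existing note that files under /var/www/ are not supported per Debian Policy without replacing it; if that still holds with the new /var/www/html document root, keep it, and if not, say so under the document-root bullet.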