On 29 January 2016 at 06:51, Jamie Nguyen <j...@jamielinux.com> wrote: > Hi, > > A few days ago, three CVEs for Nginx and were fixed in 1.8.1. Upstream > only maintain 1.8.x and above, so they didn't release any fixes for > older versions of Nginx. I was able to backport the relevant commits to > Nginx 1.6.x on EL7. > > Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot but > backporting the patches reliably without creating new CVEs is beyond my > expertise. Nginx 0.8.x on EL5 is prehistoric. > > This leaves the package in a bit of a pickle. Leaving things as they are > would leave web servers vulnerable. On the other hand, updating Nginx to > 1.8.x on EL5/6/7 will inevitably break something for someone (eg, via > yum-cron). I had a small discussion on fedora-devel ML about the > situation [0], and the consensus was to request for an exception. > > My plan: > 1. Update to 1.8.x on all branches (or to as recent a version as they > can go without FTBFS) > 2. Leave them in epel-testing for a prolonged period, probably until the > next point release of RHEL. > 3. Include some migration notes with the RPMs, and also post these notes > to epel-devel/epel-announce. > > Sound reasonable?
And it looks like I missed sending a final response on this. We talked about this at the EPEL Steering Committee meeting and approve of this plan. Please update to 1.8 (if you haven't already) and follow through. -- Stephen J Smoogen. _______________________________________________ epel-devel mailing list epel-devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/epel-devel@lists.fedoraproject.org
