Bug 1302337

Summary: nginx: update for CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 [epel-6]
Product: [Fedora] Fedora EPEL
Reporter: Pim Rupert <pim>
Component: nginx
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: el6
CC: affix, athmanem, bperkins, dac, jeremy, jkaluza, just4nick, pavel.lisy, redhat-bugzilla, wtogami
Keywords: Security, SecurityTracking
Hardware: Unspecified
OS: Unspecified
Whiteboard: fst_owner=dcafaro
Fixed In Version: nginx-1.10.1-1.el6
Doc Type: Release Note
Last Closed: 2016-09-06 21:17:48 UTC
Type: Bug
Bug Blocks: 1302587, 1302588, 1302589

Description Pim Rupert 2016-01-27 14:12:23 UTC
Description of problem:
The current version of Nginx in EPEL6 is outdated and contains vulnerabilities.

See: http://nginx.org/en/security_advisories.html

Solution: rebase to Nginx 1.8.1

Comment 1 Pim Rupert 2016-01-27 14:20:35 UTC
Correction, I meant to say that the current version in EPEL6 is 1.0.15. I still think a rebase to 1.8 is useful to avoid the vulnerabilities.

Comment 2 Jamie Nguyen 2016-01-27 14:40:52 UTC
This is a real problem that doesn't have a perfect solution. Unfortunately, packaging policy is rather strict for "stable" distributions like RHEL and Debian. Major version updates are strongly discouraged.

However, one might be justified in pushing a major version update if there are unfixed security issues that cannot be backported. Backporting the 6 commits that fix the 3 CVEs from yesterday is proving difficult due to the ancient version of Nginx, and may be beyond my expertise. I will give it another shot, but if I'm unable to backport then I may post to ML for discussion about a major version update.

Comment 4 David A. Cafaro 2016-03-16 13:21:18 UTC
I read up on the thread; are you still moving forward with the update-to-latest-release path? (Which I support.)

Comment 5 Fedora Update System 2016-07-02 20:07:22 UTC
nginx-1.10.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890

Comment 6 Fedora Update System 2016-07-03 11:18:39 UTC
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890

Comment 7 Fedora Update System 2016-09-06 21:17:35 UTC
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-09-06 21:18:32 UTC
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.