Bug 1302337
| Summary: | nginx: update for CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 [epel-6] | | |
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Pim Rupert <pim> |
| Component: | nginx | Assignee: | Nobody's working on this, feel free to take it <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | el6 | CC: | affix, athmanem, bperkins, dac, jeremy, jkaluza, just4nick, pavel.lisy, redhat-bugzilla, wtogami |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | fst_owner=dcafaro | | |
| Fixed In Version: | nginx-1.10.1-1.el6 | Doc Type: | Release Note |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-06 21:17:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1302587, 1302588, 1302589 | | |

Description
Pim Rupert
2016-01-27 14:12:23 UTC
Correction, I meant to say that the current version in EPEL6 is 1.0.15. I still think a rebase to 1.8 is useful to avoid the vulnerabilities.

This is a real problem that doesn't have a perfect solution. Unfortunately, packaging policy is rather strict for "stable" distributions like RHEL and Debian. Major version updates are strongly discouraged. However, one might be justified in pushing a major version update if there are unfixed security issues that cannot be backported. Backporting the 6 commits that fix the 3 CVEs from yesterday is proving difficult due to the ancient version of Nginx, and may be beyond my expertise. I will give it another shot, but if I'm unable to backport then I may post to ML for discussion about a major version update.

I read up on the thread, are you still moving forward with the update to latest release path? (Which I support)

nginx-1.10.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890

nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890

nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.