Bug 1867261

Summary: EPEL7 nginx package contains CVEs and it's two major versions behind.
Product: [Fedora] Fedora EPEL
Reporter: Dave <daveoz>
Component: nginx
Assignee: Felix Kaechele <felix>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: epel7
CC: affix, athmanem, daveoz, jeremy, jkaluza, jorton, luhliari, pavel.lisy, peter.borsa, wtogami
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: nginx-1.16.1-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-01 00:31:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dave 2020-08-07 22:28:07 UTC
EPEL7 currently includes nginx 1.16.1, which is vulnerable to multiple CVEs including CVE-2019-20372 and which will not be patched upstream due to being EOL. Version 1.18.0 is the stable version available that has CVEs patched.

Version-Release number of selected component (if applicable):

nginx.x86_64 1:1.16.1-1.el7

How reproducible:

Always

Steps to Reproduce:

1. yum install nginx

Actual results:

nginx is version 1.16.1

Expected results:

nginx should be version 1.18.0

Comment 1 Dave 2020-09-15 19:09:47 UTC
Any updates on this?

Comment 2 Fedora Update System 2020-09-16 00:53:17 UTC
FEDORA-EPEL-2020-0f3f88c479 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f3f88c479

Comment 3 Felix Kaechele 2020-09-16 00:59:17 UTC
I had in fact already prepared an update for EPEL7 which contains the patch for that CVE. I've pushed that update now.

As per EPEL Packaging Guidelines the major version upgrade is not necessary here as there are patches to fix the security issues.

The patch used in the upgrade is the same that Red Hat ships in their nginx SCL for EL 7. So if it's good enough for their customers it should be good enough for EPEL users ;-)
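
As an added example, not part of this bug report or of the EPEL nginx package, here is a shell check that follows the point made above: whether an EL7 host is fixed for CVE-2019-20372 is decided by the package EVR (fixed in 1:1.16.1-2.el7) and the rpm changelog, not by the upstream version number. It assumes GNU sort -V is available; every piece of rpm output it uses is a constructed stand-in.

```shell
# Added check (not from the bug report or the EPEL package): decide whether the
# installed EPEL7 nginx carries the backported fix for CVE-2019-20372 by its
# package EVR (fixed in 1:1.16.1-2.el7) and rpm changelog, not by upstream version.
# Assumes GNU sort -V. All sample rpm output below is constructed.

FIXED_EVR="1:1.16.1-2.el7"
CVE="CVE-2019-20372"

# Constructed stand-ins for: rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' nginx
UNPATCHED_EVR="1:1.16.1-1.el7"
PATCHED_EVR="1:1.16.1-2.el7"
REBUILT_EVR="1:1.16.1-1.el7.local"   # hypothetical local rebuild with its own release tag

# Constructed stand-in for a changelog entry from: rpm -q --changelog nginx
PATCHED_CHANGELOG="* Tue Sep 15 2020 Example Maintainer <maint@example.org> - 1:1.16.1-2
- Backport upstream fix for CVE-2019-20372 (constructed sample entry)"

# evr_ge A B: succeed when EVR A is at or above EVR B. GNU sort -V orders
# epoch:version-release strings component-wise, which matches rpm for the
# purely numeric components used here.
evr_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$2" ]
}

# changelog_mentions CHANGELOG CVE: succeed when the changelog text names the CVE.
changelog_mentions() {
  printf '%s\n' "$1" | grep -q -- "$2"
}

# nginx_fix_status EVR CHANGELOG: print "patched" when the package is at or after
# the fixed EVR, or when its changelog records the CVE (covers rebuilds whose
# release tag does not sort above the fix); otherwise print "vulnerable".
# Comparing only upstream versions (1.16.1 < 1.18.0) would misjudge the patched build.
nginx_fix_status() {
  if evr_ge "$1" "$FIXED_EVR" || changelog_mentions "$2" "$CVE"; then
    echo patched
  else
    echo vulnerable
  fi
}

# Walk through the constructed hosts; on a real EL7 host, fill the variables
# from the two rpm commands named above instead.
echo "unpatched build, no changelog hit: $(nginx_fix_status "$UNPATCHED_EVR" "")"
echo "fixed build, decided by EVR:       $(nginx_fix_status "$PATCHED_EVR" "")"
echo "rebuild, decided by changelog:     $(nginx_fix_status "$REBUILT_EVR" "$PATCHED_CHANGELOG")"
echo "rebuild without changelog entry:   $(nginx_fix_status "$REBUILT_EVR" "")"
```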

Comment 4 Dave 2020-09-16 01:07:58 UTC
Thank you so much, Felix.
I appreciate that. I'll be updating our servers on the next patching cycle to have that updated nginx. :)

Have a good rest of your day!
- Dave

Comment 5 Fedora Update System 2020-09-16 14:40:09 UTC
FEDORA-EPEL-2020-0f3f88c479 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f3f88c479

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-10-01 00:31:06 UTC
FEDORA-EPEL-2020-0f3f88c479 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.