Bug 1302337 - nginx: update for CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 [epel-6]
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: nginx
Version: el6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
Whiteboard: fst_owner=dcafaro
Keywords: Security, SecurityTracking
Blocks: CVE-2016-0742 CVE-2016-0746 CVE-2016-0747
Reported: 2016-01-27 09:12 EST by Pim Rupert
Modified: 2016-09-06 17:18 EDT

Fixed In Version: nginx-1.10.1-1.el6
Doc Type: Release Note
Last Closed: 2016-09-06 17:17:48 EDT
Type: Bug

Attachments: None

Description Pim Rupert 2016-01-27 09:12:23 EST
Description of problem:
Current version of Nginx 1.6.3 in EPEL6 is outdated and contains vulnerabilities.

See: http://nginx.org/en/security_advisories.html

Solution: rebase to Nginx 1.8.1
Comment 1 Pim Rupert 2016-01-27 09:20:35 EST
Correction, I meant to say that the current version in EPEL6 is 1.0.15. I still think a rebase to 1.8 is useful to avoid the vulnerabilities.
Comment 2 Jamie Nguyen 2016-01-27 09:40:52 EST
This is a real problem that doesn't have a perfect solution. Unfortunately, packaging policy is rather strict for "stable" distributions like RHEL and Debian. Major version updates are strongly discouraged.

However, one might be justified in pushing a major version update if there are unfixed security issues that cannot be backported. Backporting the 6 commits that fix the 3 CVEs from yesterday is proving difficult due to the ancient version of Nginx, and may be beyond my expertise. I will give it another shot, but if I'm unable to backport then I may post to ML for discussion about a major version update.
Comment 4 David A. Cafaro 2016-03-16 09:21:18 EDT
I read up on the thread. Are you still moving forward with the update to the latest release path? (Which I support)
Comment 5 Fedora Update System 2016-07-02 16:07:22 EDT
nginx-1.10.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890
Comment 6 Fedora Update System 2016-07-03 07:18:39 EDT
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890
Comment 7 Fedora Update System 2016-09-06 17:17:35 EDT
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-09-06 17:18:32 EDT
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.