Red Hat Bugzilla – Bug 1302337
nginx: update for CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 [epel-6]
Last modified: 2016-09-06 17:18:32 EDT
Description of problem:
Current version of Nginx 1.6.3 in EPEL6 is outdated and contains vulnerabilities.
Solution: rebase to Nginx 1.8.1
Correction, I meant to say that the current version in EPEL6 is 1.0.15. I still think a rebase to 1.8 is useful to avoid the vulnerabilities.
This is a real problem that doesn't have a perfect solution. Unfortunately, packaging policy is rather strict for "stable" distributions like RHEL and Debian. Major version updates are strongly discouraged.
However, one might be justified in pushing a major version update if there are unfixed security issues that cannot be backported. Backporting the 6 commits that fix the 3 CVEs from yesterday is proving difficult due to the ancient version of Nginx, and may be beyond my expertise. I will give it another shot, but if I'm unable to backport then I may post to ML for discussion about a major version update.
I read up on the thread; are you still moving forward with the update-to-latest-release path? (Which I support.)
nginx-1.10.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
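A quick way to confirm that a host actually picked up the rebased build after updating from epel-testing or epel, as an added example that is not part of this bug report, of nginx, or of Fedora's Bodhi tooling. It compares the version printed by `nginx -v` against 1.10.1 with a numeric, component-wise comparison (a plain string comparison would rank 1.8.1 above 1.10.1). The check is meaningful only because EPEL 6 rebased to 1.10.1 rather than backporting; on builds that backport fixes without a version bump, the right check is `rpm -q --changelog nginx | grep CVE-2016-0742` instead. The two sample banners are constructed for the demonstration, and `FIXED_VERSION`, `version_ge`, `banner_version`, `nginx_fixed` and `check_installed_nginx` are names chosen here.

```shell
#!/bin/sh
# Added example for this bug report, not code from nginx, EPEL or Bodhi.
# Checks whether the nginx binary on a host is at or above the rebased
# version EPEL 6 shipped for these CVEs (nginx-1.10.1-1.el6).
#
# Assumption: the fix is identified purely by upstream version, which holds
# here because EPEL rebased instead of backporting. Where fixes are
# backported without a version bump, check the package changelog instead:
#   rpm -q --changelog nginx | grep CVE-2016-0742

FIXED_VERSION="1.10.1"

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Compares component by component as integers, so 1.10.1 > 1.8.1.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}        # leading component of each
        ax=${ax:-0};  bx=${bx:-0}       # a missing component counts as 0
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop leading component
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# banner_version "nginx version: nginx/1.0.15" -> 1.0.15
# Stops at the first character that cannot be part of a version, so
# suffixes such as " (Ubuntu)" are ignored. A banner without "nginx/"
# yields an empty string, which version_ge treats as 0 (i.e. not fixed).
banner_version() {
    v=${1##*nginx/}
    v=${v%%[!0-9.]*}
    printf '%s\n' "$v"
}

# nginx_fixed BANNER: exit 0 if the banner's version carries the fix.
nginx_fixed() {
    version_ge "$(banner_version "$1")" "$FIXED_VERSION"
}

# check_installed_nginx: run against the real binary on this host.
# nginx -v writes its banner to stderr, hence the 2>&1.
check_installed_nginx() {
    banner=$(nginx -v 2>&1) || { echo "nginx not found or failed to run"; return 2; }
    if nginx_fixed "$banner"; then
        echo "OK: $banner (>= $FIXED_VERSION)"
    else
        echo "VULNERABLE: $banner (< $FIXED_VERSION; update from epel-testing or epel)"
        return 1
    fi
}

# Constructed sample banners (not captured from real hosts): what EPEL 6
# shipped before this bug, and the rebased build that fixed it.
OLD_BANNER="nginx version: nginx/1.0.15"
NEW_BANNER="nginx version: nginx/1.10.1"

for banner in "$OLD_BANNER" "$NEW_BANNER"; do
    if nginx_fixed "$banner"; then
        echo "fixed:      $banner"
    else
        echo "vulnerable: $banner"
    fi
done

# Only touch the real binary when one is present, so the script also runs
# on a host without nginx.
if command -v nginx >/dev/null 2>&1; then
    check_installed_nginx
fi
```

On an EL6 host the usual sequence is `yum --enablerepo=epel-testing update nginx` (or plain `yum update nginx` once the build reached stable), then `sh` this script; a non-zero exit from `check_installed_nginx` means the running binary is still the old one, which also happens when the package was updated but the service was never restarted.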