Bug 1302337 - nginx: update for CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 [epel-6]
Summary: nginx: update for CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 [epel-6]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nginx
Version: el6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: fst_owner=dcafaro
Depends On:
Blocks: CVE-2016-0742 CVE-2016-0746 CVE-2016-0747
Reported: 2016-01-27 14:12 UTC by Pim Rupert
Modified: 2016-09-06 21:18 UTC (History)
CC: 11 users

Fixed In Version: nginx-1.10.1-1.el6
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-06 21:17:48 UTC


Links:
- Red Hat Bugzilla 1302334 (priority: None; status: None; summary: None; last updated: Never)

Internal Links: 1302334

Description Pim Rupert 2016-01-27 14:12:23 UTC
Description of problem:
Current version of Nginx 1.6.3 in EPEL6 is outdated and contains vulnerabilities.

See: http://nginx.org/en/security_advisories.html

Solution: rebase to Nginx 1.8.1

Comment 1 Pim Rupert 2016-01-27 14:20:35 UTC
Correction, I meant to say that the current version in EPEL6 is 1.0.15. I still think a rebase to 1.8 is useful to avoid the vulnerabilities.

Comment 2 Jamie Nguyen 2016-01-27 14:40:52 UTC
This is a real problem that doesn't have a perfect solution. Unfortunately, packaging policy is rather strict for "stable" distributions like RHEL and Debian. Major version updates are strongly discouraged.

However, one might be justified in pushing a major version update if there are unfixed security issues that cannot be backported. Backporting the 6 commits that fix the 3 CVEs from yesterday is proving difficult due to the ancient version of Nginx, and may be beyond my expertise. I will give it another shot, but if I'm unable to backport then I may post to ML for discussion about a major version update.

Comment 4 David A. Cafaro 2016-03-16 13:21:18 UTC
I read up on the thread; are you still moving forward with the update-to-latest-release path? (Which I support.)

Comment 5 Fedora Update System 2016-07-02 20:07:22 UTC
nginx-1.10.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890

Comment 6 Fedora Update System 2016-07-03 11:18:39 UTC
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7a25f65890

Comment 7 Fedora Update System 2016-09-06 21:17:35 UTC
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-09-06 21:18:32 UTC
nginx-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
