Bug 1867261 - EPEL7 nginx package contains CVEs and it's two major versions behind.
Summary: EPEL7 nginx package contains CVEs and it's two major versions behind.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nginx
Version: epel7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Felix Kaechele
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-08-07 22:28 UTC by Dave
Modified: 2020-10-01 00:31 UTC (History)

Fixed In Version: nginx-1.16.1-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-01 00:31:06 UTC
Type: Bug



Description Dave 2020-08-07 22:28:07 UTC
EPEL7 currently includes nginx 1.16.1, which is vulnerable to multiple CVEs, including CVE-2019-20372, and which will not be patched upstream due to being EOL. Version 1.18.0 is the stable version available that has CVEs patched.

Version-Release number of selected component (if applicable):

nginx.x86_64 1:1.16.1-1.el7

How reproducible:

Always

Steps to Reproduce:

1. yum install nginx

Actual results:

nginx is version 1.16.1

Expected results:

nginx should be version 1.18.0

Comment 1 Dave 2020-09-15 19:09:47 UTC
Any updates on this?

Comment 2 Fedora Update System 2020-09-16 00:53:17 UTC
FEDORA-EPEL-2020-0f3f88c479 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f3f88c479

Comment 3 Felix Kaechele 2020-09-16 00:59:17 UTC
I had in fact already prepared an update for EPEL7 which contains the patch for that CVE. I've pushed that update now.

As per EPEL Packaging Guidelines the major version upgrade is not necessary here as there are patches to fix the security issues.

The patch used in the upgrade is the same that Red Hat ships in their nginx SCL for EL 7. So if it's good enough for their customers it should be good enough for EPEL users ;-)

Comment 4 Dave 2020-09-16 01:07:58 UTC
Thank you so much, Felix.
I appreciate that. I'll be updating our servers on the next patching cycle to have that updated nginx. :)

Have a good rest of your day!
- Dave

Comment 5 Fedora Update System 2020-09-16 14:40:09 UTC
FEDORA-EPEL-2020-0f3f88c479 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f3f88c479

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-10-01 00:31:06 UTC
FEDORA-EPEL-2020-0f3f88c479 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.
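The fix shipped here is a release bump (1.16.1-1.el7 to 1.16.1-2.el7), not a version bump, so a check that compares only the upstream version string will report a patched host as still vulnerable, and the "Fixed In Version" field omits the epoch that the installed package carries. The following is an added example, not code from this bug or from the EPEL package: a pure-Python reimplementation of rpm's label comparison that checks an installed EVR against the fixed-in EVR. It assumes the fixed-in value carries the same epoch 1 as the installed package.

```python
import re

# Constructed inputs taken from this report: the installed EVR from the
# "Version-Release number" field and the "Fixed In Version" field, with the
# epoch 1 added (the Bugzilla field drops it; the installed string shows it).
INSTALLED = "1:1.16.1-1.el7"
FIXED = "1:1.16.1-2.el7"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings like librpm's rpmvercmp().
    Returns -1, 0 or 1: separators are ignored, numeric segments beat
    alphabetic ones, '~' sorts before everything, '^' just after the base."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else ""
        y = sb.pop(0) if sb else ""
        if x == "~" or y == "~":                 # the tilde side is older
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x == "^" or y == "^":                 # caret is newer than a bare base
            if x == y:
                continue
            if x == "" or y == "":
                return -1 if x == "" else 1
            return -1 if x == "^" else 1         # but older than any real segment
        if x == "" or y == "":                   # the longer string is newer
            return -1 if x == "" else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str) -> tuple:
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, sep, release = rest.rpartition("-")
    return (epoch, version, release) if sep else (epoch, rest, "")


def evr_compare(a: str, b: str) -> int:
    """rpm's labelCompare: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def has_fix(installed: str, fixed: str = FIXED) -> bool:
    """True when the installed EVR is at or above the fixed-in EVR.
    Obtain the installed value with, e.g.,
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' nginx ('(none)' means 0)."""
    return evr_compare(installed, fixed) >= 0
```

Note that `evr_compare(INSTALLED, "1.16.1-2.el7")` returns 1, i.e. the unpatched package looks newer than the fix once the epoch is dropped, which is why the epoch must be restored before comparing.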

