EPEL7 currently includes nginx 1.16.1, which is vulnerable to multiple CVEs including CVE-2019-20372 and which will not be patched upstream due to being EOL. Version 1.18.0 is the available stable version that has the CVEs patched.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. yum install nginx
nginx is version 1.16.1
nginx should be version 1.18.0
Any updates on this?
FEDORA-EPEL-2020-0f3f88c479 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f3f88c479
I had in fact already prepared an update for EPEL7 which contains the patch for that CVE. I've pushed that update now.
As per EPEL Packaging Guidelines the major version upgrade is not necessary here as there are patches to fix the security issues.
The patch used in the upgrade is the same that Red Hat ships in their nginx SCL for EL 7. So if it's good enough for their customers, it should be good enough for EPEL users ;-)
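The practical consequence of a backported fix like the one above is that the package keeps its 1.16.1 upstream version, so anything that decides "vulnerable" from the version string alone (a scanner matching `nginx/1.16.1`, or `nginx -v`) will keep flagging a host that is actually fixed. The check that reflects what the maintainer shipped is the RPM changelog. The following is an added example, not code from this bug report, the EPEL package or Fedora infrastructure: a POSIX shell helper that looks for an exact CVE id in changelog text, with a wrapper around the real `rpm -q --changelog nginx`. The function names are mine, and the sample changelog entries are constructed for illustration rather than copied from the actual package.

```shell
#!/bin/sh
# Added example: confirm a backported CVE fix from the RPM changelog instead of
# the nginx version string. EPEL's nginx-1.16.1 can carry the fix for
# CVE-2019-20372 while still reporting version 1.16.1, so version-only checks
# produce false positives on patched hosts.

# changelog_has_cve CHANGELOG_TEXT CVE_ID
# Returns 0 if some changelog entry mentions exactly CVE_ID, 1 otherwise.
# The id must be delimited on both sides so that CVE-2019-20372 does not match
# a longer id such as CVE-2019-203720.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -qiE "(^|[^0-9A-Za-z-])$2([^0-9]|$)"
}

# installed_nginx_has_cve CVE_ID
# Queries the live RPM database; only meaningful on an RPM-based host.
# Returns 2 when rpm is not available at all.
installed_nginx_has_cve() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    changelog_has_cve "$(rpm -q --changelog nginx 2>/dev/null)" "$1"
}

# Constructed sample changelog (illustrative entries, not the real package's),
# so the check can be exercised on a host without rpm.
SAMPLE_CHANGELOG='* Mon Mar 23 2020 Example Maintainer <maint@example.org> - 1:1.16.1-2
- Backport upstream fix for CVE-2019-20372

* Tue Aug 13 2019 Example Maintainer <maint@example.org> - 1:1.16.1-1
- Update to 1.16.1'

if changelog_has_cve "$SAMPLE_CHANGELOG" CVE-2019-20372; then
    echo "sample changelog: CVE-2019-20372 fix present"
fi
# CVE-0000-0000 is a deliberate placeholder id, not a real CVE.
if ! changelog_has_cve "$SAMPLE_CHANGELOG" CVE-0000-0000; then
    echo "sample changelog: CVE-0000-0000 not mentioned"
fi

# On an EL7 host with the EPEL package, query the real database.
if command -v rpm >/dev/null 2>&1; then
    if installed_nginx_has_cve CVE-2019-20372; then
        echo "installed nginx: CVE-2019-20372 fix listed in rpm changelog"
    else
        echo "installed nginx: no CVE-2019-20372 entry (not installed, or fix missing)"
    fi
fi
```

The changelog entry is the maintainer's statement that the patch was applied, not proof of its correctness, but it is the signal that distinguishes a backported build from a plain 1.16.1, and it is what to feed a scanner exception or an audit note instead of the version number.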
Thank you so much, Felix.
I appreciate that. I'll be updating our servers on the next patching cycle to have that updated nginx. :)
Have a good rest of your day!
FEDORA-EPEL-2020-0f3f88c479 has been pushed to the Fedora EPEL 7 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f3f88c479
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2020-0f3f88c479 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.