Hi, A few days ago, three CVEs for Nginx and were fixed in 1.8.1. Upstream only maintain 1.8.x and above, so they didn't release any fixes for older versions of Nginx. I was able to backport the relevant commits to Nginx 1.6.x on EL7.
Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot but backporting the patches reliably without creating new CVEs is beyond my expertise. Nginx 0.8.x on EL5 is prehistoric. This leaves the package in a bit of a pickle. Leaving things as they are would leave web servers vulnerable. On the other hand, updating Nginx to 1.8.x on EL5/6/7 will inevitably break something for someone (eg, via yum-cron). I had a small discussion on fedora-devel ML about the situation [0], and the consensus was to request for an exception. My plan: 1. Update to 1.8.x on all branches (or to as recent a version as they can go without FTBFS) 2. Leave them in epel-testing for a prolonged period, probably until the next point release of RHEL. 3. Include some migration notes with the RPMs, and also post these notes to epel-devel/epel-announce. Sound reasonable? [0]: https://lists.fedoraproject.org/archives/list/[email protected]/thread/VFCIBCTGIYMVJCCUE3ZQVAARVHUF3YPP/ Kind regards, Jamie _______________________________________________ epel-devel mailing list [email protected] http://lists.fedoraproject.org/admin/lists/[email protected]
