On Jan 29, 2016 14:52, "Jamie Nguyen" <[email protected]> wrote: > > Hi, > > A few days ago, three CVEs for Nginx and were fixed in 1.8.1. Upstream > only maintain 1.8.x and above, so they didn't release any fixes for > older versions of Nginx. I was able to backport the relevant commits to > Nginx 1.6.x on EL7. >
Thank-you for your request. I think that this is a good candidate for a break in all three channels. I will try to get enough EPSco people to look at this and give feedback while we are at FOSDEM. Hope to have a +1 for you soon > Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot but > backporting the patches reliably without creating new CVEs is beyond my > expertise. Nginx 0.8.x on EL5 is prehistoric. > > This leaves the package in a bit of a pickle. Leaving things as they are > would leave web servers vulnerable. On the other hand, updating Nginx to > 1.8.x on EL5/6/7 will inevitably break something for someone (eg, via > yum-cron). I had a small discussion on fedora-devel ML about the > situation [0], and the consensus was to request for an exception. > > My plan: > 1. Update to 1.8.x on all branches (or to as recent a version as they > can go without FTBFS) > 2. Leave them in epel-testing for a prolonged period, probably until the > next point release of RHEL. > 3. Include some migration notes with the RPMs, and also post these notes > to epel-devel/epel-announce. > > Sound reasonable? > > [0]: > https://lists.fedoraproject.org/archives/list/[email protected]/thread/VFCIBCTGIYMVJCCUE3ZQVAARVHUF3YPP/ > > Kind regards, > Jamie > _______________________________________________ > epel-devel mailing list > [email protected] > http://lists.fedoraproject.org/admin/lists/[email protected]
_______________________________________________ epel-devel mailing list [email protected] http://lists.fedoraproject.org/admin/lists/[email protected]
