Hi,

I am proxy maintaining the nginx package on Gentoo.

Regarding the recent "httpoxy" problem (you already published a blog posting [1] with instructions on how to mitigate the problem), we are unsure if we should update our package to ship your mitigation by default, i.e. altering your "fastcgi_param" file and adding

> fastcgi_param HTTP_PROXY "";

This would protect default configurations. However, some setups might require a proxy, which could break when the fastcgi_param file is sourced after the user's configuration.

From my point of view this is a user education problem: If they know what they are doing they won't have to do anything: They should be fine already or at least will set their required values *after* sourcing the default fastcgi_param file.

For Gentoo we would use our elog and/or news system to tell the user about the changes.

However, we want to know if you, upstream, are going to change the default shipped fastcgi_param file (don't forget the .conf file) with the next upcoming release to include a "safer" default configuration as well, or if there are reasons not to ship such a default and maybe you recommend us also to do nothing.

Thanks.

[1] https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

--
Regards,
Thomas

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel