Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Hello,
I have prepared an upload for nginx that I'd like to upload to sid and
get an exception for jessie.
1.6.2-5 (not yet uploaded) includes an important bug fix (disable SSLv3
by default) that is somewhat important to be included in jessie, since
all other (web) servers have already disabled SSLv3.
Apart from that, I have included some minor packaging and documentation
fixes that are nice-to-have. I believe that they are safe enough to be
included if that's ok with the release team.
The relevant changelog entries:
  * debian/conf/nginx.conf:
    + Drop SSLv3 protocol (POODLE), and prefer server ciphers
      by default. (Closes: #767456)
  * debian/copyright:
    + Add copyright for ngx_http_substitutions_filter_module.
  * debian/nginx-common.{preinst,postinst,postrm}:
    + Remove /etc/nginx/naxsi-ui.conf conffile. (Closes: #768233)
  * debian/README.Debian:
    + Add a list of important changes since wheezy.
I am also attaching a debdiff from testing. The changes are also pushed to
the for_jessie branch in our collab-maint repo:
http://anonscm.debian.org/cgit/collab-maint/nginx.git/log/?h=for_jessie
Please inform me if those changes are approved by the release team or if I
have to drop some of the fixes.
Thanks in advance,
chris
diff -Nru nginx-1.6.2/debian/changelog nginx-1.6.2/debian/changelog
--- nginx-1.6.2/debian/changelog2014-10-19 08:24:13.0 +0300
+++ nginx-1.6.2/debian/changelog2014-11-30 11:05:49.0 +0200
@@ -1,3 +1,18 @@
+nginx (1.6.2-5) unstable; urgency=medium
+
+ [ Christos Trochalakis ]
+ * debian/conf/nginx.conf:
++ Drop SSLv3 protocol (POODLE), and prefer server ciphers
+ by default. (Closes: #767456)
+ * debian/copyright:
++ Add copyright for ngx_http_substitutions_filter_module.
+ * debian/nginx-common.{preinst,postinst,postrm}:
++ Remove /etc/nginx/naxsi-ui.conf conffile. (Closes: #768233)
+ * debian/README.Debian:
++ Add a list of important changes since wheezy.
+
+ -- Christos Trochalakis yati...@ideopolis.gr Sun, 30 Nov 2014 10:39:55
+0200
+
nginx (1.6.2-4) unstable; urgency=medium
[ Christos Trochalakis ]
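Review bot: The 1.6.2-5 entry leaves out two files that this debdiff also changes: debian/conf/sites-available/default (the commented ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers lines are removed) and debian/nginx-common.NEWS (a new entry is added). Since an unblock is judged against the changelog, list both, for example a debian/conf/sites-available/default item saying the commented SSL settings were dropped because they now live in nginx.conf, and a debian/nginx-common.NEWS item for the SSLv3 notice.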
diff -Nru nginx-1.6.2/debian/conf/nginx.conf nginx-1.6.2/debian/conf/nginx.conf
--- nginx-1.6.2/debian/conf/nginx.conf 2014-10-19 08:24:13.0 +0300
+++ nginx-1.6.2/debian/conf/nginx.conf 2014-11-30 11:05:49.0 +0200
@@ -27,6 +27,13 @@
default_type application/octet-stream;
##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
# Logging Settings
##
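Review bot: "ssl_prefer_server_ciphers on;" is added without an ssl_ciphers line, so the server-side ordering it enforces is that of whatever cipher list is otherwise in effect, and the only cipher example in the package ("# ssl_ciphers HIGH:!aNULL:!MD5;") is removed from sites-available/default in this same debdiff. Either set ssl_ciphers here as well or extend the comment to say the cipher list is deliberately left at the nginx default. The comment on the ssl_protocols line could also state that these are http-level defaults: a server block that sets its own ssl_protocols does not inherit this line, so existing site configs that still list SSLv3 are not changed by this upload.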
diff -Nru nginx-1.6.2/debian/conf/sites-available/default
nginx-1.6.2/debian/conf/sites-available/default
--- nginx-1.6.2/debian/conf/sites-available/default 2014-10-19
08:24:13.0 +0300
+++ nginx-1.6.2/debian/conf/sites-available/default 2014-11-30
11:05:49.0 +0200
@@ -24,11 +24,8 @@
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
- # include snippets/snakeoil.conf;
#
- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
- # ssl_ciphers HIGH:!aNULL:!MD5;
- # ssl_prefer_server_ciphers on;
+ # include snippets/snakeoil.conf;
root /var/www/html;
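Review bot: With the three commented ssl_* lines removed, the default site no longer shows where protocol and cipher policy is set. Add a one-line comment next to "# include snippets/snakeoil.conf;" pointing at the SSL Settings section of nginx.conf, so that someone enabling SSL in this server block knows the defaults come from there and can be overridden per server.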
diff -Nru nginx-1.6.2/debian/copyright nginx-1.6.2/debian/copyright
--- nginx-1.6.2/debian/copyright2014-10-19 08:24:13.0 +0300
+++ nginx-1.6.2/debian/copyright2014-11-30 11:05:49.0 +0200
@@ -85,6 +85,10 @@
Copyright: Copyright (c) Adrian Perez ape...@igalia.com
License: BSD-2-clause
+Files: debian/modules/ngx_http_substitutions_filter_module/*
+Copyright: Copyright (C) 2014 by Weibin Yao yaowei...@gmail.com
+License: BSD-2-clause
+
Files: debian/*
Copyright: 2007-2009, Fabio Tranchitella kob...@debian.org
2008, Jose Parrella joseparre...@cantv.net
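Review bot: Style point on the new stanza's Copyright line: the value repeats the field name and adds "by" ("Copyright: Copyright (C) 2014 by Weibin Yao ..."), while the debian/* stanza right below uses the plain "years, name" form. Consider writing it as "Copyright: 2014, Weibin Yao" followed by the address for consistency, and check the year against the module's own license header.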
diff -Nru nginx-1.6.2/debian/nginx-common.NEWS
nginx-1.6.2/debian/nginx-common.NEWS
--- nginx-1.6.2/debian/nginx-common.NEWS2014-10-19 08:24:13.0
+0300
+++ nginx-1.6.2/debian/nginx-common.NEWS2014-11-30 11:05:49.0
+0200
@@ -1,3 +1,10 @@
+nginx-common (1.6.2-5) unstable; urgency=medium
+
+ We have disabled SSLv3 in nginx.conf for security reasons (ref: POODLE),
+ don't forget to re-enable it if your site depends on it.
+
+ -- Christos Trochalakis yati...@ideopolis.gr Sun, 02 Nov 2014 09:10:09
+0200
+
nginx-common (1.6.2-3) unstable; urgency=medium
Starting with this release, we changed the default document root from
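Review bot: The NEWS text tells admins to re-enable SSLv3 if their site depends on it but does not name the directive or file to edit, and it does not mention that ssl_prefer_server_ciphers is now on by default, which is also a behaviour change for existing sites. Suggest naming ssl_protocols in /etc/nginx/nginx.conf and adding a sentence on the cipher preference. The entry is also dated 02 Nov 2014 while the matching debian/changelog entry is dated 30 Nov 2014; align the two if the NEWS date is meant to track the upload.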
diff -Nru nginx-1.6.2/debian/nginx-common.postinst
nginx-1.6.2/debian/nginx-common.postinst
--- nginx-1.6.2/debian/nginx-common.postinst2014-10-19 08:24:13.0
+0300
+++ nginx-1.6.2/debian/nginx-common.postinst2014-11-30 11:05:49.0
+0200