After additional discussion with the server team and members of the
security team, we do not believe that this qualifies as an SRU. It does
not provide any significant benefit other than hardening, and does not
qualify for SRU.
As such, I am setting "Won't Fix" in Precise through Utopic, but leaving Vivid
alone for now. Here are some additional considerations for Vivid (and also
earlier stable releases), brought up during that discussion:
* Turning on PIE in stable releases will have a detrimental performance impact
on 32-bit platforms (and will likely annoy people who are using nginx on 32-bit
platforms for its performance).
* While "PIE isn't turned on though expected for security-sensitive packages"
would possibly be a valid reason to get a change into Vivid during the current
freeze, the performance impact on 32-bit platforms would make this a possible
blocking point.
It is possible/likely that Vivid+1 will have this fixed there, as Debian has
'committed' a fix that may likely be available by that time (and merged in at
some point in the Vivid+1 cycle).
** Changed in: nginx (Ubuntu Precise)
       Status: Triaged => Won't Fix

** Changed in: nginx (Ubuntu Trusty)
       Status: Triaged => Won't Fix

** Changed in: nginx (Ubuntu Utopic)
       Status: Triaged => Won't Fix
--
https://bugs.launchpad.net/bugs/1315426
Title:
nginx not built as position independent