[Pkg-nginx-maintainers] Bug#991328: NGINX patch for CVE pending in Salsa

Thomas Ward teward at thomas-ward.net
Wed May 4 21:07:32 BST 2022


Control: tags -1 + pending

Looks like, at first glance, the patchset applies properly in 1.20.2 
(3-line offset but no fuzz) as is.  I've pushed this into Salsa so it's 
pending in UNRELEASED 1.20.2-2 at the moment.


Thomas


On 5/4/22 15:44, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> On Wed, May 04, 2022 at 07:22:22PM +0000, Thomas Ward wrote:
>> You are correct - bage@ saying this was fixed and should've been
>> included in changelogs in the RFS threw me off.  The fix requires
>> new commands and essentially 'functionality' added which is probably
>> why it wasn't added in upstream.  I could've sworn I included this
>> patch pre-upload but that might've been my fault that it didn't get
>> included, which is also my fault.
>>
>> I can either backport this, or we can wait for the next nginx stable
>> release 1.22 which should be coming "sometime soon" unless F5 has
>> changed the development/release schedule.  In which case unmarking
>> this as fixed and keeping it open is going to be necessary.  I
>> believe we only track nginx stable (the even number releases) not
>> mainline, which may have led to this.
>>
>> I'll prep a backported patch, if it imports cleanly.  If it doesn't,
>> we'll have to wait for 1.22 release of NGINX OSS.
> Many thanks for your quick confirmation! I do not think it's
> particularly pressing, if the fix does not apply or is not
> backportable to 1.20.x then when ready moving to 1.22 is fine. Ideally
> the fix is applied for bookworm.
>
> Thanks for working on those updates!
>
> Regards,
> Salvatore
>
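The distinction Thomas draws above, "3-line offset but no fuzz", is the one that matters when backporting a security fix: an offset means every context line of the hunk was found intact, just further down the file, whereas fuzz means GNU patch ignored some leading or trailing context lines to make the hunk fit, so the change may have landed next to similar-looking but wrong code. In practice this is checked with `patch --dry-run -F0 <file> <patch>` (GNU patch defaults to a fuzz factor of 2). The following is an added example, not code from this bug thread, from nginx or from Debian: a minimal unified-diff applier that reproduces that offset-versus-fuzz reporting on constructed inputs (`OLD`, `FIX_PATCH`, `SHIFTED`, `DRIFTED` and all function names are this example's own).

```python
"""Added example, not from the Debian bug thread or from nginx: a minimal
unified-diff applier that reports, like GNU patch, whether a hunk applied
with an *offset* (all context found intact elsewhere) or needed *fuzz*
(leading/trailing context lines ignored).  All inputs are constructed."""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def parse_hunks(patch_text):
    """Return [(old_start, [(kind, text), ...]), ...]; kind is ' ', '-' or '+'."""
    hunks, cur = [], None
    for raw in patch_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            cur = (int(m.group(1)), [])
            hunks.append(cur)
        elif cur is None:
            continue                      # ---/+++ file headers before the first hunk
        elif raw[:1] in (" ", "-", "+"):
            cur[1].append((raw[0], raw[1:]))
        elif raw == "":
            cur[1].append((" ", ""))      # blank context line, trailing space stripped
    return hunks


def _offsets(limit):
    """0, +1, -1, +2, -2, ...: search outward from the expected position."""
    yield 0
    for d in range(1, limit + 1):
        yield d
        yield -d


def apply_hunk(lines, old_start, hunk, max_fuzz):
    """Try fuzz levels 0..max_fuzz; return (new_lines, pos, offset, fuzz) or None."""
    lead = 0
    while lead < len(hunk) and hunk[lead][0] == " ":
        lead += 1
    trail = 0
    while trail < len(hunk) - lead and hunk[-1 - trail][0] == " ":
        trail += 1
    for fuzz in range(max_fuzz + 1):
        dl, dt = min(fuzz, lead), min(fuzz, trail)   # context lines ignored at this fuzz
        sub = hunk[dl:len(hunk) - dt]
        want = [t for k, t in sub if k != "+"]       # what must be present now
        repl = [t for k, t in sub if k != "-"]       # what replaces it
        expected = max(old_start - 1, 0) + dl        # 0-based position of `want`
        for off in _offsets(len(lines) + 1):
            pos = expected + off
            if pos < 0 or pos + len(want) > len(lines):
                continue
            if lines[pos:pos + len(want)] == want:
                return lines[:pos] + repl + lines[pos + len(want):], pos, off, fuzz
    return None


def apply_patch(text, patch_text, max_fuzz=0):
    """Apply every hunk; return (new_text, report).  Raise ValueError on a FAILED hunk."""
    lines = text.splitlines()
    shift, last_off, report = 0, 0, []   # net lines added so far; offset carried forward
    for n, (old_start, hunk) in enumerate(parse_hunks(patch_text), 1):
        res = apply_hunk(lines, old_start + shift + last_off, hunk, max_fuzz)
        if res is None:
            raise ValueError(f"Hunk #{n} FAILED at {old_start + shift}.")
        new_lines, pos, off, fuzz = res
        last_off += off
        shift += len(new_lines) - len(lines)
        lines = new_lines
        report.append({"hunk": n, "at": pos + 1, "offset": last_off, "fuzz": fuzz})
    return "\n".join(lines) + ("\n" if text.endswith("\n") else ""), report


def dry_run(text, patch_text, max_fuzz=2):
    """Messages in the style of `patch --dry-run -F<max_fuzz>`."""
    try:
        _, report = apply_patch(text, patch_text, max_fuzz)
    except ValueError as err:
        return [str(err)]
    msgs = []
    for r in report:
        notes = ([f"offset {r['offset']} lines"] if r["offset"] else []) + \
                ([f"fuzz {r['fuzz']}"] if r["fuzz"] else [])
        msgs.append(f"Hunk #{r['hunk']} succeeded at {r['at']}"
                    + (f" ({', '.join(notes)})." if notes else "."))
    return msgs


def backport_applies_cleanly(text, patch_text):
    """The check from the thread: an offset is fine, any fuzz is a failure (patch -F0)."""
    try:
        apply_patch(text, patch_text, max_fuzz=0)
        return True
    except ValueError:
        return False


# Constructed fixtures: the source the fix was written against, and the fix itself.
OLD = "a\nb\nc\nTARGET\nd\ne\n"
FIX_PATCH = """\
--- old.txt
+++ fixed.txt
@@ -1,6 +1,6 @@
 a
 b
 c
-TARGET
+FIXED
 d
 e
"""
SHIFTED = "h1\nh2\n" + OLD              # two lines added above: context intact, offset only
DRIFTED = "A\nb\nc\nTARGET\nd\ne\n"     # a context line changed: only fuzz rescues the hunk

if __name__ == "__main__":
    for name, src in (("shifted", SHIFTED), ("drifted", DRIFTED)):
        print(name, "-F0:", dry_run(src, FIX_PATCH, max_fuzz=0))
        print(name, "-F2:", dry_run(src, FIX_PATCH, max_fuzz=2))
        print(name, "clean backport:", backport_applies_cleanly(src, FIX_PATCH))
```

The `SHIFTED` input applies at fuzz 0 with a two-line offset, which is the situation reported above and is safe to carry into the package; the `DRIFTED` input fails at fuzz 0 and only applies at fuzz 1, which is the case where a maintainer should open the hunk and confirm by eye that it landed on the intended lines rather than trusting the apply.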


