Nginx Debian vulnerabilities

António P. P. Almeida appa at
Sat Aug 14 01:52:00 MSD 2010

On 13 Ago 2010 22h28 WEST, nunomagalhaes at wrote:

> Hi,
> IIRC from asking once, they don't apply patches, they just bundle.
> However, even on Sid nginx is way behind, so i prefer to build from
> source, install with checkinstall (so i can purge if necessary and
> to keep things overall clean), and pin it.

Not quite. Here's how the current version on Sid/Squeeze, 0.7.67 is
structured when unpacking the src .deb pkg.

in the nginx-0.7.67/debian/patches directory:

-rwxr-xr-x 1 appa appa   921 Ago  9 10:24 dlopen.diff
-rw-r--r-- 1 appa appa   587 Ago  9 10:24 fix_reloading_ipv6.diff
-rw-r--r-- 1 appa appa 44205 Ago  9 10:24 nginx-upstream-fair.diff
-rw-r--r-- 1 appa appa    93 Ago  9 10:24 series

According to, 0.7.67 is the *stable*
version. So yes debian is behind the *development* version but is
synched with the stable version.

checkinstall is just an incredible brittle tool for packaging
software. Debian packaging is somewhat complex. There are reasons for
that. Maintaining system consistency being one of them.

You're better off just compiling the original source and installing it
under /usr/local/sbin. Be sure to have the proper PATH settings and
all should work. Use epkg ( to have the all
thing fit in one central location with automagical symlinks to the
proper locations. You can even have both the Debian package and your
custom compiled from source version. Of the right way (tm) is to roll
your own .deb package with the proper policy.

--- appa

More information about the nginx mailing list