Nginx Debian vulnerabilities
António P. P. Almeida
appa at perusio.net
Sat Aug 14 01:52:00 MSD 2010
On 13 Ago 2010 22h28 WEST, nunomagalhaes at eu.ipp.pt wrote:
> IIRC from asking once, they don't apply patches, they just bundle.
> However, even on Sid nginx is way behind, so I prefer to build from
> source, install with checkinstall (so I can purge if necessary and
> to keep things overall clean), and pin it.

Not quite. Here's how the current version on Sid/Squeeze, 0.7.67, is
structured when unpacking the src .deb pkg.

In the nginx-0.7.67/debian/patches directory:

-rwxr-xr-x 1 appa appa 921 Ago 9 10:24 dlopen.diff
-rw-r--r-- 1 appa appa 587 Ago 9 10:24 fix_reloading_ipv6.diff
-rw-r--r-- 1 appa appa 44205 Ago 9 10:24 nginx-upstream-fair.diff
-rw-r--r-- 1 appa appa 93 Ago 9 10:24 series

According to http://nginx.org/en/download.html, 0.7.67 is the *stable*
version. So yes, Debian is behind the *development* version but is
synched with the stable version.

checkinstall is just an incredibly brittle tool for packaging
software. Debian packaging is somewhat complex. There are reasons for
that. Maintaining system consistency being one of them.

You're better off just compiling the original source and installing it
under /usr/local/sbin. Be sure to have the proper PATH settings and
all should work. Use epkg (http://www.encap.org/epkg) to have the whole
thing fit in one central location with automagical symlinks to the
proper locations. You can even have both the Debian package and your
custom compiled from source version. Of the right way (tm) is to roll
your own .deb package with the proper policy.
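
An added example, not part of the original message or of the Debian package: a shell function that reads a debian/patches directory like the one listed above and reports which patches the series file applies and which files each one touches. The sample tree, its patch bodies, its series contents and the names removed-upstream.diff and local-test.diff are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list what a Debian source
# package's quilt patch stack changes, given its debian/patches directory.

# One line per entry in "series" (APPLIED or MISSING), then UNLISTED for any
# *.diff or *.patch present in the directory that "series" does not name.
audit_patches() {
    dir=$1
    [ -f "$dir/series" ] || { echo "no series file in $dir" >&2; return 1; }
    # series: one patch per line, optional options after the name, '#' comments
    listed=$(sed -e 's/#.*//' "$dir/series" | awk 'NF { print $1 }')
    for patch in $listed; do
        if [ ! -f "$dir/$patch" ]; then echo "MISSING $patch"; continue; fi
        # Touched files: '+++ ' header targets minus their first path component
        files=$(sed -n -e '/^+++ \/dev\/null/d' \
            -e 's|^+++ [^/[:space:]]*/\([^[:space:]]*\).*|\1|p' "$dir/$patch" |
            sort -u | tr '\n' ' ')
        echo "APPLIED $patch -> ${files% }"
    done
    for f in "$dir"/*.diff "$dir"/*.patch; do
        [ -f "$f" ] || continue
        printf '%s\n' "$listed" | grep -qxF "${f##*/}" || echo "UNLISTED ${f##*/}"
    done
}

# Constructed sample tree: dlopen.diff and fix_reloading_ipv6.diff are names
# from the post's listing; all file contents and the other names are made up.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed series file' 'dlopen.diff' \
        'fix_reloading_ipv6.diff' 'removed-upstream.diff' > "$d/series"
    printf '%s\n' '--- a/example/one.c' '+++ b/example/one.c' \
        '@@ -1 +1 @@' '-old' '+new' > "$d/dlopen.diff"
    printf '%s\n' '--- a/example/two.c' '+++ b/example/two.c' \
        '--- a/example/two.h' '+++ b/example/two.h' > "$d/fix_reloading_ipv6.diff"
    printf '%s\n' '--- a/x' '+++ b/x' > "$d/local-test.diff"
    echo "$d"
}

sample=$(make_sample)
audit_patches "$sample"
rm -rf "$sample"
```

On a real tree, point audit_patches at the debian/patches directory of the unpacked source package.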