
Bug#771511: marked as done (pre-approve: nginx/1.6.2-5)



Your message dated Mon, 01 Dec 2014 13:27:51 +0000
with message-id <9d5e3a972caca552be6abfd74c8e4fff@mail.adsl.funky-badger.org>
and subject line Re: Bug#771511: pre-approve: nginx/1.6.2-5
has caused the Debian Bug report #771511,
regarding pre-approve: nginx/1.6.2-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771511: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771511
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org

Hello,

I have prepared an upload for nginx that I'd like to upload to sid and
get an exception for jessie.

1.6.2-5 (not yet uploaded) includes an important bug fix (disable sslv3
by default) that is somewhat important to be included in jessie, since
all other (web) servers have already disabled SSLv3.

Apart from that, I have included some minor packaging and documentation
fixes that are nice-to-have. I believe that they are safe enough to be
included if that's ok with the release team.

The relevant changelog entries:

 * debian/conf/nginx.conf:
   + Drop SSLv3 protocol (POODLE), and prefer server ciphers
     by default. (Closes: #767456)
 * debian/copyright:
   + Add copyright for ngx_http_substitutions_filter_module.
 * debian/nginx-common.{preinst,postinst,postrm}:
   + Remove /etc/nginx/naxsi-ui.conf conffile. (Closes: #768233)
 * debian/README.Debian:
   + Add a list of important changes since wheezy.

I am also attaching a debdiff from testing. The changes are also pushed to
the for_jessie branch in our collab-maint repo:

http://anonscm.debian.org/cgit/collab-maint/nginx.git/log/?h=for_jessie

Please inform me if those changes are approved by the release team or if I
have to drop some of the fixes.

Thanks in advance,
chris

diff -Nru nginx-1.6.2/debian/changelog nginx-1.6.2/debian/changelog
--- nginx-1.6.2/debian/changelog	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/changelog	2014-11-30 11:05:49.000000000 +0200
@@ -1,3 +1,18 @@
+nginx (1.6.2-5) unstable; urgency=medium
+
+  [ Christos Trochalakis ]
+  * debian/conf/nginx.conf:
+    + Drop SSLv3 protocol (POODLE), and prefer server ciphers
+      by default. (Closes: #767456)
+  * debian/copyright:
+    + Add copyright for ngx_http_substitutions_filter_module.
+  * debian/nginx-common.{preinst,postinst,postrm}:
+    + Remove /etc/nginx/naxsi-ui.conf conffile. (Closes: #768233)
+  * debian/README.Debian:
+    + Add a list of important changes since wheezy.
+
+ -- Christos Trochalakis <yatiohi@ideopolis.gr>  Sun, 30 Nov 2014 10:39:55 +0200
+
 nginx (1.6.2-4) unstable; urgency=medium
 
   [ Christos Trochalakis ]
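
Review bot: the 1.6.2-5 entry names only debian/conf/nginx.conf for the SSLv3 change, but the same debdiff also edits debian/conf/sites-available/default (the commented ssl_* example is removed) and adds a debian/nginx-common.NEWS entry, and neither file is listed. Suggest adding both to the entry so the changelog matches what the release team is asked to approve.
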
diff -Nru nginx-1.6.2/debian/conf/nginx.conf nginx-1.6.2/debian/conf/nginx.conf
--- nginx-1.6.2/debian/conf/nginx.conf	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/conf/nginx.conf	2014-11-30 11:05:49.000000000 +0200
@@ -27,6 +27,13 @@
 	default_type application/octet-stream;
 
 	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
 	# Logging Settings
 	##
 
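
Review bot: ssl_prefer_server_ciphers on is added without any ssl_ciphers line, so the server-side preference applies to nginx's built-in default cipher list, and the sites-available/default change in this same debdiff drops the only commented ssl_ciphers example. Suggest either an explicit ssl_ciphers line next to ssl_protocols or a comment stating that the built-in list is intended. The inline comment could also mention that an ssl_protocols line inside a server block overrides this http-level default.
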
diff -Nru nginx-1.6.2/debian/conf/sites-available/default nginx-1.6.2/debian/conf/sites-available/default
--- nginx-1.6.2/debian/conf/sites-available/default	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/conf/sites-available/default	2014-11-30 11:05:49.000000000 +0200
@@ -24,11 +24,8 @@
 	#
 	# Self signed certs generated by the ssl-cert package
 	# Don't use them in a production server!
-	# include snippets/snakeoil.conf;
 	#
-	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
-	# ssl_ciphers HIGH:!aNULL:!MD5;
-	# ssl_prefer_server_ciphers on;
+	# include snippets/snakeoil.conf;
 
 	root /var/www/html;
 
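
Review bot: with the three commented ssl_* lines removed, the SSL part of the default site no longer hints at where protocol and cipher settings live. Suggest a one-line comment after the snakeoil include pointing to the "SSL Settings" block in /etc/nginx/nginx.conf, so an admin looking for a per-site override knows what is being inherited.
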
diff -Nru nginx-1.6.2/debian/copyright nginx-1.6.2/debian/copyright
--- nginx-1.6.2/debian/copyright	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/copyright	2014-11-30 11:05:49.000000000 +0200
@@ -85,6 +85,10 @@
 Copyright: Copyright (c) Adrian Perez <aperez@igalia.com>
 License: BSD-2-clause
 
+Files: debian/modules/ngx_http_substitutions_filter_module/*
+Copyright: Copyright (C) 2014 by Weibin Yao <yaoweibin@gmail.com>
+License: BSD-2-clause
+
 Files: debian/*
 Copyright: 2007-2009, Fabio Tranchitella <kobold@debian.org>
            2008,      Jose Parrella <joseparrella@cantv.net>
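
Review bot: the new stanza repeats the field name in its value ("Copyright: Copyright (C) 2014 by Weibin Yao"), while the debian/* stanza right below uses the plain "years, name <email>" form. Suggest "Copyright: 2014, Weibin Yao <yaoweibin@gmail.com>" for consistency; the Adrian Perez context line above has the same duplication and could be cleaned up in the same pass.
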
diff -Nru nginx-1.6.2/debian/nginx-common.NEWS nginx-1.6.2/debian/nginx-common.NEWS
--- nginx-1.6.2/debian/nginx-common.NEWS	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/nginx-common.NEWS	2014-11-30 11:05:49.000000000 +0200
@@ -1,3 +1,10 @@
+nginx-common (1.6.2-5) unstable; urgency=medium
+
+  We have disabled SSLv3 in nginx.conf for security reasons (ref: POODLE),
+  don't forget to re-enable it if your site depends on it.
+
+ -- Christos Trochalakis <yatiohi@ideopolis.gr>  Sun, 02 Nov 2014 09:10:09 +0200
+
 nginx-common (1.6.2-3) unstable; urgency=medium
 
   Starting with this release, we changed the default document root from
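
Review bot: the entry tells admins to re-enable SSLv3 if the site depends on it, but does not name the directive or say how existing site configs interact with the new default. Suggest naming ssl_protocols in /etc/nginx/nginx.conf and noting that a server block which sets its own ssl_protocols overrides this default, so sites that already list SSLv3 there keep offering it until edited. The trailer date (Sun, 02 Nov 2014) also differs from the 1.6.2-5 changelog trailer (Sun, 30 Nov 2014).
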
diff -Nru nginx-1.6.2/debian/nginx-common.postinst nginx-1.6.2/debian/nginx-common.postinst
--- nginx-1.6.2/debian/nginx-common.postinst	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/nginx-common.postinst	2014-11-30 11:05:49.000000000 +0200
@@ -8,6 +8,8 @@
 	          /etc/nginx/naxsi_core.rules    1.6.2-2~ -- "$@"
 dpkg-maintscript-helper rm_conffile \
 	          /etc/nginx/naxsi-ui.conf.1.4.1 1.6.2-2~ -- "$@"
+dpkg-maintscript-helper rm_conffile \
+	          /etc/nginx/naxsi-ui.conf       1.6.2-2~ -- "$@"
 
 case "$1" in
   configure)
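
Review bot: the added rm_conffile call for /etc/nginx/naxsi-ui.conf reuses prior-version 1.6.2-2~, although this line first ships in 1.6.2-5. dpkg-maintscript-helper acts only when the version being upgraded from is not newer than prior-version, so systems already on 1.6.2-2 through 1.6.2-4 would skip the removal and keep the obsolete conffile. Suggest 1.6.2-5~ for this line.
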
diff -Nru nginx-1.6.2/debian/nginx-common.postrm nginx-1.6.2/debian/nginx-common.postrm
--- nginx-1.6.2/debian/nginx-common.postrm	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/nginx-common.postrm	2014-11-30 11:05:49.000000000 +0200
@@ -8,6 +8,8 @@
 	          /etc/nginx/naxsi_core.rules    1.6.2-2~ -- "$@"
 dpkg-maintscript-helper rm_conffile \
 	          /etc/nginx/naxsi-ui.conf.1.4.1 1.6.2-2~ -- "$@"
+dpkg-maintscript-helper rm_conffile \
+	          /etc/nginx/naxsi-ui.conf       1.6.2-2~ -- "$@"
 
 case "$1" in
   purge)
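
Review bot: the prior-version on the added naxsi-ui.conf line has to be identical in preinst, postinst and postrm. If 1.6.2-2~ is raised to the version that first ships this removal, change it here as well, otherwise the postrm cleanup applies to a different set of upgrades than the preinst and postinst steps.
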
diff -Nru nginx-1.6.2/debian/nginx-common.preinst nginx-1.6.2/debian/nginx-common.preinst
--- nginx-1.6.2/debian/nginx-common.preinst	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/nginx-common.preinst	2014-11-30 11:05:49.000000000 +0200
@@ -8,6 +8,8 @@
 	  /etc/nginx/naxsi_core.rules    1.6.2-2~ -- "$@"
 dpkg-maintscript-helper rm_conffile \
 	  /etc/nginx/naxsi-ui.conf.1.4.1 1.6.2-2~ -- "$@"
+dpkg-maintscript-helper rm_conffile \
+	  /etc/nginx/naxsi-ui.conf       1.6.2-2~ -- "$@"
 
 case "$1" in
   install)
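
Review bot: preinst is where rm_conffile first sets the conffile aside, and with prior-version 1.6.2-2~ on the added line that step is skipped for any upgrade from 1.6.2-2 or later, which is where a leftover /etc/nginx/naxsi-ui.conf could still be present. Worth checking the version against the upload that introduces this line (1.6.2-5).
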
diff -Nru nginx-1.6.2/debian/README.Debian nginx-1.6.2/debian/README.Debian
--- nginx-1.6.2/debian/README.Debian	2014-10-19 08:24:13.000000000 +0300
+++ nginx-1.6.2/debian/README.Debian	2014-11-30 11:05:49.000000000 +0200
@@ -1,9 +1,50 @@
 README for Debian
 -----------------
 
-  Files under /var/www/ are not supported as per Debian Policy.
-  Please see: http://lintian.debian.org/tags/dir-or-file-in-var-www.html and,
-  http://www.pathname.com/fhs/pub/fhs-2.3.html#THEVARHIERARCHY for more
-  details and explanations.
 
- -- Kartik Mistry <kartik@debian.org>  Fri, 05 Mar 2010 13:31:15 +0530
+Noteworthy Changes Wheezy => Jessie
+===================================
+
+
+* Disabled sslv3 by default
+
+  After POODLE we followed suit and disabled SSLv3 by default.
+
+* /var/log/nginx permissions
+
+  /var/log/nginx/ is now not readable by default (www-data:adm 750),
+  If you depend on that you can add a manual override with dpkg-statoverride.
+
+* New upgrade & rotate initscript commands
+
+  You can now upgrade the nginx binary on the fly with /etc/init.d/nginx upgrade
+  (Read more on http://nginx.org/en/docs/control.html#upgrade)
+
+* Synced configuration files are with upstream
+
+  Unfortunately that might break existing configuration for some users, especially
+  fastcgi scripts. /usr/share/doc/nginx-common/NEWS.Debian.gz contains some
+  more information about the changes made.
+
+* Changed document root to /var/www/html
+
+  The default document root has now changed to /var/www/html/.
+
+* Added a snippets directory
+
+  A /etc/nginx/snippets has been added, it contains common configuration
+  stangas. For now we ship a snakeoil.conf (self-signed ssl) and a simple
+  fastcgi-php.conf.
+
+* Switched to graceful stop
+
+  Both systemd and the initscript's stop function try to graceful stop
+  nginx (SIGQUIT) before stopping it fast (SIGTERM). That allows nginx to
+  serve connected clients before shutting down.
+
+* Dropped nginx-naxsi
+
+  Packaging naxsi was not trivial and, unfortunately, none of the
+  maintainers uses it. That's the reason nginx-naxsi was not in a good
+  shape and we are not feeling comfortable to release and support it.
+
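
Review bot: the "Disabled sslv3 by default" item does not say which directive or file carries the change; naming ssl_protocols in /etc/nginx/nginx.conf would let admins find and audit the setting. Typos in the added text: "stangas" should be "stanzas" in the snippets item, the heading "Synced configuration files are with upstream" has a stray "are", and "try to graceful stop" should read "try to gracefully stop".
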

--- End Message ---
--- Begin Message ---
On 2014-12-01 12:35, Christos Trochalakis wrote:
> Control: tags -1 - moreinfo
>
> On Sun, Nov 30, 2014 at 12:38:05PM +0100, Ivo De Decker wrote:
>> Please go ahead and remove the moreinfo tag from this bug once the upload to
>> unstable is done.
>
> Removing moreinfo tag as requested.

Unblocked.

Regards,

Adam

--- End Message ---
