
package nginx 1.27 has wrong version

Open tgreat72 opened this issue 9 months ago • 5 comments

Describe the bug

Hi, as the nginx 1.26 has several vulnerabilities I tried to upgrade it to 1.27 as it is written in https://github.com/vmware/photon/wiki/Security-Update-5.0-307 . The package itself is in the base repo but it is not installable because the OS states that the upgrade would really be a downgrade.

I think the difference (the missing 1: in the version) between the old package (1:1.26.0) and the new one (1.27.0) causes tdnf to think it is a downgrade.

Reproduction steps

$ tdnf update

$tdnf info nginx
Name          : nginx
Arch          : x86_64
Epoch         : 1
Version       : 1.26.2
Release       : 4.ph5
Install Size  :   1.08M (1130889)
Repo          : @System

...

Name          : nginx
Arch          : x86_64
Epoch         : 0
Version       : 1.27.0
Release       : 1.ph5
Install Size  :   2.18M (2290145)
Download Size  : 812.95k (832464)
Repo          : photon

$ tdnf upgrade nginx
Nothing to do.
$ tdnf install nginx
Package nginx is already installed.

$ wget https://packages.vmware.com/photon/5.0/photon_5.0_x86_64/x86_64/nginx-1.27.0-1.ph5.x86_64.rpm

$ tdnf install nginx-1.27.0-1.ph5.x86_64.rpm 

Downgrading:
nginx                                      x86_64                          1.27.0-1.ph5                               @cmdline                          2.18M                             812.95k

Total installed size:   2.18M
Total download size: 812.95k
Is this ok [y/N]: y
Testing transaction
Running transaction
Installing/Updating: nginx-1.27.0-1.ph5.x86_64
Removing: nginx-1:1.26.2-4.ph5.x86_64

Expected behavior

tdnf should update the package normally.

Additional context

No response

tgreat72 avatar Mar 13 '25 11:03 tgreat72

Hi,

Could you give a step-by-step description? I'm asking because the update scenario isn't clear.

On master branch, the latest package is 1.27.1-3 . On Ph5 branch, the latest package is 1.26.2-4 but with epoch 1.

On a fresh build and deployed photon-5.0-21b41f540.x86_64 vm, tdnf install nginx installs 1:1.26.2-4.ph5. A manual upgrade to 1.27.0-1 works and, as expected, tdnf update afterwards downgrades to 1:1.26.2-4.

On Ph5, the latest nginx security update https://github.com/vmware/photon/wiki/Security-Update-5.0-350 is for 1.26.2. The patch for CVE-2025-23419 hasn't been implemented yet. This is included in 1.26.3. Latest 1.27.4 includes a patch for CVE-2025-23419 as well. Btw, a function which publishes successfully tested, newly generated and epoch-aware Ph[x] rpm packages from monitored patches and version updates of source packages is still missing.

Afaik there is no "persistent update" as long as Ph5.0 is on 1.26.

dcasota avatar Mar 13 '25 13:03 dcasota

I did the same steps as you and I see I copied the wrong SU URL. :(

So I refer to https://github.com/vmware/photon/wiki/Security-Update-5.0-302.

Our security scanner complained about 4 CVEs: CVE-2024-31079 CVE-2024-32760 CVE-2024-34161 CVE-2024-35200

The SU page https://github.com/vmware/photon/wiki/Security-Update-5.0-302 suggests to update the nginx package to

nginx-1.27.0-1.ph5.x86_64.rpm | size : 816K , sha256 : a327df4b206f028262fa2afb7c67c3d474f05a04329bbb2a184c5276382c2c04 , build time : Mon, 24 Jun 2024 07:38:19 UTC

This is why I started to find this fixed version and found it in the ph5 base repo. Since I installed the package manually the scanner doesn't show the vulns anymore.

I thought the versioning caused the issue, but now I am fine with this workaround except that I had to add the package name to /etc/tdnf/locks.d/pkgname.conf to exclude it from updating, and it might give operating issues later.

tgreat72 avatar Mar 13 '25 14:03 tgreat72

We added the epoch 1 to prevent an update to 1.27, which was created in error.

* Tue Aug 13 2024 Nitesh Kumar <[email protected]> 1.26.2-1
- Downgrade version to v1.26.2
- Adding Epoch to consider v1.26.2 latest instead of v1.27.0
- nginx don't maintain stable branch for odd releases
- Fix CVE-2024-7347

So the fact that you were not able to upgrade to 1.27 was in fact intended.

oliverkurth avatar Mar 14 '25 00:03 oliverkurth
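The epoch oliverkurth mentions is why tdnf reports 1.27.0 as a downgrade: rpm compares epoch first, then version, then release, so 1:1.26.2 beats 0:1.27.0 regardless of the version digits. The following is an added example, not code from the Photon project or tdnf, that reimplements rpm's comparison (tilde and caret handling omitted) and checks the two nginx versions from this issue.

```python
import re

_SEP = re.compile(r"^[^A-Za-z0-9]+")  # rpm skips anything that is not alphanumeric


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm's rpmvercmp():
    returns -1 if a < b, 0 if equal, 1 if a > b. Tilde/caret omitted."""
    if a == b:
        return 0
    while True:
        a, b = _SEP.sub("", a), _SEP.sub("", b)
        if not a or not b:
            break
        # each segment is a run of digits or a run of letters, chosen by a's first char
        numeric = a[0].isdigit()
        pat = r"^\d+" if numeric else r"^[A-Za-z]+"
        ma, mb = re.match(pat, a), re.match(pat, b)
        if mb is None:
            return 1 if numeric else -1  # mixed types: the numeric segment is newer
        sa, sb = ma.group(), mb.group()
        a, b = a[len(sa):], b[len(sb):]
        if numeric:
            sa, sb = sa.lstrip("0") or "0", sb.lstrip("0") or "0"
            if len(sa) != len(sb):  # longer digit string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not a and not b:
        return 0
    return -1 if not a else 1  # whichever side has segments left wins


def parse_evr(evr: str):
    """Split 'E:V-R' into (epoch, version, release); a missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Full package comparison: epoch decides first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


if __name__ == "__main__":
    installed, candidate = "1:1.26.2-4.ph5", "1.27.0-1.ph5"  # EVRs from the tdnf info output above
    print(evr_cmp(installed, candidate))       # 1: installed wins, so 1.27.0 is a downgrade
    print(rpmvercmp("1.26.2", "1.27.0"))       # -1: without the epoch, 1.27.0 would win
```
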

Hi @oliverkurth,

The question remains, how often do users like @tgreat72 need to use the fixed version, here nginx 1.27? CVE scanners sometimes have issues detecting if a patch has been applied.

Is the following distinction correct? I've assembled a few aspects to clarify why nginx 1.27 is in branch master, but actually not the very latest greatest version 1.27.4, and not in branch 5.0, and actually why 1.26.3 and/or the CVE patch for CVE-2025-23419 hasn't been integrated.

Please correct, and thank you.

  • For Photon OS open-source, no available nightly builds of each uefi flavor per cpu architecture and destination (VVF/VCF incl. workstation/fusion, ami, azure, gce). Hence, there is no must to apply the technique of epochs on all PhotonOS'ified open-source pkgs. Hence, no offline bundles, but you can create and maintain your own offline repository infrastructure. No paid support, best effort. No AI bots for issue tracking/defecting, and no AI agents e.g. with interoperability to
    - Free Interactive Exploration: github.dev (GitHub's in-browser editor)
    - Curated Overview: vmware.github.io/photon (GitHub Pages)
    - Raw Data: api.github.com/repos/vmware/photon (GitHub API)
    - Questionable status: uithub.com/vmware/photon
    - Not working yet: LLM-Friendly Text: gitingest.com/vmware/photon (third-party, reliable)
    - Enhancement idea: reasoning of detected patches from cve scanner scans.
  • There is a core set of packages (~130 of ~1000 packages) which are crucial for the Photon OS platform and updated most regularly.
  • Free security advisories, usually focus on cve severity >6.9.
  • Free source provenance management
  • branch master: biggest common factor per successfully tested Ph pkg from the latest greatest version
  • branch common: biggest common factor per successfully tested Ph pkg from the latest stable version
  • branch dev: successfully built latest stable / latest greatest pkgs, shareable for all sorts of testing
  • branch 6.0: Buildable image using Linux kernel 6.6 LTS, branch sync with 5.0
  • branch 5.0: Buildable image using Linux kernel 6.1 LTS, pkg management (pkg/release update/downgrade), stable version of pkgs
  • branch 4.0: Buildable image using Linux kernel 5.10 LTS, pkg management (pkg/release update/downgrade), stable version of pkgs
  • branch 3.0: Buildable image using Linux kernel 4.19 LTS (EOL), pkg management (pkg/release update/downgrade), stable version of pkgs

dcasota avatar Mar 14 '25 08:03 dcasota

We added the epoch 1 to prevent an update to 1.27, which was created in error.

* Tue Aug 13 2024 Nitesh Kumar <[email protected]> 1.26.2-1
- Downgrade version to v1.26.2
- Adding Epoch to consider v1.26.2 latest instead of v1.27.0
- nginx don't maintain stable branch for odd releases
- Fix CVE-2024-7347

So the fact that you were not able to upgrade to 1.27 was in fact intended.

Ok, I understand this, but in this case you should remove this advice from the "Security Update 5.0 302" wiki page:

Solution

Update the affected packages (tdnf update package)

Updated Packages Information nginx-1.27.0-1.ph5.x86_64.rpm | size : 816K , sha256 : a327df4b206f028262fa2afb7c67c3d474f05a04329bbb2a184c5276382c2c04 , build time : Mon, 24 Jun 2024 07:38:19 UTC

@dcasota thank you for your understanding!

tgreat72 avatar Mar 14 '25 10:03 tgreat72