Nginx 1.16 from the EPEL repo - Qualys Vulnerability scan reporting as EOL

Hello

We have installed on a few of our RHEL7 servers nginx 1.16 from the EPEL repo .

Qualys security scans are flagging this version as End of Life.

I know this version is still being backported with security updates.

Is there any documentation that states Fedora is still supporting the 1.16 version of nginx or what their intentions are for the timeframe of support for 1.16?

Any help is appreciated.

Thank you

2 Likes

Hi @aod79: welcome to the forum, please take a look at the posts in the #start-here category if you’ve not had a chance yet.

Can you please clarify what OS you are using? If it’s RHEL, I’m afraid you’ll have to use different channels to ask the EPEL package maintainers. Packages in Fedora and RHEL do not necessarily have the same versions or life cycles----Fedora moves much quicker generally. They may not even share the same maintainers.

As you can see here, none of the current Fedora releases support 1.16—they’re all on 1.18:

Overview - rpms/nginx - src.fedoraproject.org

You can communicate with the EPEL SIG here:

@FranciscoD Thank you.

We are using RHEL 7.9 and the packages come from the Fedora EPEL 7 repo where nginx-1.16.1-2.el7 is the latest version.

OK, that makes sense. It’s best to contact the EPEL SIG on their own channels as listed in the wiki link above.

There currently is an update of nginx-1.16.1-3.el7 in the testing repository (rebuild of 1.16 against openssl 1.1 to support TLSv1.3), so for now at least, 1.16 support is alive and well in EPEL7.

Best way to get in touch with the EPEL people is usually on IRC at epel.

1 Like