package nginx 1.27 has wrong version

[tgreat72]

Describe the bug

Hi, as the nginx 1.26 has several vulnerabilities I tried upgrade it to 1.27 as it is written in https://github.com/vmware/photon/wiki/Security-Update-5.0-307 . The package itseld is in the base repo but it is not installable because the OS states the the upgrade would really be a downgrade.

I think the difference (the missing 1: in the version) between the old package (1:1.26.0) and the new one (1.27.0) causes that the tdnf thinks it is a downgrade.

Reproduction steps

$ tdnf update

$tdnf info nginx
Name          : nginx
Arch          : x86_64
Epoch         : 1
Version       : 1.26.2
Release       : 4.ph5
Install Size  :   1.08M (1130889)
Repo          : @System

...

Name          : nginx
Arch          : x86_64
Epoch         : 0
Version       : 1.27.0
Release       : 1.ph5
Install Size  :   2.18M (2290145)
Download Size  : 812.95k (832464)
Repo          : photon

$ tdnf upgrade nginx
Nothing to do.
$ tdnf install nginx
Package nginx is already installed.

$ wget https://packages.vmware.com/photon/5.0/photon_5.0_x86_64/x86_64/nginx-1.27.0-1.ph5.x86_64.rpm

$ tdnf install nginx-1.27.0-1.ph5.x86_64.rpm 

Downgrading:
nginx                                      x86_64                          1.27.0-1.ph5                               @cmdline                          2.18M                             812.95k

Total installed size:   2.18M
Total download size: 812.95k
Is this ok [y/N]: y
Testing transaction
Running transaction
Installing/Updating: nginx-1.27.0-1.ph5.x86_64
Removing: nginx-1:1.26.2-4.ph5.x86_64

Expected behavior

The tdnf should update the package normally.

Additional context

No response

[dcasota]

Hi,

Could you give a step-by-step description? I'm asking because the update scenario isn't clear.

On master branch, the latest package is 1.27.1-3 .
On Ph5 branch, the latest package is 1.26.2-4 but with epoch 1.

On a fresh build and deployed photon-5.0-21b41f540.x86_64 vm, tdnf install nginx installs 1:1.26.2-4.ph5. A manual upgrade to 1.27.0-1 works and, as expected, tdnf update afterwards downgrades to 1:1.26.2-4.

On Ph5, the latest nginx security update https://github.com/vmware/photon/wiki/Security-Update-5.0-350 is for 1.26.2.
The patch for CVE-2025-23419 hasn't been implemented yet. This is included in 1.26.3.
Latest 1.27.4 includes a patch for CVE-2025-23419 as well.
Btw. a function which publishes successfully tested, newly generated and epoch-aware Ph[x] rpm packages from monitored patches and version updates of source packages is missing yet.

Afaik there is no "persistent update" as long as Ph5.0 is on 1.26.

[tgreat72]

I did the same steps like you and I see I coped wrong SU URL. :(

So I refer to https://github.com/vmware/photon/wiki/Security-Update-5.0-302.

Our security scanner claimed about 4 CVE's:
CVE-2024-31079
CVE-2024-32760
CVE-2024-34161
CVE-2024-35200

The SU page https://github.com/vmware/photon/wiki/Security-Update-5.0-302 suggests to update the nginx package to

nginx-1.27.0-1.ph5.x86_64.rpm | size : 816K , sha256 : a327df4b206f028262fa2afb7c67c3d474f05a04329bbb2a184c5276382c2c04 , build time : Mon, 24 Jun 2024 07:38:19 UTC

This is why I started to find this fixed version and found it in the ph5 base repo. Since I installed the package manually the scanner doesn't show the vulns anymore.

I thought the versioning causes the issue, but now I am fine with this workaround except I had to add the package name to /etc/tdnf/locks.d/pkgname.conf to exclude from updating and it might give operating issues later.

[oliverkurth]

We added the epoch 1 to prevent an update to 1.27, which was created in error.

* Tue Aug 13 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 1.26.2-1
- Downgrade version to v1.26.2
- Adding Epoch to consider v1.26.2 latest instead of v1.27.0
- nginx don't maintain stable branch for odd releases
- Fix CVE-2024-7347

So the fact that you were not able to upgrade to 1.27 was in fact intended.

[dcasota]

Hi @oliverkurth,

The question remains, how often do users like @tgreat72 need to use the fixed version, here nginx 1.27?
cve scanners sometimes have issues detecting if a patch has been applied.

Is the following distinction correct? I've assembled a few aspects to clarify why nginx 1.27 is in branch master, but actually not the very latest greatest version 1.27.4, and not in branch 5.0, and actually why 1.26.3 and/or cve patch CVE-2025-23419 hasn't been integrated.

Please, correct, and, thank you *****

• For Photon OS open-source, no available nightly builds of each uefi flavor per cpu architecture and destination
  (VVF/VCF incl. workstation/fusion, ami, azure, gce)
  Hence, there is no must to apply the technique of epochs on all PhotonOS'ified open-source pkgs.
  Hence, no offline bundles, but you can create and maintain your own offline repository infrastructure.
  No paid support, best effort.
  No AI bots for issue tracking/defecting, and no AI agents e.g. with interoperability to
  - Free Interactive Exploration: github.dev (GitHub’s in-browser editor)
  - Curated Overview: vmware.github.io/photon (GitHub Pages)
  - Raw Data: api.github.com/repos/vmware/photon (GitHub API)
  - Questionable status: uithub.com/vmware/photon
  - Not working yet: LLM-Friendly Text: gitingest.com/vmware/photon (third-party, reliable)
  - Enhancement idea, reasoning of detected patches from cve scanner scans.
• There is a core set of packages (~130 of ~1000 packages) which are crucial for the Photon OS platform and updated most regularly.
• Free security advisories, usually focus on cve severity >6.9.
• Free source provenance management
• branch master: biggest common factor per successfully tested Ph pkg from the latest greatest version
• branch common: biggest common factor per successfully tested Ph pkg from the latest stable version
• branch dev: successfully built latest stable / latest greatest pkgs, shareable for all sorts of testing
• branch 6.0: Buildable image using Linux kernel 6.6 LTS, branch sync with 5.0
• branch 5.0: Buildable image using Linux kernel 6.1 LTS, pkg management (pkg/release update/downgrade), stable version of pkgs
• branch 4.0: Buildable image using Linux kernel 5.10 LTS, pkg management (pkg/release update/downgrade), stable version of pkgs
• branch 3.0: Buildable image using Linux kernel 4.19 LTS (EOL), pkg management (pkg/release update/downgrade), stable version of pkgs

[tgreat72]

We added the epoch 1 to prevent an update to 1.27, which was created in error.

* Tue Aug 13 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 1.26.2-1
- Downgrade version to v1.26.2
- Adding Epoch to consider v1.26.2 latest instead of v1.27.0
- nginx don't maintain stable branch for odd releases
- Fix CVE-2024-7347

So the fact that you were not able to upgrade to 1.27 was in fact intended.

Ok, I understand this, but in this case you should remove this advise from the "Security Update 5.0 302" wiki page:

Solution

Update the affected packages (tdnf update package)

Updated Packages Information
nginx-1.27.0-1.ph5.x86_64.rpm | size : 816K , sha256 : a327df4b206f028262fa2afb7c67c3d474f05a04329bbb2a184c5276382c2c04 , >build time : Mon, 24 Jun 2024 07:38:19 UTC

@dcasota thank you for your understanding!