- Bug
- Resolution: Done
- Normal
What were you trying to do that didn't work?
In CentOS Stream, a non-modular nginx-1.22.1-2.el9 was released and is available in the public repos. There is a separate module stream for nginx:1.22, so I would expect that the default non-modular package would stay on version 1.20.x. This koji build was built from a commit outside of the c9s branch, so it seems like a mistake for it to be built and released for c9s.
Please provide the package NVR for which bug is seen:
nginx-1.22.1-2.el9
How reproducible:
always
Steps to reproduce
- dnf install nginx
Expected results
installation of nginx 1.20
Actual results
installation of nginx 1.22
Additional info
I can see a newer non-modular nginx build for c9s of nginx-1.20.1-16.el9. This build includes a fix for CVE-2023-44487. It hasn't been released to the repos yet (which itself is disappointing since the CVE was fixed in RHEL a month and a half ago), but once it is, CentOS Stream 9 users with nginx-1.22.1-2.el9 installed won't see it as an update and will remain vulnerable to that CVE. Assuming the intent is to keep the default package on version 1.20.x, this will require an epoch bump in order to fix the upgrade path.
This is also causing upgrade issues for users with nginx-mod-modsecurity or nginx-mod-vts installed from EPEL 9, as those have a dependency on nginx(abi) = 1.20.1 and will need to be rebuilt against nginx 1.22 if it remains the default non-modular version.
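The upgrade-path problem described in the report comes down to how rpm orders epoch:version-release (EVR) strings. The script below is an added example, not code from the report or from the rpm/CentOS projects: it is a simplified re-implementation of rpm's rpmvercmp segment comparison (digit runs compared numerically, alpha runs lexically, `~` sorting before everything, `^` sorting after end-of-string) with an EVR comparator on top. The NVRs are the ones from the report; the epoch `1:` on the 1.20.1 build is a hypothetical value used only to show why the bump is needed, and the `nginx(abi)` check is a constructed illustration of the EPEL dependency mentioned above.

```python
import re
from typing import Tuple

# Segments rpm compares: digit runs, letter runs, and the '~' / '^' markers.
# Dots, dashes and other separators are skipped; they only matter if one
# string runs out of segments before the other.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp (simplified reimplementation)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # '~' (pre-release marker) sorts before everything, even end of string
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        # '^' (post-release marker) sorts after end of string, before anything else
        if x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i += 1
            continue
        # whichever string still has segments left wins
        if x is None:
            return -1
        if y is None:
            return 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1  # numeric segments beat alpha segments
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")  # compare as numbers, no int overflow
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    return 0


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' into its parts; a missing epoch is 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_upgrade(installed: str, candidate: str) -> bool:
    """True if dnf would offer `candidate` as an update over `installed`."""
    return evrcmp(candidate, installed) > 0


def abi_dep_satisfied(provided_abi: str, required_abi: str) -> bool:
    """Constructed check for an exact 'nginx(abi) = X' requirement."""
    return rpmvercmp(provided_abi, required_abi) == 0


if __name__ == "__main__":
    installed = "1.22.1-2.el9"          # the build the report says was released by mistake
    fixed = "1.20.1-16.el9"             # the build carrying the CVE-2023-44487 fix
    fixed_bumped = "1:" + fixed         # hypothetical epoch bump, as the report proposes
    print("1.20.1-16 seen as update over 1.22.1-2 :", is_upgrade(installed, fixed))
    print("1:1.20.1-16 seen as update over 1.22.1-2:", is_upgrade(installed, fixed_bumped))
    print("nginx(abi) = 1.20.1 satisfied by 1.22.1 :", abi_dep_satisfied("1.22.1", "1.20.1"))
```

Without the epoch, 1.22.1 wins on the version field and the CVE-fixed 1.20.1 build is invisible to dnf; with the epoch bumped, the epoch field is compared first and 1.20.1 wins regardless of version. The `nginx(abi)` line shows why the EPEL modules would also fail: an exact `=` requirement on 1.20.1 is not met by 1.22.1.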
- is blocked by: RHEL-32897 please confirm the latest c9s version of nginx released (Closed)
- relates to: RHEL-77990 Bump nginx epoch for 1.22 & 1.24 also to 2 in RHEL9.x (New)