From mdounin at mdounin.ru Thu Jan 10 13:37:12 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 10 Jan 2013 17:37:12 +0400 Subject: [nginx-announce] nginx-1.3.11 Message-ID: <20130110133712.GK80623@mdounin.ru> Changes with nginx 1.3.11 10 Jan 2013 *) Bugfix: a segmentation fault might occur if logging was used; the bug had appeared in 1.3.10. *) Bugfix: the "proxy_pass" directive did not work with IP addresses without port specified; the bug had appeared in 1.3.10. *) Bugfix: a segmentation fault occurred on start or during reconfiguration if the "keepalive" directive was specified more than once in a single upstream block. *) Bugfix: parameter "default" of the "geo" directive did not set default value for IPv6 addresses. -- Maxim Dounin http://nginx.com/support.html From mdounin at mdounin.ru Tue Feb 5 14:22:36 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 5 Feb 2013 18:22:36 +0400 Subject: [nginx-announce] nginx-1.3.12 Message-ID: <20130205142236.GZ40753@mdounin.ru> Changes with nginx 1.3.12 05 Feb 2013 *) Feature: variables support in the "proxy_bind", "fastcgi_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives. *) Feature: the $pipe, $request_length, $time_iso8601, and $time_local variables can now be used not only in the "log_format" directive. Thanks to Kiril Kalchev. *) Feature: IPv6 support in the ngx_http_geoip_module. Thanks to Gregor Kali?nik. *) Bugfix: in the "proxy_method" directive. *) Bugfix: a segmentation fault might occur in a worker process if resolver was used with the poll method. *) Bugfix: nginx might hog CPU during SSL handshake with a backend if the select, poll, or /dev/poll methods were used. *) Bugfix: the "[crit] SSL_write() failed (SSL:)" error. *) Bugfix: in the "client_body_in_file_only" directive; the bug had appeared in 1.3.9. *) Bugfix: in the "fastcgi_keep_conn" directive. -- Maxim Dounin http://nginx.com/support.html From mdounin at mdounin.ru Tue Feb 12 13:57:34 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 12 Feb 2013 17:57:34 +0400 Subject: [nginx-announce] nginx-1.2.7 Message-ID: <20130212135734.GH20890@mdounin.ru> Changes with nginx 1.2.7 12 Feb 2013 *) Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order. *) Change: the "add_header" directive adds headers to 201 responses. *) Feature: the "geo" directive now supports IPv6 addresses in CIDR notation. *) Feature: the "flush" and "gzip" parameters of the "access_log" directive. *) Feature: variables support in the "auth_basic" directive. *) Feature: the $pipe, $request_length, $time_iso8601, and $time_local variables can now be used not only in the "log_format" directive. Thanks to Kiril Kalchev. *) Feature: IPv6 support in the ngx_http_geoip_module. Thanks to Gregor Kali?nik. *) Bugfix: nginx could not be built with the ngx_http_perl_module in some cases. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_xslt_module was used. *) Bugfix: nginx could not be built on MacOSX in some cases. Thanks to Piotr Sikora. *) Bugfix: the "limit_rate" directive with high rates might result in truncated responses on 32-bit platforms. Thanks to Alexey Antropov. *) Bugfix: a segmentation fault might occur in a worker process if the "if" directive was used. Thanks to Piotr Sikora. *) Bugfix: a "100 Continue" response was issued with "413 Request Entity Too Large" responses. *) Bugfix: the "image_filter", "image_filter_jpeg_quality" and "image_filter_sharpen" directives might be inherited incorrectly. Thanks to Ian Babrou. *) Bugfix: "crypt_r() failed" errors might appear if the "auth_basic" directive was used on Linux. *) Bugfix: in backup servers handling. Thanks to Thomas Chen. *) Bugfix: proxied HEAD requests might return incorrect response if the "gzip" directive was used. *) Bugfix: a segmentation fault occurred on start or during reconfiguration if the "keepalive" directive was specified more than once in a single upstream block. *) Bugfix: in the "proxy_method" directive. *) Bugfix: a segmentation fault might occur in a worker process if resolver was used with the poll method. *) Bugfix: nginx might hog CPU during SSL handshake with a backend if the select, poll, or /dev/poll methods were used. *) Bugfix: the "[crit] SSL_write() failed (SSL:)" error. *) Bugfix: in the "fastcgi_keep_conn" directive. -- Maxim Dounin http://nginx.com/support.html From mdounin at mdounin.ru Tue Feb 19 15:29:12 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 19 Feb 2013 19:29:12 +0400 Subject: [nginx-announce] nginx-1.3.13 Message-ID: <20130219152912.GP81985@mdounin.ru> Changes with nginx 1.3.13 19 Feb 2013 *) Change: a compiler with name "cc" is now used by default. *) Feature: support for proxying of WebSocket connections. Thanks to Apcera and CloudBees for sponsoring this work. *) Feature: the "auth_basic_user_file" directive supports "{SHA}" password encryption method. Thanks to Louis Opter. -- Maxim Dounin http://nginx.com/support.html From mdounin at mdounin.ru Tue Mar 5 14:55:59 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 5 Mar 2013 18:55:59 +0400 Subject: [nginx-announce] nginx-1.3.14 Message-ID: <20130305145559.GC15378@mdounin.ru> Changes with nginx 1.3.14 05 Mar 2013 *) Feature: $connections_active, $connections_reading, and $connections_writing variables in the ngx_http_stub_status_module. *) Feature: support of WebSocket connections in the ngx_http_uwsgi_module and ngx_http_scgi_module. *) Bugfix: in virtual servers handling with SNI. *) Bugfix: new sessions were not always stored if the "ssl_session_cache shared" directive was used and there was no free space in shared memory. Thanks to Piotr Sikora. *) Bugfix: multiple X-Forwarded-For headers were handled incorrectly. Thanks to Neal Poole for sponsoring this work. *) Bugfix: in the ngx_http_mp4_module. Thanks to Gernot Vormayr. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Mar 26 13:29:55 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 26 Mar 2013 17:29:55 +0400 Subject: [nginx-announce] nginx-1.3.15 Message-ID: <20130326132955.GP62550@mdounin.ru> Changes with nginx 1.3.15 26 Mar 2013 *) Change: opening and closing a connection without sending any data in it is no longer logged to access_log with error code 400. *) Feature: the ngx_http_spdy_module. Thanks to Automattic for sponsoring this work. *) Feature: the "limit_req_status" and "limit_conn_status" directives. Thanks to Nick Marden. *) Feature: the "image_filter_interlace" directive. Thanks to Ian Babrou. *) Feature: $connections_waiting variable in the ngx_http_stub_status_module. *) Feature: the mail proxy module now supports IPv6 backends. *) Bugfix: request body might be transmitted incorrectly when retrying a request to the next upstream server; the bug had appeared in 1.3.9. Thanks to Piotr Sikora. *) Bugfix: in the "client_body_in_file_only" directive; the bug had appeared in 1.3.9. *) Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing. Thanks to Lanshun Zhou. *) Bugfix: in backend usage accounting. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Apr 2 12:54:07 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 2 Apr 2013 16:54:07 +0400 Subject: [nginx-announce] nginx-1.2.8 Message-ID: <20130402125407.GO62550@mdounin.ru> Changes with nginx 1.2.8 02 Apr 2013 *) Bugfix: new sessions were not always stored if the "ssl_session_cache shared" directive was used and there was no free space in shared memory. Thanks to Piotr Sikora. *) Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing. Thanks to Lanshun Zhou. *) Bugfix: in the ngx_http_mp4_module. Thanks to Gernot Vormayr. *) Bugfix: in backend usage accounting. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Apr 16 14:21:15 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 16 Apr 2013 18:21:15 +0400 Subject: [nginx-announce] nginx-1.3.16 Message-ID: <20130416142115.GZ92338@mdounin.ru> Changes with nginx 1.3.16 16 Apr 2013 *) Bugfix: a segmentation fault might occur in a worker process if subrequests were used; the bug had appeared in 1.3.9. *) Bugfix: the "tcp_nodelay" directive caused an error if a WebSocket connection was proxied into a unix domain socket. *) Bugfix: the $upstream_response_length variable has an incorrect value "0" if buffering was not used. Thanks to Piotr Sikora. *) Bugfix: in the eventport and /dev/poll methods. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Wed Apr 24 14:19:49 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 24 Apr 2013 18:19:49 +0400 Subject: [nginx-announce] nginx-1.4.0 Message-ID: <20130424141949.GK10443@mdounin.ru> Changes with nginx 1.4.0 24 Apr 2013 *) Bugfix: nginx could not be built with the ngx_http_perl_module if the --with-openssl option was used; the bug had appeared in 1.3.16. *) Bugfix: in a request body handling in the ngx_http_perl_module; the bug had appeared in 1.3.9. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue May 7 11:29:21 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 May 2013 15:29:21 +0400 Subject: [nginx-announce] nginx-1.5.0 Message-ID: <20130507112921.GA69760@mdounin.ru> Changes with nginx 1.5.0 07 May 2013 *) Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue May 7 11:29:53 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 May 2013 15:29:53 +0400 Subject: [nginx-announce] nginx-1.4.1 Message-ID: <20130507112953.GE69760@mdounin.ru> Changes with nginx 1.4.1 07 May 2013 *) Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue May 7 11:30:26 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 May 2013 15:30:26 +0400 Subject: [nginx-announce] nginx security advisory (CVE-2013-2028) Message-ID: <20130507113026.GI69760@mdounin.ru> Hello! Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028). The problem affects nginx 1.3.9 - 1.4.0. The problem is fixed in nginx 1.5.0, 1.4.1. Patch for the problem can be found here: http://nginx.org/download/patch.2013.chunked.txt As a temporary workaround the following configuration can be used in each server{} block: if ($http_transfer_encoding ~* chunked) { return 444; } -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Mon May 13 11:32:51 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 May 2013 15:32:51 +0400 Subject: [nginx-announce] nginx-1.2.9 Message-ID: <20130513113251.GJ69760@mdounin.ru> Changes with nginx 1.2.9 13 May 2013 *) Security: contents of worker process memory might be sent to a client if HTTP backend returned specially crafted response (CVE-2013-2070); the bug had appeared in 1.1.4. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Mon May 13 11:33:36 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 May 2013 15:33:36 +0400 Subject: [nginx-announce] nginx security advisory (CVE-2013-2070) Message-ID: <20130513113336.GN69760@mdounin.ru> Hello! A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server. The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0. The problem is already fixed in nginx 1.5.0, 1.4.1. Version 1.2.9 was released to address the issue in the 1.2.x legacy branch. Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028: http://nginx.org/download/patch.2013.chunked.txt Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8) can be found here: http://nginx.org/download/patch.2013.proxy.txt -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Jun 4 13:42:51 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 4 Jun 2013 17:42:51 +0400 Subject: [nginx-announce] nginx-1.5.1 Message-ID: <20130604134251.GU72282@mdounin.ru> Changes with nginx 1.5.1 04 Jun 2013 *) Feature: the "ssi_last_modified", "sub_filter_last_modified", and "xslt_last_modified" directives. Thanks to Alexey Kolpakov. *) Feature: the "http_403" parameter of the "proxy_next_upstream", "fastcgi_next_upstream", "scgi_next_upstream", and "uwsgi_next_upstream" directives. *) Feature: the "allow" and "deny" directives now support unix domain sockets. *) Bugfix: nginx could not be built with the ngx_mail_ssl_module, but without ngx_http_ssl_module; the bug had appeared in 1.3.14. *) Bugfix: in the "proxy_set_body" directive. Thanks to Lanshun Zhou. *) Bugfix: in the "lingering_time" directive. Thanks to Lanshun Zhou. *) Bugfix: the "fail_timeout" parameter of the "server" directive in the "upstream" context might not work if "max_fails" parameter was used; the bug had appeared in 1.3.0. *) Bugfix: a segmentation fault might occur in a worker process if the "ssl_stapling" directive was used. Thanks to Piotr Sikora. *) Bugfix: in the mail proxy server. Thanks to Filipe Da Silva. *) Bugfix: nginx/Windows might stop accepting connections if several worker processes were used. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Jul 2 13:34:31 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 2 Jul 2013 17:34:31 +0400 Subject: [nginx-announce] nginx-1.5.2 Message-ID: <20130702133431.GE20717@mdounin.ru> Changes with nginx 1.5.2 02 Jul 2013 *) Feature: now several "error_log" directives can be used. *) Bugfix: the $r->header_in() embedded perl method did not return value of the "Cookie" and "X-Forwarded-For" request header lines; the bug had appeared in 1.3.14. *) Bugfix: in the ngx_http_spdy_module. Thanks to Jim Radford. *) Bugfix: nginx could not be built on Linux with x32 ABI. Thanks to Serguei Ivantsov. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Wed Jul 17 13:30:16 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 17 Jul 2013 17:30:16 +0400 Subject: [nginx-announce] nginx-1.4.2 Message-ID: <20130717133016.GD49108@mdounin.ru> Changes with nginx 1.4.2 17 Jul 2013 *) Bugfix: the $r->header_in() embedded perl method did not return value of the "Cookie" and "X-Forwarded-For" request header lines; the bug had appeared in 1.3.14. *) Bugfix: nginx could not be built with the ngx_mail_ssl_module, but without ngx_http_ssl_module; the bug had appeared in 1.3.14. *) Bugfix: in the "proxy_set_body" directive. Thanks to Lanshun Zhou. *) Bugfix: the "fail_timeout" parameter of the "server" directive in the "upstream" context might not work if "max_fails" parameter was used; the bug had appeared in 1.3.0. *) Bugfix: a segmentation fault might occur in a worker process if the "ssl_stapling" directive was used. Thanks to Piotr Sikora. *) Bugfix: nginx/Windows might stop accepting connections if several worker processes were used. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Jul 30 13:41:15 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 30 Jul 2013 17:41:15 +0400 Subject: [nginx-announce] nginx-1.5.3 Message-ID: <20130730134115.GJ2130@mdounin.ru> Changes with nginx 1.5.3 30 Jul 2013 *) Change in internal API: now u->length defaults to -1 if working with backends in unbuffered mode. *) Change: now after receiving an incomplete response from a backend server nginx tries to send an available part of the response to a client, and then closes client connection. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used with the "client_body_in_file_only" directive. *) Bugfix: the "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFlyBSD. Thanks to Sepherosa Ziehau. *) Bugfix: in the ngx_http_xslt_filter_module. *) Bugfix: in the ngx_http_sub_filter_module. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Aug 27 14:06:12 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 27 Aug 2013 18:06:12 +0400 Subject: [nginx-announce] nginx-1.5.4 Message-ID: <20130827140612.GX19334@mdounin.ru> Changes with nginx 1.5.4 27 Aug 2013 *) Change: the "js" extension MIME type has been changed to "application/javascript"; default value of the "charset_types" directive was changed accordingly. *) Change: now the "image_filter" directive with the "size" parameter returns responses with the "application/json" MIME type. *) Feature: the ngx_http_auth_request_module. *) Bugfix: a segmentation fault might occur on start or during reconfiguration if the "try_files" directive was used with an empty parameter. *) Bugfix: memory leak if relative paths were specified using variables in the "root" or "auth_basic_user_file" directives. *) Bugfix: the "valid_referers" directive incorrectly executed regular expressions if a "Referer" header started with "https://". Thanks to Liangbin Li. *) Bugfix: responses might hang if subrequests were used and an SSL handshake error happened during subrequest processing. Thanks to Aviram Cohen. *) Bugfix: in the ngx_http_autoindex_module. *) Bugfix: in the ngx_http_spdy_module. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Sep 17 13:43:38 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 17 Sep 2013 17:43:38 +0400 Subject: [nginx-announce] nginx-1.5.5 Message-ID: <20130917134338.GV57081@mdounin.ru> Changes with nginx 1.5.5 17 Sep 2013 *) Change: now nginx assumes HTTP/1.0 by default if it is not able to detect protocol reliably. *) Feature: the "disable_symlinks" directive now uses O_PATH on Linux. *) Feature: now nginx uses EPOLLRDHUP events to detect premature connection close by clients if the "epoll" method is used. *) Bugfix: in the "valid_referers" directive if the "server_names" parameter was used. *) Bugfix: the $request_time variable did not work in nginx/Windows. *) Bugfix: in the "image_filter" directive. Thanks to Lanshun Zhou. *) Bugfix: OpenSSL 1.0.1f compatibility. Thanks to Piotr Sikora. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Oct 1 13:59:57 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 1 Oct 2013 17:59:57 +0400 Subject: [nginx-announce] nginx-1.5.6 Message-ID: <20131001135957.GG62063@mdounin.ru> Changes with nginx 1.5.6 01 Oct 2013 *) Feature: the "fastcgi_buffering" directive. *) Feature: the "proxy_ssl_protocols" and "proxy_ssl_ciphers" directives. Thanks to Piotr Sikora. *) Feature: optimization of SSL handshakes when using long certificate chains. *) Feature: the mail proxy supports SMTP pipelining. *) Bugfix: in the ngx_http_auth_basic_module when using "$apr1$" password encryption method. Thanks to Markus Linnala. *) Bugfix: in MacOSX, Cygwin, and nginx/Windows incorrect location might be used to process a request if locations were given using characters in different cases. *) Bugfix: automatic redirect with appended trailing slash for proxied locations might not work. *) Bugfix: in the mail proxy server. *) Bugfix: in the ngx_http_spdy_module. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Oct 8 13:42:21 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 8 Oct 2013 17:42:21 +0400 Subject: [nginx-announce] nginx-1.4.3 Message-ID: <20131008134221.GN76294@mdounin.ru> Changes with nginx 1.4.3 08 Oct 2013 *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used with the "client_body_in_file_only" directive. *) Bugfix: a segmentation fault might occur on start or during reconfiguration if the "try_files" directive was used with an empty parameter. *) Bugfix: the $request_time variable did not work in nginx/Windows. *) Bugfix: in the ngx_http_auth_basic_module when using "$apr1$" password encryption method. Thanks to Markus Linnala. *) Bugfix: in the ngx_http_autoindex_module. *) Bugfix: in the mail proxy server. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Nov 19 15:00:42 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 19 Nov 2013 19:00:42 +0400 Subject: [nginx-announce] nginx-1.5.7 Message-ID: <20131119150042.GE41579@mdounin.ru> Changes with nginx 1.5.7 19 Nov 2013 *) Security: a character following an unescaped space in a request line was handled incorrectly (CVE-2013-4547); the bug had appeared in 0.8.41. Thanks to Ivan Fratric of the Google Security Team. *) Change: a logging level of auth_basic errors about no user/password provided has been lowered from "error" to "info". *) Feature: the "proxy_cache_revalidate", "fastcgi_cache_revalidate", "scgi_cache_revalidate", and "uwsgi_cache_revalidate" directives. *) Feature: the "ssl_session_ticket_key" directive. Thanks to Piotr Sikora. *) Bugfix: the directive "add_header Cache-Control ''" added a "Cache-Control" response header line with an empty value. *) Bugfix: the "satisfy any" directive might return 403 error instead of 401 if auth_request and auth_basic directives were used. Thanks to Jan Marc Hoffmann. *) Bugfix: the "accept_filter" and "deferred" parameters of the "listen" directive were ignored for listen sockets created during binary upgrade. Thanks to Piotr Sikora. *) Bugfix: some data received from a backend with unbufferred proxy might not be sent to a client immediately if "gzip" or "gunzip" directives were used. Thanks to Yichun Zhang. *) Bugfix: in error handling in ngx_http_gunzip_filter_module. *) Bugfix: responses might hang if the ngx_http_spdy_module was used with the "auth_request" directive. *) Bugfix: memory leak in nginx/Windows. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Nov 19 15:01:06 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 19 Nov 2013 19:01:06 +0400 Subject: [nginx-announce] nginx-1.4.4 Message-ID: <20131119150106.GI41579@mdounin.ru> Changes with nginx 1.4.4 19 Nov 2013 *) Security: a character following an unescaped space in a request line was handled incorrectly (CVE-2013-4547); the bug had appeared in 0.8.41. Thanks to Ivan Fratric of the Google Security Team. -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Nov 19 15:02:26 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 19 Nov 2013 19:02:26 +0400 Subject: [nginx-announce] nginx security advisory (CVE-2013-4547) Message-ID: <20131119150226.GM41579@mdounin.ru> Hello! Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547). Some checks on a request URI were not executed on a character following an unescaped space character (which is invalid per HTTP protocol, but allowed for compatibility reasons since nginx 0.8.41). One of the results is that it was possible to bypass security restrictions like location /protected/ { deny all; } by requesting a file as "/foo /../protected/file" (in case of static files, only if there is a "foo " directory with a trailing space), or to trigger processing of a file with a trailing space in a configuration like location ~ \.php$ { fastcgi_pass ... } by requesting a file as "/file \0.php". The problem affects nginx 0.8.41 - 1.5.6. The problem is fixed in nginx 1.5.7, 1.4.4. Patch for the problem can be found here: http://nginx.org/download/patch.2013.space.txt As a temporary workaround the following configuration can be used in each server{} block: if ($request_uri ~ " ") { return 444; } -- Maxim Dounin http://nginx.org/en/donation.html From mdounin at mdounin.ru Tue Dec 17 14:08:00 2013 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 17 Dec 2013 18:08:00 +0400 Subject: [nginx-announce] nginx-1.5.8 Message-ID: <20131217140800.GR95113@mdounin.ru> Changes with nginx 1.5.8 17 Dec 2013 *) Feature: IPv6 support in resolver. *) Feature: the "listen" directive supports the "fastopen" parameter. Thanks to Mathew Rodley. *) Feature: SSL support in the ngx_http_uwsgi_module. Thanks to Roberto De Ioris. *) Feature: vim syntax highlighting scripts were added to contrib. Thanks to Evan Miller. *) Bugfix: a timeout might occur while reading client request body in an SSL connection using chunked transfer encoding. *) Bugfix: the "master_process" directive did not work correctly in nginx/Windows. *) Bugfix: the "setfib" parameter of the "listen" directive might not work. *) Bugfix: in the ngx_http_spdy_module. -- Maxim Dounin http://nginx.org/en/donation.html