From mdounin at mdounin.ru Tue Jan 24 14:21:10 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 24 Jan 2017 17:21:10 +0300
Subject: [nginx-announce] nginx-1.11.9
Message-ID: <20170124142110.GD24349@mdounin.ru>

Changes with nginx 1.11.9                                        24 Jan 2017

    *) Bugfix: nginx might hog CPU when using the stream module; the bug had appeared in 1.11.5.

    *) Bugfix: EXTERNAL authentication mechanism in mail proxy was accepted even if it was not enabled in the configuration.

    *) Bugfix: a segmentation fault might occur in a worker process if the "ssl_verify_client" directive of the stream module was used.

    *) Bugfix: the "ssl_verify_client" directive of the stream module might not work.

    *) Bugfix: closing keepalive connections due to no free worker connections might be too aggressive. Thanks to Joel Cunningham.

    *) Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in 1.7.8.

    *) Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.

    *) Bugfix: a socket leak might occur when using the "aio_write" directive.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Jan 31 15:12:50 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 31 Jan 2017 18:12:50 +0300
Subject: [nginx-announce] nginx-1.10.3
Message-ID: <20170131151249.GG46625@mdounin.ru>

Changes with nginx 1.10.3                                        31 Jan 2017

    *) Bugfix: in the "add_after_body" directive when used with the "sub_filter" directive.

    *) Bugfix: unix domain listen sockets might not be inherited during binary upgrade on Linux.

    *) Bugfix: graceful shutdown of old worker processes might require infinite time when using HTTP/2.

    *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives client request body might be corrupted; the bug had appeared in 1.10.2.

    *) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.10.2.
    *) Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in 1.7.8.

    *) Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.

    *) Bugfix: a socket leak might occur when using the "aio_write" directive.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Feb 14 15:52:22 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 14 Feb 2017 18:52:22 +0300
Subject: [nginx-announce] nginx-1.11.10
Message-ID: <20170214155222.GZ46625@mdounin.ru>

Changes with nginx 1.11.10                                       14 Feb 2017

    *) Change: cache header format has been changed, previously cached responses will be invalidated.

    *) Feature: support of "stale-while-revalidate" and "stale-if-error" extensions in the "Cache-Control" backend response header line.

    *) Feature: the "proxy_cache_background_update", "fastcgi_cache_background_update", "scgi_cache_background_update", and "uwsgi_cache_background_update" directives.

    *) Feature: nginx is now able to cache responses with the "Vary" header line up to 128 characters long (instead of 42 characters in previous versions).

    *) Feature: the "build" parameter of the "server_tokens" directive. Thanks to Tom Thorogood.

    *) Bugfix: "[crit] SSL_write() failed" messages might appear in logs when handling requests with the "Expect: 100-continue" request header line.

    *) Bugfix: the ngx_http_slice_module did not work in named locations.

    *) Bugfix: a segmentation fault might occur in a worker process when using AIO after an "X-Accel-Redirect" redirection.

    *) Bugfix: reduced memory consumption for long-lived requests using gzipping.
--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Mar 21 15:19:00 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 21 Mar 2017 18:19:00 +0300
Subject: [nginx-announce] nginx-1.11.11
Message-ID: <20170321151900.GI13617@mdounin.ru>

Changes with nginx 1.11.11                                       21 Mar 2017

    *) Feature: the "worker_shutdown_timeout" directive.

    *) Feature: vim syntax highlighting scripts improvements. Thanks to Wei-Ko Kao.

    *) Bugfix: a segmentation fault might occur in a worker process if the $limit_rate variable was set to an empty string.

    *) Bugfix: the "proxy_cache_background_update", "fastcgi_cache_background_update", "scgi_cache_background_update", and "uwsgi_cache_background_update" directives might work incorrectly if the "if" directive was used.

    *) Bugfix: a segmentation fault might occur in a worker process if number of large_client_header_buffers in a virtual server was different from the one in the default server.

    *) Bugfix: in the mail proxy server.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Fri Mar 24 15:19:03 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 24 Mar 2017 18:19:03 +0300
Subject: [nginx-announce] nginx-1.11.12
Message-ID: <20170324151903.GJ13617@mdounin.ru>

Changes with nginx 1.11.12                                       24 Mar 2017

    *) Bugfix: nginx might hog CPU; the bug had appeared in 1.11.11.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Apr 4 15:15:37 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 4 Apr 2017 18:15:37 +0300
Subject: [nginx-announce] nginx-1.11.13
Message-ID: <20170404151537.GI13617@mdounin.ru>

Changes with nginx 1.11.13                                       04 Apr 2017

    *) Feature: the "http_429" parameter of the "proxy_next_upstream", "fastcgi_next_upstream", "scgi_next_upstream", and "uwsgi_next_upstream" directives. Thanks to Piotr Sikora.

    *) Bugfix: in memory allocation error handling.

    *) Bugfix: requests might hang when using the "sendfile" and "timer_resolution" directives on Linux.
    *) Bugfix: requests might hang when using the "sendfile" and "aio_write" directives with subrequests.

    *) Bugfix: in the ngx_http_v2_module. Thanks to Piotr Sikora.

    *) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2.

    *) Bugfix: requests might hang when using the "limit_rate", "sendfile_max_chunk", "limit_req" directives, or the $r->sleep() embedded perl method with subrequests.

    *) Bugfix: in the ngx_http_slice_module.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Wed Apr 12 15:19:33 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 12 Apr 2017 18:19:33 +0300
Subject: [nginx-announce] nginx-1.12.0
Message-ID: <20170412151933.GW13617@mdounin.ru>

Changes with nginx 1.12.0                                        12 Apr 2017

    *) 1.12.x stable branch.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Apr 25 14:32:41 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 25 Apr 2017 17:32:41 +0300
Subject: [nginx-announce] nginx-1.13.0
Message-ID: <20170425143241.GK43932@mdounin.ru>

Changes with nginx 1.13.0                                        25 Apr 2017

    *) Change: SSL renegotiation is now allowed on backend connections.

    *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen" directives of the mail proxy and stream modules.

    *) Feature: the "return" and "error_page" directives can now be used to return 308 redirections. Thanks to Simon Leblanc.

    *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.

    *) Feature: when logging signals nginx now logs PID of the process which sent the signal.

    *) Bugfix: in memory allocation error handling.

    *) Bugfix: if a server in the stream module listened on a wildcard address, the source address of a response UDP datagram could differ from the original datagram destination address.
--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue May 30 15:12:08 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 30 May 2017 18:12:08 +0300
Subject: [nginx-announce] nginx-1.13.1
Message-ID: <20170530151208.GX55433@mdounin.ru>

Changes with nginx 1.13.1                                        30 May 2017

    *) Feature: now a hostname can be used as the "set_real_ip_from" directive parameter.

    *) Feature: vim syntax highlighting scripts improvements.

    *) Feature: the "worker_cpu_affinity" directive now works on DragonFly BSD. Thanks to Sepherosa Ziehau.

    *) Bugfix: SSL renegotiation on backend connections did not work when using OpenSSL before 1.1.0.

    *) Workaround: nginx could not be built with Oracle Developer Studio 12.5.

    *) Workaround: now cache manager ignores long locked cache entries when cleaning cache based on the "max_size" parameter.

    *) Bugfix: client SSL connections were immediately closed if deferred accept and the "proxy_protocol" parameter of the "listen" directive were used.

    *) Bugfix: in the "proxy_cache_background_update" directive.

    *) Workaround: now the "tcp_nodelay" directive sets the TCP_NODELAY option before an SSL handshake.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Jun 27 15:04:22 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 27 Jun 2017 18:04:22 +0300
Subject: [nginx-announce] nginx-1.13.2
Message-ID: <20170627150422.GF55433@mdounin.ru>

Changes with nginx 1.13.2                                        27 Jun 2017

    *) Change: nginx now returns 200 instead of 416 when a range starting with 0 is requested from an empty file.

    *) Feature: the "add_trailer" directive. Thanks to Piotr Sikora.

    *) Bugfix: nginx could not be built on Cygwin and NetBSD; the bug had appeared in 1.13.0.

    *) Bugfix: nginx could not be built under MSYS2 / MinGW 64-bit. Thanks to Orgad Shaneh.

    *) Bugfix: a segmentation fault might occur in a worker process when using SSI with many includes and proxy_pass with variables.

    *) Bugfix: in the ngx_http_v2_module. Thanks to Piotr Sikora.
--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Jul 11 15:46:28 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 11 Jul 2017 18:46:28 +0300
Subject: [nginx-announce] nginx-1.13.3
Message-ID: <20170711154628.GY55433@mdounin.ru>

Changes with nginx 1.13.3                                        11 Jul 2017

    *) Security: a specially crafted request might result in an integer overflow and incorrect processing of ranges in the range filter, potentially resulting in sensitive information leak (CVE-2017-7529).

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Jul 11 15:46:48 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 11 Jul 2017 18:46:48 +0300
Subject: [nginx-announce] nginx-1.12.1
Message-ID: <20170711154648.GC55433@mdounin.ru>

Changes with nginx 1.12.1                                        11 Jul 2017

    *) Security: a specially crafted request might result in an integer overflow and incorrect processing of ranges in the range filter, potentially resulting in sensitive information leak (CVE-2017-7529).

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Jul 11 15:48:23 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 11 Jul 2017 18:48:23 +0300
Subject: [nginx-announce] nginx security advisory (CVE-2017-7529)
Message-ID: <20170711154822.GG55433@mdounin.ru>

Hello!

A security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529).

When using nginx with standard modules this allows an attacker to obtain a cache file header if a response was returned from cache. In some configurations a cache file header may contain IP address of the backend server or other sensitive information.

Besides, with 3rd party modules it is potentially possible that the issue may lead to a denial of service or a disclosure of a worker process memory. No such modules are currently known though.

The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.

For older versions, the following configuration can be used as a temporary workaround:

    max_ranges 1;

Patch for the issue can be found here:

http://nginx.org/download/patch.2017.ranges.txt

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Aug 8 15:13:47 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 8 Aug 2017 18:13:47 +0300
Subject: [nginx-announce] nginx-1.13.4
Message-ID: <20170808151347.GP93611@mdounin.ru>

Changes with nginx 1.13.4                                        08 Aug 2017

    *) Feature: the ngx_http_mirror_module.

    *) Bugfix: client connections might be dropped during configuration testing when using the "reuseport" parameter of the "listen" directive on Linux.

    *) Bugfix: request body might not be available in subrequests if it was saved to a file and proxying was used.

    *) Bugfix: cleaning cache based on the "max_size" parameter did not work on Windows.

    *) Bugfix: any shared memory allocation required 4096 bytes on Windows.

    *) Bugfix: nginx worker might be terminated abnormally when using the "zone" directive inside the "upstream" block on Windows.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Sep 5 15:42:36 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 5 Sep 2017 18:42:36 +0300
Subject: [nginx-announce] nginx-1.13.5
Message-ID: <20170905154236.GR93611@mdounin.ru>

Changes with nginx 1.13.5                                        05 Sep 2017

    *) Feature: the $ssl_client_escaped_cert variable.

    *) Bugfix: the "ssl_session_ticket_key" directive and the "include" parameter of the "geo" directive did not work on Windows.

    *) Bugfix: incorrect response length was returned on 32-bit platforms when requesting more than 4 gigabytes with multiple ranges.

    *) Bugfix: the "expires modified" directive and processing of the "If-Range" request header line did not use the response last modification time if proxying without caching was used.
--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Oct 10 15:40:05 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 10 Oct 2017 18:40:05 +0300
Subject: [nginx-announce] nginx-1.13.6
Message-ID: <20171010154005.GN75166@mdounin.ru>

Changes with nginx 1.13.6                                        10 Oct 2017

    *) Bugfix: switching to the next upstream server in the stream module did not work when using the "ssl_preread" directive.

    *) Bugfix: in the ngx_http_v2_module. Thanks to Piotr Sikora.

    *) Bugfix: nginx did not support dates after the year 2038 on 32-bit platforms with 64-bit time_t.

    *) Bugfix: in handling of dates prior to the year 1970 and after the year 10000.

    *) Bugfix: in the stream module timeouts waiting for UDP datagrams from upstream servers were not logged or logged at the "info" level instead of "error".

    *) Bugfix: when using HTTP/2 nginx might return the 400 response without logging the reason.

    *) Bugfix: in processing of corrupted cache files.

    *) Bugfix: cache control headers were ignored when caching errors intercepted by error_page.

    *) Bugfix: when using HTTP/2 client request body might be corrupted.

    *) Bugfix: in handling of client addresses when using unix domain sockets.

    *) Bugfix: nginx hogged CPU when using the "hash ... consistent" directive in the upstream block if large weights were used and all or most of the servers were unavailable.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Oct 17 13:35:04 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 17 Oct 2017 16:35:04 +0300
Subject: [nginx-announce] nginx-1.12.2
Message-ID: <20171017133504.GB26836@mdounin.ru>

Changes with nginx 1.12.2                                        17 Oct 2017

    *) Bugfix: client SSL connections were immediately closed if deferred accept and the "proxy_protocol" parameter of the "listen" directive were used.

    *) Bugfix: client connections might be dropped during configuration testing when using the "reuseport" parameter of the "listen" directive on Linux.
    *) Bugfix: incorrect response length was returned on 32-bit platforms when requesting more than 4 gigabytes with multiple ranges.

    *) Bugfix: switching to the next upstream server in the stream module did not work when using the "ssl_preread" directive.

    *) Bugfix: when using HTTP/2 client request body might be corrupted.

    *) Bugfix: in handling of client addresses when using unix domain sockets.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Nov 21 15:26:18 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 21 Nov 2017 18:26:18 +0300
Subject: [nginx-announce] nginx-1.13.7
Message-ID: <20171121152618.GR62893@mdounin.ru>

Changes with nginx 1.13.7                                        21 Nov 2017

    *) Bugfix: in the $upstream_status variable.

    *) Bugfix: a segmentation fault might occur in a worker process if a backend returned a "101 Switching Protocols" response to a subrequest.

    *) Bugfix: a segmentation fault occurred in a master process if a shared memory zone size was changed during a reconfiguration and the reconfiguration failed.

    *) Bugfix: in the ngx_http_fastcgi_module.

    *) Bugfix: nginx returned the 500 error if parameters without variables were specified in the "xslt_stylesheet" directive.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using a zlib library variant from Intel.

    *) Bugfix: the "worker_shutdown_timeout" directive did not work when using mail proxy and when proxying WebSocket connections.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Dec 26 16:10:51 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 26 Dec 2017 19:10:51 +0300
Subject: [nginx-announce] nginx-1.13.8
Message-ID: <20171226161051.GE34136@mdounin.ru>

Changes with nginx 1.13.8                                        26 Dec 2017

    *) Feature: now nginx automatically preserves the CAP_NET_RAW capability in worker processes when using the "transparent" parameter of the "proxy_bind", "fastcgi_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives.
    *) Feature: improved CPU cache line size detection. Thanks to Debayan Ghosh.

    *) Feature: new directives in vim syntax highlighting scripts. Thanks to Gena Makhomed.

    *) Bugfix: binary upgrade refused to work if nginx was re-parented to a process with PID different from 1 after its parent process has finished.

    *) Bugfix: the ngx_http_autoindex_module incorrectly handled requests with bodies.

    *) Bugfix: in the "proxy_limit_rate" directive when used with the "keepalive" directive.

    *) Bugfix: some parts of a response might be buffered when using "proxy_buffering off" if the client connection used SSL. Thanks to Patryk Lesiewicz.

    *) Bugfix: in the "proxy_cache_background_update" directive.

    *) Bugfix: it was not possible to start a parameter with a variable in the "${name}" form with the name in curly brackets without enclosing the parameter into single or double quotes.

--
Maxim Dounin
http://nginx.org/
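Added example (not part of any announcement above, and not nginx project code): a small inventory check that applies the affected-version range and the branch fixes stated in the CVE-2017-7529 advisory to a `Server` header value, and looks for the advisory's `max_ranges 1;` workaround in a configuration. It assumes the version is visible in the header (`server_tokens` not off) and only checks that the directive text is present, not the context it sits in.

```python
import re
from typing import Optional, Tuple

# Bounds taken from the advisory: affected 0.5.6 - 1.13.2, fixed in 1.13.3
# and 1.12.1. Later releases on those branches (e.g. 1.12.2) carry the fix.
AFFECTED_FROM = (0, 5, 6)
AFFECTED_UPTO = (1, 13, 2)
FIXED_ON_BRANCH = {(1, 12): (1, 12, 1), (1, 13): (1, 13, 3)}

_SERVER_RE = re.compile(r"^nginx/(\d+)\.(\d+)\.(\d+)")


def parse_server_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header such as 'nginx/1.12.0'.
    Returns None when the version is hidden or the header is not nginx's."""
    m = _SERVER_RE.match(server_header.strip())
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in the advisory's range and is not a release
    on a branch that already received the fix (1.12.1 is inside the numeric
    range but is fixed, so the branch table is consulted second)."""
    if not (AFFECTED_FROM <= version <= AFFECTED_UPTO):
        return False
    fixed = FIXED_ON_BRANCH.get(version[:2])
    return fixed is None or version < fixed


def has_workaround(config_text: str) -> bool:
    """Look for the advisory's temporary workaround 'max_ranges 1;' on a
    non-comment line. Assumption: presence anywhere counts; the directive's
    scope (http/server/location) is not evaluated here."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0].strip()
        if re.fullmatch(r"max_ranges\s+1\s*;", code):
            return True
    return False


def assess(server_header: str, config_text: str = "") -> str:
    """Combine the two checks into one verdict string for an inventory report."""
    version = parse_server_version(server_header)
    if version is None:
        return "unknown version"
    if not is_affected(version):
        return "not affected"
    return "affected, workaround present" if has_workaround(config_text) else "affected"


if __name__ == "__main__":
    # Constructed sample input: a header and a config fragment, not real data.
    sample_conf = "http {\n    max_ranges 1;  # temporary, per advisory\n}\n"
    print(assess("nginx/1.12.0", sample_conf))
```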