Hello,
I'm glad to announce a new release of NGINX JavaScript module (njs).
This release proceeds to extend the coverage of ECMAScript 5.1
specification.
- Added initial support for extending the existing prototypes. So,
generic functions can be added to extend functionality of built-in
types.
: > String.prototype.myUpper = function() {return this.toUpperCase()}
: [Function]
: > 'abc'.myUpper()
: 'ABC'
You can learn more about njs:
- Overview and introduction: http://nginx.org/en/docs/njs/
- Presentation: https://youtu.be/Jc_L6UffFOs
Feel free to try it and give us feedback on:
- Github: https://github.com/nginx/njs/issues
- Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel
Changes with njs 0.2.6 27 Nov 2018
Core:
*) Feature: making built-in prototypes mutable.
*) Feature: making global object mutable.
*) Feature: console.time() and console.timeEnd() methods.
*) Feature: allowing variables and functions to be redeclared.
*) Feature: extending Object.defineProperty() spec conformance.
*) Feature: introduced quiet mode for CLI to handle simple
expressions from stdin (echo "2**3" | njs -q -> 8).
*) Feature: introduced compact form of backtraces to handle stack
overflows.
*) Improvement: improved wording for various exceptions.
*) Bugfix: fixed closure values handling.
*) Bugfix: fixed equality operator for various value types.
*) Bugfix: fixed handling of "this" keyword in various scopes.
*) Bugfix: fixed handling non-object values in Object.keys().
*) Bugfix: fixed parsing of throw statement inside if statement.
*) Bugfix: fixed parsing of newline after throw statement.
*) Bugfix: fixed parsing of statements in if statement without
newline.
*) Bugfix: fixed size uint32_t overflow in njs_array_expand().
*) Bugfix: fixed typeof operator for object_value type.
*) Bugfix: miscellaneous additional bugs have been fixed.
Changes with nginx 1.15.7 27 Nov 2018
*) Feature: the "proxy_requests" directive in the stream module.
*) Feature: the "delay" parameter of the "limit_req" directive.
Thanks to Vladislav Shabanov and Peter Shchuchkin.
*) Bugfix: memory leak on errors during reconfiguration.
*) Bugfix: in the $upstream_response_time, $upstream_connect_time, and
$upstream_header_time variables.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used on 32-bit platforms.
--
Maxim Dounin
http://nginx.org/
Hello,
I'm glad to announce a new release of NGINX Unit.
This release primarily focuses on improvements in Node.js module compatibility;
thanks to our vibrant community, we made great progress here.
Please don't hesitate to report any problems to:
- Github: https://github.com/nginx/unit/issues
- Mailing list: https://mailman.nginx.org/mailman/listinfo/unit
If you have installed the "unit-http" module from npm, then don't forget to
update it besides Unit itself.
Detailed instructions for Node.js installation can be found here:
- http://unit.nginx.org/installation/#node-js-package
Changes with Unit 1.6 15 Nov 2018
*) Change: "make install" now installs Node.js module as well if it was
configured.
*) Feature: "--local" ./configure option to install Node.js module
locally.
*) Bugfix: Node.js module might have crashed due to broken reference
counting.
*) Bugfix: asynchronous operations in Node.js might not have worked.
*) Bugfix: various compatibility issues with Node.js applications.
*) Bugfix: "freed pointer is out of pool" alerts might have appeared in
log.
*) Bugfix: module discovery didn't work on 64-bit big-endian systems
like IBM/S390x.
wbr, Valentin V. Bartenev
Hello!
A security issue was identified in the ngx_http_mp4_module, which might
allow an attacker to cause an infinite loop in a worker process, cause a
worker process crash, or might result in worker process memory
disclosure by using a specially crafted mp4 file (CVE-2018-16845).
The issue only affects nginx if it is built with the ngx_http_mp4_module
(the module is not built by default) and the "mp4" directive is used in
the configuration file. Further, the attack is only possible if an
attacker is able to trigger processing of a specially crafted mp4 file
with the ngx_http_mp4_module.
The issue affects nginx 1.1.3+, 1.0.7+.
The issue is fixed in 1.15.6, 1.14.1.
Patch for the issue can be found here:
http://nginx.org/download/patch.2018.mp4.txt
--
Maxim Dounin
http://nginx.org/
Hello!
Two security issues were identified in nginx HTTP/2 implementation,
which might cause excessive memory consumption (CVE-2018-16843)
and CPU usage (CVE-2018-16844).
The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive is
used in a configuration file.
The issues affect nginx 1.9.5 - 1.15.5.
The issues are fixed in nginx 1.15.6, 1.14.1.
Thanks to Gal Goldshtein from F5 Networks for the initial report of the CPU
usage issue.
--
Maxim Dounin
http://nginx.org/
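The exposure conditions stated in the mp4 and HTTP/2 advisories above (version range, module compiled in, directive in use) can be checked mechanically. The following is an added example, not code from the nginx project; it assumes you pass it the text printed by `nginx -V` and the full configuration text (for instance from `nginx -T`), and the function names and sample inputs are constructed for illustration.

```python
import re

FIXED_MAINLINE, FIXED_STABLE = (1, 15, 6), (1, 14, 1)   # from the advisories

def parse_nginx_v(text):
    """Return (version tuple, configure arguments) from `nginx -V` output."""
    ver = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not ver:
        raise ValueError("no 'nginx version:' line found")
    args = re.search(r"configure arguments:(.*)", text)
    return tuple(map(int, ver.groups())), (args.group(1) if args else "")

def is_fixed(v):
    # 1.15.6+ on mainline, or 1.14.1+ within the 1.14 stable branch.
    return v >= FIXED_MAINLINE or (v[:2] == (1, 14) and v >= FIXED_STABLE)

def exposed_cves(nginx_v_text, config_text):
    """List the CVEs whose stated preconditions all hold for this build/config."""
    v, args = parse_nginx_v(nginx_v_text)
    if is_fixed(v):
        return []
    conf = re.sub(r"#.*", "", config_text)  # simplification: ignores '#' in quotes
    found = []
    # HTTP/2 issues: module compiled in, "http2" on a listen directive, 1.9.5+.
    http2 = re.search(r"(?:^|[{;])\s*listen\s[^;]*\bhttp2\b", conf, re.M)
    if "--with-http_v2_module" in args and http2 and v >= (1, 9, 5):
        found += ["CVE-2018-16843", "CVE-2018-16844"]
    # mp4 issue: module compiled in, "mp4" directive present, 1.1.3+ or 1.0.7+.
    mp4 = re.search(r"(?:^|[{;])\s*mp4\s*;", conf, re.M)
    mp4_range = v >= (1, 1, 3) or (1, 0, 7) <= v < (1, 1, 0)
    if "--with-http_mp4_module" in args and mp4 and mp4_range:
        found.append("CVE-2018-16845")
    return found

# Constructed sample inputs (not taken from a real host).
SAMPLE_V = """nginx version: nginx/1.15.5
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_mp4_module
"""
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    location /video/ { mp4; }   # pseudo-streaming
    # location /old/ { mp4; }
}
"""

if __name__ == "__main__":
    print(exposed_cves(SAMPLE_V, SAMPLE_CONF))
```

Distribution packages can carry the fix as a backport without changing the upstream version number, so a hit on a packaged build should be confirmed against the vendor's changelog.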
Changes with nginx 1.14.1 06 Nov 2018
*) Security: when using HTTP/2 a client might cause excessive memory
consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
*) Security: processing of a specially crafted mp4 file with the
ngx_http_mp4_module might result in worker process memory disclosure
(CVE-2018-16845).
*) Bugfix: working with gRPC backends might result in excessive memory
consumption.
--
Maxim Dounin
http://nginx.org/
Changes with nginx 1.15.6 06 Nov 2018
*) Security: when using HTTP/2 a client might cause excessive memory
consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
*) Security: processing of a specially crafted mp4 file with the
ngx_http_mp4_module might result in worker process memory disclosure
(CVE-2018-16845).
*) Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive",
"grpc_socket_keepalive", "memcached_socket_keepalive",
"scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.
*) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
1.1.1, the TLS 1.3 protocol was always enabled.
*) Bugfix: working with gRPC backends might result in excessive memory
consumption.
--
Maxim Dounin
http://nginx.org/