From xeioex at nginx.com Wed Feb 7 23:18:08 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Wed, 7 Feb 2024 15:18:08 -0800
Subject: [nginx-announce] njs-0.8.3
Message-ID: <63f4277a-fe47-490c-9095-78c05bbde9a4@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release focuses on stabilization of recently released features and
fixing bugs found by various fuzzers.

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- GitHub:
      https://github.com/nginx/njs/issues
- Mailing list:
      https://mailman.nginx.org/mailman/listinfo/nginx-devel

Additional examples and howtos can be found here:

- GitHub:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.3                                       07 Feb 2024

    nginx modules:

    *) Bugfix: fixed Headers.set().

    *) Bugfix: fixed js_set with Buffer values.

    *) Bugfix: fixed clear() method of a shared dictionary when
       timeout is not specified.

    *) Bugfix: fixed stub_status statistic when js_periodic is
       enabled.

    Core:

    *) Bugfix: fixed building with libxml2 2.12 and later.

    *) Bugfix: fixed Date constructor for overflows and with
       NaN values.

    *) Bugfix: fixed underflow in querystring.parse().

    *) Bugfix: fixed potential buffer overread in
       String.prototype.match().

    *) Bugfix: fixed parsing of for-in loops.

    *) Bugfix: fixed parsing of hexadecimal, octal, and binary
       literals with no digits.
From pluknet at nginx.com Wed Feb 14 16:59:24 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Feb 2024 20:59:24 +0400
Subject: [nginx-announce] nginx-1.25.4
Message-ID: <2E617EAC-A6FD-4E78-B010-3139A768F95F@nginx.com>

Changes with nginx 1.25.4                                        14 Feb 2024

    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).

    *) Bugfix: connections with pending AIO operations might be closed
       prematurely during graceful shutdown of old worker processes.

    *) Bugfix: socket leak alerts no longer logged when fast shutdown was
       requested after graceful shutdown of old worker processes.

    *) Bugfix: a socket descriptor error, a socket leak, or a segmentation
       fault in a worker process (for SSL proxying) might occur if AIO was
       used in a subrequest.

    *) Bugfix: a segmentation fault might occur in a worker process if SSL
       proxying was used along with the "image_filter" directive and errors
       with code 415 were redirected with the "error_page" directive.

    *) Bugfixes and improvements in HTTP/3.

-- 
Sergey Kandaurov

From pluknet at nginx.com Wed Feb 14 17:00:05 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Feb 2024 21:00:05 +0400
Subject: [nginx-announce] nginx security advisory (CVE-2024-24989, CVE-2024-24990)
Message-ID: <21ED6988-AEC3-4597-AE21-F1453DD8A506@nginx.com>

Two security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-24989, CVE-2024-24990) or
might have potential other impact (CVE-2024-24990).

The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.

The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.
-- 
Sergey Kandaurov

From arut at nginx.com Tue Apr 16 16:41:03 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Tue, 16 Apr 2024 20:41:03 +0400
Subject: [nginx-announce] nginx-1.25.5
Message-ID: <6C5DA3C3-4A74-46BF-97C1-F6C648E6EEB3@nginx.com>

Changes with nginx 1.25.5                                        16 Apr 2024

    *) Feature: virtual servers in the stream module.

    *) Feature: the ngx_stream_pass_module.

    *) Feature: the "deferred", "accept_filter", and "setfib" parameters of
       the "listen" directive in the stream module.

    *) Feature: cache line size detection for some architectures.
       Thanks to Piotr Sikora.

    *) Feature: support for Homebrew on Apple Silicon.
       Thanks to Piotr Sikora.

    *) Bugfix: Windows cross-compilation bugfixes and improvements.
       Thanks to Piotr Sikora.

    *) Bugfix: unexpected connection closure while using 0-RTT in QUIC.
       Thanks to Vladimir Khomutov.

----
Roman Arutyunyan
arut at nginx.com

From xeioex at nginx.com Tue Apr 16 21:22:22 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 16 Apr 2024 14:22:22 -0700
Subject: [nginx-announce] njs-0.8.4
Message-ID: <13ef4551-a4df-4336-98f5-9dcefca1bf7e@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release introduced the initial QuickJS engine support in CLI as well
as regular bugfixes.
Notable new features:

- QuickJS in njs CLI:

: $ ./configure --cc-opt="-I/path/to/quickjs -L/path/to/quickjs" && make njs
: $ ./build/njs -n QuickJS
:
: >> new Map()
: [object Map]

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- GitHub:
      https://github.com/nginx/njs/issues
- Mailing list:
      https://mailman.nginx.org/mailman/listinfo/nginx-devel

Additional examples and howtos can be found here:

- GitHub:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.4                                       16 Apr 2024

    nginx modules:

    *) Feature: allowing to set Server header for outgoing headers.

    *) Improvement: validating URI and args arguments in r.subrequest().

    *) Improvement: checking for duplicate js_set variables.

    *) Bugfix: fixed clear() method of a shared dictionary without
       timeout introduced in 0.8.3.

    *) Bugfix: fixed r.send() with Buffer argument.

    Core:

    *) Feature: added QuickJS engine support in CLI.

    *) Bugfix: fixed atob() with non-padded base64 strings.

From arut at nginx.com Tue Apr 23 17:50:47 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Tue, 23 Apr 2024 21:50:47 +0400
Subject: [nginx-announce] nginx-1.26.0
Message-ID: <4DB3A4BA-AD05-4969-AE34-F70029A9CB7C@nginx.com>

Changes with nginx 1.26.0                                        23 Apr 2024

    *) 1.26.x stable branch.
----
Roman Arutyunyan
arut at nginx.com

From pluknet at nginx.com Wed May 29 15:11:51 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 29 May 2024 19:11:51 +0400
Subject: [nginx-announce] nginx-1.27.0
Message-ID: <29E97358-FD9F-4161-95A8-4689DBB5261E@nginx.com>

Changes with nginx 1.27.0                                        29 May 2024

    *) Security: when using HTTP/3, processing of a specially crafted QUIC
       session might cause a worker process crash, worker process memory
       disclosure on systems with MTU larger than 4096 bytes, or might have
       potential other impact (CVE-2024-32760, CVE-2024-31079,
       CVE-2024-35200, CVE-2024-34161).
       Thanks to Nils Bars of CISPA.

    *) Feature: variables support in the "proxy_limit_rate",
       "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
       directives.

    *) Bugfix: reduced memory consumption for long-lived requests if "gzip",
       "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.

    *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic option
       was used.
       Thanks to Edgar Bonet.

    *) Bugfixes in HTTP/3.

-- 
Sergey Kandaurov

From pluknet at nginx.com Wed May 29 15:12:03 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 29 May 2024 19:12:03 +0400
Subject: [nginx-announce] nginx-1.26.1
Message-ID:

Changes with nginx 1.26.1                                        29 May 2024

    *) Security: when using HTTP/3, processing of a specially crafted QUIC
       session might cause a worker process crash, worker process memory
       disclosure on systems with MTU larger than 4096 bytes, or might have
       potential other impact (CVE-2024-32760, CVE-2024-31079,
       CVE-2024-35200, CVE-2024-34161).
       Thanks to Nils Bars of CISPA.

    *) Bugfix: reduced memory consumption for long-lived requests if "gzip",
       "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.

    *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic option
       was used.
       Thanks to Edgar Bonet.

    *) Bugfix: in HTTP/3.
-- 
Sergey Kandaurov

From pluknet at nginx.com Wed May 29 15:12:07 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 29 May 2024 19:12:07 +0400
Subject: [nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)
Message-ID: <70B982A6-40C4-419B-8988-8702EA3407CE@nginx.com>

Hello!

Four security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-31079, CVE-2024-32760,
CVE-2024-35200), worker process memory disclosure on systems with MTU
larger than 4096 bytes (CVE-2024-34161), or might have potential other
impact (CVE-2024-31079, CVE-2024-32760).

The issues affect nginx compiled with the experimental ngx_http_v3_module
(not compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.

The issues affect nginx 1.25.0-1.25.5, 1.26.0.
The issues are fixed in nginx 1.27.0, 1.26.1.

Thanks to Nils Bars of CISPA.

-- 
Sergey Kandaurov

From xeioex at nginx.com Tue Jun 25 21:59:43 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 25 Jun 2024 14:59:43 -0700
Subject: [nginx-announce] njs-0.8.5
Message-ID: <643a9aa8-2e02-47d7-8b0e-6cfafbe3fea4@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).
Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- GitHub:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- GitHub:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.5                                       25 Jun 2024

    nginx modules:

    *) Change: r.variables.var, r.requestText, r.responseText,
       s.variables.var, and the "data" argument of the s.on() callback
       with "upload" or "download" event types will now convert bytes
       invalid in UTF-8 encoding into the replacement character. When
       working with binary data, use r.rawVariables.var, r.requestBuffer,
       r.responseBuffer, s.rawVariables.var, and the "upstream" or
       "downstream" event type for s.on() instead.

    *) Feature: added timeout argument for shared dictionary methods
       add(), set() and incr().

    *) Bugfix: fixed checking for duplicate js_set variables.

    *) Bugfix: fixed request Host header when the port is non-standard.

    *) Bugfix: fixed handling of a zero-length request body in ngx.fetch()
       and r.subrequest().

    *) Bugfix: fixed heap-buffer-overflow in Headers.get().

    *) Bugfix: fixed r.subrequest() error handling.

    Core:

    *) Feature: added zlib module for QuickJS engine.

    *) Bugfix: fixed zlib.inflate().

    *) Bugfix: fixed String.prototype.replaceAll() with zero-length
       argument.

    *) Bugfix: fixed retval handling after an exception in
       Array.prototype.toSpliced(), Array.prototype.toReversed(),
       Array.prototype.toSorted().
    *) Bugfix: fixed RegExp.prototype[@@replace]() with replacements
       containing "$'", "$`" and strings with Unicode characters.

    *) Bugfix: fixed a one-byte overread in decodeURI() and
       decodeURIComponent().

    *) Bugfix: fixed tracking of argument scope.

    *) Bugfix: fixed integer overflow in Date.parse().

From pluknet at nginx.com Wed Aug 14 14:25:09 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Aug 2024 18:25:09 +0400
Subject: [nginx-announce] nginx-1.27.1
Message-ID:

Changes with nginx 1.27.1                                        14 Aug 2024

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module might cause a worker process crash
       (CVE-2024-7347).
       Thanks to Nils Bars.

    *) Change: now the stream module handler is not mandatory.

    *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old
       worker processes.
       Thanks to Kasei Wang.

    *) Bugfixes in HTTP/3.

-- 
Sergey Kandaurov

From pluknet at nginx.com Wed Aug 14 14:25:19 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Aug 2024 18:25:19 +0400
Subject: [nginx-announce] nginx-1.26.2
Message-ID:

Changes with nginx 1.26.2                                        14 Aug 2024

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module might cause a worker process crash
       (CVE-2024-7347).
       Thanks to Nils Bars.

-- 
Sergey Kandaurov

From f5sirt at F5.com Wed Aug 14 15:07:13 2024
From: f5sirt at F5.com (F5SIRT)
Date: Wed, 14 Aug 2024 15:07:13 +0000
Subject: [nginx-announce] nginx security advisory (CVE-2024-7347)
In-Reply-To:
References:
Message-ID:

A security issue was identified in the ngx_http_mp4_module, which might
allow an attacker to cause a worker process crash by using a specially
crafted mp4 file (CVE-2024-7347).

The issue only affects nginx if it is built with the ngx_http_mp4_module
(the module is not built by default) and the "mp4" directive is used in
the configuration file.
Further, the attack is only possible if an attacker is able to trigger
processing of a specially crafted mp4 file with the ngx_http_mp4_module.

The issue affects nginx 1.5.13+.
The issue is fixed in 1.27.1, 1.26.2.

Patch for the issue can be found here:
https://nginx.org/download/patch.2024.mp4.txt

Thanks to Nils Bars for the initial report.

From arut at nginx.com Fri Sep 6 15:11:21 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Fri, 6 Sep 2024 19:11:21 +0400
Subject: [nginx-announce] NGINX has moved to Github!
Message-ID:

Hello from NGINX!

Today we're thrilled to announce that the official NGINX Open Source
development repository has moved from Mercurial to GitHub [1][2][3], where
we will now start accepting contributions in the form of Pull Requests.

Additionally, starting today, we will begin accepting bugs reports, feature
requests and enhancements directly through GitHub, under the "Issues" tab.

Moreover, we've moved our community forums to the GitHub "Discussions"
area, where you will now be able to engage in conversation, ask, and answer
questions.

Important: to report a security vulnerability, please follow our security
policy [4].

We understand that changes like these may require adjustment, so to give
you more time, we will continue accepting patches and provide community
support via mailing lists until December 31st, 2024.

We believe these changes will serve to centralize, modernize and expand
access to NGINX development and communities. They represent our continued
commitment to open source, as outlined in the blog post [5].

Most of all, we can't wait to see all of your contributions, discussions
and feedback, as we move into this next chapter for NGINX.
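The HTTP/3 advisories (CVE-2024-24989/CVE-2024-24990 and CVE-2024-31079/CVE-2024-32760/CVE-2024-34161/CVE-2024-35200) and the mp4 advisory (CVE-2024-7347) above each hinge on the same three conditions: the module is compiled in, its directive appears in the configuration, and the version is in the affected range. The POSIX shell script below is an added example, not part of any announcement; it encodes those conditions as a check over the output of `nginx -V 2>&1` and a configuration file. The `nginx -V` output and configuration it uses are constructed samples, and it assumes the configuration has been flattened (it does not follow `include`) and uses three-part version numbers.

```shell
#!/bin/sh
# Exposure check for the nginx HTTP/3 (QUIC) and mp4 advisories: each applies
# only when the module is built in, its directive is used, and the version
# falls in the affected range.  Inputs are constructed samples.
SAMPLE_V='nginx version: nginx/1.25.3
built with OpenSSL 3.0.13 30 Jan 2024
configure arguments: --with-http_v3_module --with-http_mp4_module'
# Constructed configuration; assumes includes were already flattened.
SAMPLE_CONF='http {
    server {
        listen 443 quic reuseport;   # HTTP/3 listener
        location /video/ { mp4; }    # ngx_http_mp4_module
    }
}'

# nginx_version V_OUTPUT: extract "1.25.3" from the "nginx version:" line
nginx_version() { printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/##p'; }

# has_module NAME V_OUTPUT: true if --with-NAME is among configure arguments
has_module() { printf '%s\n' "$2" | grep -q -- "--with-$1"; }

# conf_uses REGEX CONF: true if REGEX matches after '#' comments are stripped
conf_uses() { printf '%s\n' "$2" | sed 's/#.*//' | grep -Eq "$1"; }

# version_lt A B: true if dotted three-part version A is older than B
version_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -lt "$b1" ] && return 0; [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0; [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# quic_exposed V_OUTPUT CONF: HTTP/3 advisories cover 1.25.0-1.25.5 and
# 1.26.0; fixed in 1.26.1 and 1.27.0 (so: 1.25.0 <= version < 1.26.1)
quic_exposed() {
    has_module http_v3_module "$1" || return 1
    conf_uses 'listen[^;]*[[:space:]]quic([[:space:]]|;)' "$2" || return 1
    v=$(nginx_version "$1")
    ! version_lt "$v" 1.25.0 && version_lt "$v" 1.26.1
}

# mp4_exposed V_OUTPUT CONF: CVE-2024-7347 affects 1.5.13 and later; fixed
# in 1.26.2 and 1.27.1 (older branches need the published patch)
mp4_exposed() {
    has_module http_mp4_module "$1" || return 1
    conf_uses '(^|[^[:alnum:]_])mp4[[:space:]]*;' "$2" || return 1
    v=$(nginx_version "$1")
    version_lt "$v" 1.5.13 && return 1
    version_lt "$v" 1.26.2 || [ "$v" = 1.27.0 ]
}

# report V_OUTPUT CONF: one line per advisory that applies to this build
report() {
    quic_exposed "$1" "$2" && echo "HTTP/3: QUIC advisories apply; upgrade to 1.26.1/1.27.0 or later"
    mp4_exposed "$1" "$2" && echo "mp4: CVE-2024-7347 applies; upgrade to 1.26.2/1.27.1 or apply the patch"
    return 0
}

report "$SAMPLE_V" "$SAMPLE_CONF"
```

Run it against a real host with `report "$(nginx -V 2>&1)" "$(cat /etc/nginx/nginx.conf)"` after flattening includes, since a `quic` listener or `mp4` directive inside an included file would otherwise be missed.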
[1] https://github.com/nginx/nginx
[2] https://github.com/nginx/nginx-tests
[3] https://github.com/nginx/nginx.org
[4] https://github.com/nginx/nginx/blob/master/SECURITY.md
[5] https://www.f5.com/company/blog/nginx/meetup-recap-nginxs-commitments-to-the-open-source-community

On behalf of the NGINX Team,
Roman Arutyunyan
arut at nginx.com

From pluknet at nginx.com Wed Oct 2 16:17:55 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 2 Oct 2024 20:17:55 +0400
Subject: [nginx-announce] nginx-1.27.2
Message-ID:

Changes with nginx 1.27.2                                        02 Oct 2024

    *) Feature: SSL certificates, secret keys, and CRLs are now cached on
       start or during reconfiguration.

    *) Feature: client certificate validation with OCSP in the stream module.

    *) Feature: OCSP stapling support in the stream module.

    *) Feature: the "proxy_pass_trailers" directive in the
       ngx_http_proxy_module.

    *) Feature: the "ssl_client_certificate" directive now supports
       certificates with auxiliary information.

    *) Change: now the "ssl_client_certificate" directive is not required for
       client SSL certificates verification.

-- 
Sergey Kandaurov

From xeioex at nginx.com Wed Oct 2 21:58:26 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Wed, 2 Oct 2024 14:58:26 -0700
Subject: [nginx-announce] njs-0.8.6
Message-ID:

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release introduced the QuickJS engine support in nginx modules.
Read more here: https://nginx.org/en/docs/njs/engine.html

Notable new features:

- QuickJS in nginx:

: nginx.conf:
: location /engine {
:     js_engine qjs;
:     js_content main.entry;
: }
:
: main.js:
: function entry(r) {
:     let m = new Map();
:     m.set(1, "QJS");
:     r.return(200, "Hello from " + m.get(1));
: }

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- GitHub:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- GitHub:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.6                                       02 Oct 2024

    nginx modules:

    *) Feature: introduced QuickJS engine.

    *) Feature: added optional nocache flag for js_set directive.
       Thanks to Thomas P.

    *) Feature: exposed capture group variables in HTTP module.
       Thanks to Thomas P.

    Core:

    *) Feature: added Buffer module for QuickJS engine.

    *) Bugfix: fixed handling of empty labelled statement in a function.

    *) Bugfix: fixed Function constructor handling when called without
       arguments.

    *) Bugfix: fixed Buffer.prototype.writeInt8() and friends.

    *) Bugfix: fixed Buffer.prototype.writeFloat() and friends.

    *) Bugfix: fixed Buffer.prototype.lastIndexOf().

    *) Bugfix: fixed Buffer.prototype.write().

    *) Bugfix: fixed maybe-uninitialized warnings in error creation.

    *) Bugfix: fixed 'ctx.codepoint' initialization in UTF-8 decoding.

    *) Bugfix: fixed 'length' initialization in Array.prototype.pop().

    *) Bugfix: fixed handling of encode arg in fs.readdir() and
       fs.realpath().