From xeioex at nginx.com Wed Feb 7 23:18:08 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Wed, 7 Feb 2024 15:18:08 -0800
Subject: [nginx-announce] njs-0.8.3
Message-ID: <63f4277a-fe47-490c-9095-78c05bbde9a4@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release focuses on stabilization of recently released features
and fixing bugs found by various fuzzers.

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues
- Mailing list:
      https://mailman.nginx.org/mailman/listinfo/nginx-devel

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.3                                       07 Feb 2024

    nginx modules:

    *) Bugfix: fixed Headers.set().

    *) Bugfix: fixed js_set with Buffer values.

    *) Bugfix: fixed clear() method of a shared dictionary when
       timeout is not specified.

    *) Bugfix: fixed stub_status statistic when js_periodic is
       enabled.

    Core:

    *) Bugfix: fixed building with libxml2 2.12 and later.

    *) Bugfix: fixed Date constructor for overflows and with
       NaN values.

    *) Bugfix: fixed underflow in querystring.parse().

    *) Bugfix: fixed potential buffer overread in
       String.prototype.match().

    *) Bugfix: fixed parsing of for-in loops.

    *) Bugfix: fixed parsing of hexadecimal, octal, and binary
       literals with no digits.
From pluknet at nginx.com Wed Feb 14 16:59:24 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Feb 2024 20:59:24 +0400
Subject: [nginx-announce] nginx-1.25.4
Message-ID: <2E617EAC-A6FD-4E78-B010-3139A768F95F@nginx.com>

Changes with nginx 1.25.4                                    14 Feb 2024

    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).

    *) Bugfix: connections with pending AIO operations might be closed
       prematurely during graceful shutdown of old worker processes.

    *) Bugfix: socket leak alerts no longer logged when fast shutdown was
       requested after graceful shutdown of old worker processes.

    *) Bugfix: a socket descriptor error, a socket leak, or a segmentation
       fault in a worker process (for SSL proxying) might occur if AIO was
       used in a subrequest.

    *) Bugfix: a segmentation fault might occur in a worker process if SSL
       proxying was used along with the "image_filter" directive and
       errors with code 415 were redirected with the "error_page"
       directive.

    *) Bugfixes and improvements in HTTP/3.

-- 
Sergey Kandaurov

From pluknet at nginx.com Wed Feb 14 17:00:05 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Feb 2024 21:00:05 +0400
Subject: [nginx-announce] nginx security advisory (CVE-2024-24989, CVE-2024-24990)
Message-ID: <21ED6988-AEC3-4597-AE21-F1453DD8A506@nginx.com>

Two security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-24989, CVE-2024-24990) or
might have potential other impact (CVE-2024-24990).

The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.

The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.

-- 
Sergey Kandaurov

From arut at nginx.com Tue Apr 16 16:41:03 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Tue, 16 Apr 2024 20:41:03 +0400
Subject: [nginx-announce] nginx-1.25.5
Message-ID: <6C5DA3C3-4A74-46BF-97C1-F6C648E6EEB3@nginx.com>

Changes with nginx 1.25.5                                    16 Apr 2024

    *) Feature: virtual servers in the stream module.

    *) Feature: the ngx_stream_pass_module.

    *) Feature: the "deferred", "accept_filter", and "setfib" parameters
       of the "listen" directive in the stream module.

    *) Feature: cache line size detection for some architectures.
       Thanks to Piotr Sikora.

    *) Feature: support for Homebrew on Apple Silicon.
       Thanks to Piotr Sikora.

    *) Bugfix: Windows cross-compilation bugfixes and improvements.
       Thanks to Piotr Sikora.

    *) Bugfix: unexpected connection closure while using 0-RTT in QUIC.
       Thanks to Vladimir Khomutov.

----
Roman Arutyunyan
arut at nginx.com

From xeioex at nginx.com Tue Apr 16 21:22:22 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 16 Apr 2024 14:22:22 -0700
Subject: [nginx-announce] njs-0.8.4
Message-ID: <13ef4551-a4df-4336-98f5-9dcefca1bf7e@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release introduced the initial QuickJS engine support in CLI
as well as regular bugfixes.

Notable new features:

- QuickJS in njs CLI:
: $ ./configure --cc-opt="-I/path/to/quickjs -L/path/to/quickjs" && make njs
: $ ./build/njs -n QuickJS
:
: >> new Map()
: [object Map]

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues
- Mailing list:
      https://mailman.nginx.org/mailman/listinfo/nginx-devel

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.4                                       16 Apr 2024

    nginx modules:

    *) Feature: allowing to set Server header for outgoing headers.

    *) Improvement: validating URI and args arguments in r.subrequest().

    *) Improvement: checking for duplicate js_set variables.

    *) Bugfix: fixed clear() method of a shared dictionary without
       timeout introduced in 0.8.3.

    *) Bugfix: fixed r.send() with Buffer argument.

    Core:

    *) Feature: added QuickJS engine support in CLI.

    *) Bugfix: fixed atob() with non-padded base64 strings.

From arut at nginx.com Tue Apr 23 17:50:47 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Tue, 23 Apr 2024 21:50:47 +0400
Subject: [nginx-announce] nginx-1.26.0
Message-ID: <4DB3A4BA-AD05-4969-AE34-F70029A9CB7C@nginx.com>

Changes with nginx 1.26.0                                    23 Apr 2024

    *) 1.26.x stable branch.

----
Roman Arutyunyan
arut at nginx.com

From pluknet at nginx.com Wed May 29 15:11:51 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 29 May 2024 19:11:51 +0400
Subject: [nginx-announce] nginx-1.27.0
Message-ID: <29E97358-FD9F-4161-95A8-4689DBB5261E@nginx.com>

Changes with nginx 1.27.0                                    29 May 2024

    *) Security: when using HTTP/3, processing of a specially crafted QUIC
       session might cause a worker process crash, worker process memory
       disclosure on systems with MTU larger than 4096 bytes, or might
       have potential other impact (CVE-2024-32760, CVE-2024-31079,
       CVE-2024-35200, CVE-2024-34161).
       Thanks to Nils Bars of CISPA.

    *) Feature: variables support in the "proxy_limit_rate",
       "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
       directives.

    *) Bugfix: reduced memory consumption for long-lived requests if
       "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives
       are used.

    *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
       option was used.
       Thanks to Edgar Bonet.

    *) Bugfixes in HTTP/3.

-- 
Sergey Kandaurov

From pluknet at nginx.com Wed May 29 15:12:03 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 29 May 2024 19:12:03 +0400
Subject: [nginx-announce] nginx-1.26.1
Message-ID:

Changes with nginx 1.26.1                                    29 May 2024

    *) Security: when using HTTP/3, processing of a specially crafted QUIC
       session might cause a worker process crash, worker process memory
       disclosure on systems with MTU larger than 4096 bytes, or might
       have potential other impact (CVE-2024-32760, CVE-2024-31079,
       CVE-2024-35200, CVE-2024-34161).
       Thanks to Nils Bars of CISPA.

    *) Bugfix: reduced memory consumption for long-lived requests if
       "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives
       are used.

    *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
       option was used.
       Thanks to Edgar Bonet.

    *) Bugfix: in HTTP/3.

-- 
Sergey Kandaurov

From pluknet at nginx.com Wed May 29 15:12:07 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 29 May 2024 19:12:07 +0400
Subject: [nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)
Message-ID: <70B982A6-40C4-419B-8988-8702EA3407CE@nginx.com>

Hello!

Four security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-31079, CVE-2024-32760,
CVE-2024-35200), worker process memory disclosure on systems with MTU
larger than 4096 bytes (CVE-2024-34161), or might have potential other
impact (CVE-2024-31079, CVE-2024-32760).

The issues affect nginx compiled with the experimental
ngx_http_v3_module (not compiled by default) if the "quic" option
of the "listen" directive is used in a configuration file.

The issues affect nginx 1.25.0-1.25.5, 1.26.0.
The issues are fixed in nginx 1.27.0, 1.26.1.

Thanks to Nils Bars of CISPA.

-- 
Sergey Kandaurov

From xeioex at nginx.com Tue Jun 25 21:59:43 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 25 Jun 2024 14:59:43 -0700
Subject: [nginx-announce] njs-0.8.5
Message-ID: <643a9aa8-2e02-47d7-8b0e-6cfafbe3fea4@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.5                                       25 Jun 2024

    nginx modules:

    *) Change: r.variables.var, r.requestText, r.responseText,
       s.variables.var, and the "data" argument of the s.on() callback
       with "upload" or "download" event types will now convert bytes
       invalid in UTF-8 encoding into the replacement character. When
       working with binary data, use r.rawVariables.var, r.requestBuffer,
       r.responseBuffer, s.rawVariables.var, and the "upstream" or
       "downstream" event type for s.on() instead.

    *) Feature: added timeout argument for shared dictionary methods
       add(), set() and incr().

    *) Bugfix: fixed checking for duplicate js_set variables.

    *) Bugfix: fixed request Host header when the port is non-standard.

    *) Bugfix: fixed handling of a zero-length request body in ngx.fetch()
       and r.subrequest().

    *) Bugfix: fixed heap-buffer-overflow in Headers.get().

    *) Bugfix: fixed r.subrequest() error handling.

    Core:

    *) Feature: added zlib module for QuickJS engine.

    *) Bugfix: fixed zlib.inflate().

    *) Bugfix: fixed String.prototype.replaceAll() with zero-length
       argument.

    *) Bugfix: fixed retval handling after an exception in
       Array.prototype.toSpliced(), Array.prototype.toReversed(),
       Array.prototype.toSorted().

    *) Bugfix: fixed RegExp.prototype[@@replace]() with replacements
       containing "$'", "$\`" and strings with Unicode characters.

    *) Bugfix: fixed a one-byte overread in decodeURI() and
       decodeURIComponent().

    *) Bugfix: fixed tracking of argument scope.

    *) Bugfix: fixed integer overflow in Date.parse().
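
The njs 0.8.5 "Change" entry above says the text accessors now turn bytes that are invalid in UTF-8 into the replacement character. The following is an added example, not part of the announcement and not njs code: it runs under Node.js and models that conversion with TextDecoder, which is an assumption about the exact replacement granularity, to show what a handler loses when it reads binary data as text. All byte values are constructed.

```javascript
// Added illustration for Node.js. It models the documented 0.8.5 conversion
// with TextDecoder and does not call njs itself.

// Text view of a value: bytes invalid in UTF-8 become U+FFFD, as the change
// describes for r.variables.var, r.requestText and r.responseText.
function textView(bytes) {
    return new TextDecoder('utf-8').decode(bytes);
}

// Re-encode the text view, as a handler does when it passes the string on.
function reencode(bytes) {
    return Buffer.from(textView(bytes), 'utf8');
}

// Summarise what reading `bytes` through the text view costs.
function auditTextRead(bytes) {
    const text = textView(bytes);
    const out = reencode(bytes);
    return {
        lossy: !out.equals(bytes),          // original bytes not recoverable
        // Counts U+FFFD characters present in the text view.
        replaced: [...text].filter((ch) => ch === '\ufffd').length,
        bytesIn: bytes.length,
        bytesOut: out.length,
    };
}

// True when two different byte strings look identical as text, which matters
// for any comparison, cache key or signature check done on the text view.
function collide(a, b) {
    return !a.equals(b) && textView(a) === textView(b);
}

// Constructed samples (not captured traffic).
const token = Buffer.from([0x01, 0xff, 0xfe, 0x80, 0x41]); // binary value
const other = Buffer.from([0x01, 0x80, 0xff, 0xfe, 0x41]); // different bytes
const ascii = Buffer.from('session=abc123', 'utf8');       // plain text

console.log(auditTextRead(token), auditTextRead(ascii), collide(token, other));
```

Values that are valid UTF-8 pass through unchanged, so only handlers that read binary data through the text accessors need to move to the raw accessors the change lists.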
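
The two HTTP/3 security advisories in this archive give the same exposure conditions (built with ngx_http_v3_module, and a "listen" directive using the "quic" option) and list affected version ranges. The following is an added example, not part of the advisories and not nginx project code, that applies those conditions to the text of `nginx -V` and a configuration dump from `nginx -T`. The function names and sample inputs are constructed for illustration, and it assumes the stock "nginx version: nginx/x.y.z" banner.

```javascript
// Added example: ranges and conditions are copied from the two advisories.
const ADVISORIES = [
    { cves: 'CVE-2024-24989, CVE-2024-24990',
      ranges: [['1.25.0', '1.25.3']] },
    { cves: 'CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200',
      ranges: [['1.25.0', '1.25.5'], ['1.26.0', '1.26.0']] },
];

// Compare two dotted x.y.z versions numerically.
function cmp(a, b) {
    const x = a.split('.').map(Number);
    const y = b.split('.').map(Number);
    for (let i = 0; i < 3; i++) {
        if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
    }
    return 0;
}

// nginxV: text printed by `nginx -V`; config: text printed by `nginx -T`.
function assess(nginxV, config) {
    const m = /nginx version: nginx\/(\d+\.\d+\.\d+)/.exec(nginxV);
    if (!m) throw new Error('no "nginx version:" line found');
    const version = m[1];
    // Condition 1: built with the HTTP/3 module (not compiled by default).
    const v3Built = /--with-http_v3_module\b/.test(nginxV);
    // Condition 2: some "listen" directive carries the "quic" option.
    // Comments are dropped first; a directive split over lines is not seen.
    const quicListen = config.split('\n')
        .map((line) => line.replace(/#.*/, ''))
        .some((line) => /\blisten\s[^;]*\bquic\b[^;]*;/.test(line));
    const inRange = (a) => a.ranges.some(
        ([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) <= 0);
    const versionMatches = ADVISORIES.filter(inRange).map((a) => a.cves);
    const exposed = v3Built && quicListen ? versionMatches : [];
    return { version, v3Built, quicListen, versionMatches, exposed };
}

// Constructed sample inputs, not output from a real host.
const SAMPLE_V = 'nginx version: nginx/1.25.3\n' +
    'configure arguments: --with-http_ssl_module --with-http_v3_module\n';
const SAMPLE_CONF = 'server {\n    listen 443 quic reuseport;\n' +
    '    listen 443 ssl;\n    # listen 8443 quic;\n}\n';

console.log(assess(SAMPLE_V, SAMPLE_CONF));
```

`nginx -V` writes to stderr, so capture it with `2>&1` before passing the text in.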