[ANN] OpenResty 1.15.8.2 released

Yichun Zhang yichun at openresty.com
Mon Sep 9 18:06:08 UTC 2019


Hi folks!

OpenResty 1.15.8.2 is a patch release addressing security
vulnerabilities in the HTTP/2 protocol which may cause excessive
memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).

All previous NGINX cores supporting HTTP/2 are affected by this
issue (1.9.5 to 1.16.1). If you are serving HTTP/2 traffic with
*any* previous OpenResty release, upgrade to 1.15.8.2 or disable
HTTP/2.

Starting from this verison, we provide more official binary Yum/Apt
repositories for Red Hat Enterprise Linux (RHEL) 8 x86_64, OpenSUSE
Leap 15.1 x86_64, Debian 10 amd64, Fedora 30 x86_64, Amazon Linux 2
x86_64, and CentOS 7 aarch64 (arm64):

https://openresty.org/en/linux-packages.html

We will keep adding more official binary package repositories for
more Linux distributions in the future. However, we have
discontinued the maintainence of the official Apt repositories for
i386 Ubuntu systems due to the lack of interest from the community.

We also upgrade the PCRE and OpenSSL in our official Win32 and Win64
binary packages to their latest versions, 8.43 and 1.1.0k,
respectively.

Download this version here:

https://openresty.org/en/download.html

The (portable) source code distribution, the Win32/Win64 binary
distributions, and the pre-built binary Linux packages for Ubuntu,
Debian, Fedora, CentOS, RHEL, OpenSUSE, Amazon Linux are provided on
this Download page.

This is the second OpenResty release based on the nginx 1.15.8 core.

Acknowledgments
 We wish to thank the Netflix and Google security teams for their
 efforts in discovering these vulnerabilities, as well as the NGINX
 team for promptly patching them.

 Thanks Thibault Charbonnier for helping this release.

Version highlights
 *   bugfix: applied the nginx core patch for new HTTP/2 security
     advisories (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).

Full Changelog
 Complete change logs since the last (formal) release, 1.15.8.1, can
 be browsed in the page Change Log for 1.15.8.x:

  https://openresty.org/en/changelog-1015008.html

Testing
 We have run extensive testing on our Amazon EC2 test cluster and
 ensured that all the components (including the Nginx core) play well
 together. The latest test report can always be found here:

 https://qa.openresty.org/

 We also always run our OpenResty Edge commercial software based on
 the latest open source version of OpenResty in our own global CDN
 network (dubbed "mini CDN") powering our openresty.org and
 openresty.com websites. See https://openresty.com/ for more details.

Feedback
 Feedback on this release is more than welcome. Feel free to create
 new [GitHub issues](https://github.com/openresty/openresty/issues)
 or send emails to one of our mailing lists.

The Next Release
 The next release will be based on a very recent nginx 1.17.x core and is
 already near the corner. We have been working hard on this next
 release for several months now. Stay tuned!

Thanks!

Best regards,
Yichun


More information about the nginx mailing list