nginx announcements [read only]http://forum.nginx.org/list.php?27Tue, 21 May 2013 13:16:19 -0400 Phorum 5.2.16 http://forum.nginx.org/read.php?27,239130,239130#msg-239130 http://forum.nginx.org/read.php?27,239130,239130#msg-239130
A security problem related to CVE-2013-2028 was identified,
affecting some previous nginx versions if proxy_pass to
untrusted upstream HTTP servers is used.

The problem may lead to a denial of service or a disclosure of a
worker process memory on a specially crafted response from an
upstream proxied server.

The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0.

The problem is already fixed in nginx 1.5.0, 1.4.1. Version 1.2.9
was released to address the issue in the 1.2.x legacy branch.

Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028:

http://nginx.org/download/patch.2013.chunked.txt

Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8)
can be found here:

http://nginx.org/download/patch.2013.proxy.txt


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishMon, 13 May 2013 07:36:01 -0400 http://forum.nginx.org/read.php?27,239125,239125#msg-239125 http://forum.nginx.org/read.php?27,239125,239125#msg-239125
*) Security: contents of worker process memory might be sent to a client
if HTTP backend returned specially crafted response (CVE-2013-2070);
the bug had appeared in 1.1.4.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishMon, 13 May 2013 07:34:00 -0400 http://forum.nginx.org/read.php?27,238944,238944#msg-238944 http://forum.nginx.org/read.php?27,238944,238944#msg-238944
Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx. A stack-based buffer
overflow might occur in a worker process while handling a
specially crafted request, potentially resulting in arbitrary code
execution (CVE-2013-2028).

The problem affects nginx 1.3.9 - 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

Patch for the problem can be found here:

http://nginx.org/download/patch.2013.chunked.txt

As a temporary workaround the following configuration
can be used in each server{} block:

if ($http_transfer_encoding ~* chunked) {
return 444;
}


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 07 May 2013 07:32:00 -0400 http://forum.nginx.org/read.php?27,238943,238943#msg-238943 http://forum.nginx.org/read.php?27,238943,238943#msg-238943
*) Security: a stack-based buffer overflow might occur in a worker
process while handling a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2013-2028); the bug had
appeared in 1.3.9.
Thanks to Greg MacManus, iSIGHT Partners Labs.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 07 May 2013 07:32:00 -0400 http://forum.nginx.org/read.php?27,238940,238940#msg-238940 http://forum.nginx.org/read.php?27,238940,238940#msg-238940
*) Security: a stack-based buffer overflow might occur in a worker
process while handling a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2013-2028); the bug had
appeared in 1.3.9.
Thanks to Greg MacManus, iSIGHT Partners Labs.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 07 May 2013 07:30:01 -0400 http://forum.nginx.org/read.php?27,238605,238605#msg-238605 http://forum.nginx.org/read.php?27,238605,238605#msg-238605
*) Bugfix: nginx could not be built with the ngx_http_perl_module if the
--with-openssl option was used; the bug had appeared in 1.3.16.

*) Bugfix: in a request body handling in the ngx_http_perl_module; the
bug had appeared in 1.3.9.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishWed, 24 Apr 2013 10:20:00 -0400 http://forum.nginx.org/read.php?27,238409,238409#msg-238409 http://forum.nginx.org/read.php?27,238409,238409#msg-238409
*) Bugfix: a segmentation fault might occur in a worker process if
subrequests were used; the bug had appeared in 1.3.9.

*) Bugfix: the "tcp_nodelay" directive caused an error if a WebSocket
connection was proxied into a unix domain socket.

*) Bugfix: the $upstream_response_length variable has an incorrect value
"0" if buffering was not used.
Thanks to Piotr Sikora.

*) Bugfix: in the eventport and /dev/poll methods.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 16 Apr 2013 10:22:01 -0400 http://forum.nginx.org/read.php?27,238024,238024#msg-238024 http://forum.nginx.org/read.php?27,238024,238024#msg-238024
*) Bugfix: new sessions were not always stored if the "ssl_session_cache
shared" directive was used and there was no free space in shared
memory.
Thanks to Piotr Sikora.

*) Bugfix: responses might hang if subrequests were used and a DNS error
happened during subrequest processing.
Thanks to Lanshun Zhou.

*) Bugfix: in the ngx_http_mp4_module.
Thanks to Gernot Vormayr.

*) Bugfix: in backend usage accounting.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 02 Apr 2013 08:56:01 -0400 http://forum.nginx.org/read.php?27,237804,237804#msg-237804 http://forum.nginx.org/read.php?27,237804,237804#msg-237804
*) Change: opening and closing a connection without sending any data in
it is no longer logged to access_log with error code 400.

*) Feature: the ngx_http_spdy_module.
Thanks to Automattic for sponsoring this work.

*) Feature: the "limit_req_status" and "limit_conn_status" directives.
Thanks to Nick Marden.

*) Feature: the "image_filter_interlace" directive.
Thanks to Ian Babrou.

*) Feature: $connections_waiting variable in the
ngx_http_stub_status_module.

*) Feature: the mail proxy module now supports IPv6 backends.

*) Bugfix: request body might be transmitted incorrectly when retrying a
request to the next upstream server; the bug had appeared in 1.3.9.
Thanks to Piotr Sikora.

*) Bugfix: in the "client_body_in_file_only" directive; the bug had
appeared in 1.3.9.

*) Bugfix: responses might hang if subrequests were used and a DNS error
happened during subrequest processing.
Thanks to Lanshun Zhou.

*) Bugfix: in backend usage accounting.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 26 Mar 2013 09:32:00 -0400 http://forum.nginx.org/read.php?27,236956,236956#msg-236956 http://forum.nginx.org/read.php?27,236956,236956#msg-236956
*) Feature: $connections_active, $connections_reading, and
$connections_writing variables in the ngx_http_stub_status_module.

*) Feature: support of WebSocket connections in the
ngx_http_uwsgi_module and ngx_http_scgi_module.

*) Bugfix: in virtual servers handling with SNI.

*) Bugfix: new sessions were not always stored if the "ssl_session_cache
shared" directive was used and there was no free space in shared
memory.
Thanks to Piotr Sikora.

*) Bugfix: multiple X-Forwarded-For headers were handled incorrectly.
Thanks to Neal Poole for sponsoring this work.

*) Bugfix: in the ngx_http_mp4_module.
Thanks to Gernot Vormayr.


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 05 Mar 2013 09:58:00 -0500 http://forum.nginx.org/read.php?27,236338,236338#msg-236338 http://forum.nginx.org/read.php?27,236338,236338#msg-236338
*) Change: a compiler with name "cc" is now used by default.

*) Feature: support for proxying of WebSocket connections.
Thanks to Apcera and CloudBees for sponsoring this work.

*) Feature: the "auth_basic_user_file" directive supports "{SHA}"
password encryption method.
Thanks to Louis Opter.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 19 Feb 2013 10:30:00 -0500 http://forum.nginx.org/read.php?27,236142,236142#msg-236142 http://forum.nginx.org/read.php?27,236142,236142#msg-236142
*) Change: now if the "include" directive with mask is used on Unix
systems, included files are sorted in alphabetical order.

*) Change: the "add_header" directive adds headers to 201 responses.

*) Feature: the "geo" directive now supports IPv6 addresses in CIDR
notation.

*) Feature: the "flush" and "gzip" parameters of the "access_log"
directive.

*) Feature: variables support in the "auth_basic" directive.

*) Feature: the $pipe, $request_length, $time_iso8601, and $time_local
variables can now be used not only in the "log_format" directive.
Thanks to Kiril Kalchev.

*) Feature: IPv6 support in the ngx_http_geoip_module.
Thanks to Gregor Kališnik.

*) Bugfix: nginx could not be built with the ngx_http_perl_module in
some cases.

*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_xslt_module was used.

*) Bugfix: nginx could not be built on MacOSX in some cases.
Thanks to Piotr Sikora.

*) Bugfix: the "limit_rate" directive with high rates might result in
truncated responses on 32-bit platforms.
Thanks to Alexey Antropov.

*) Bugfix: a segmentation fault might occur in a worker process if the
"if" directive was used.
Thanks to Piotr Sikora.

*) Bugfix: a "100 Continue" response was issued with "413 Request Entity
Too Large" responses.

*) Bugfix: the "image_filter", "image_filter_jpeg_quality" and
"image_filter_sharpen" directives might be inherited incorrectly.
Thanks to Ian Babrou.

*) Bugfix: "crypt_r() failed" errors might appear if the "auth_basic"
directive was used on Linux.

*) Bugfix: in backup servers handling.
Thanks to Thomas Chen.

*) Bugfix: proxied HEAD requests might return incorrect response if the
"gzip" directive was used.

*) Bugfix: a segmentation fault occurred on start or during
reconfiguration if the "keepalive" directive was specified more than
once in a single upstream block.

*) Bugfix: in the "proxy_method" directive.

*) Bugfix: a segmentation fault might occur in a worker process if
resolver was used with the poll method.

*) Bugfix: nginx might hog CPU during SSL handshake with a backend if
the select, poll, or /dev/poll methods were used.

*) Bugfix: the "[crit] SSL_write() failed (SSL:)" error.

*) Bugfix: in the "fastcgi_keep_conn" directive.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 12 Feb 2013 08:58:00 -0500 http://forum.nginx.org/read.php?27,235932,235932#msg-235932 http://forum.nginx.org/read.php?27,235932,235932#msg-235932
*) Feature: variables support in the "proxy_bind", "fastcgi_bind",
"memcached_bind", "scgi_bind", and "uwsgi_bind" directives.

*) Feature: the $pipe, $request_length, $time_iso8601, and $time_local
variables can now be used not only in the "log_format" directive.
Thanks to Kiril Kalchev.

*) Feature: IPv6 support in the ngx_http_geoip_module.
Thanks to Gregor Kališnik.

*) Bugfix: in the "proxy_method" directive.

*) Bugfix: a segmentation fault might occur in a worker process if
resolver was used with the poll method.

*) Bugfix: nginx might hog CPU during SSL handshake with a backend if
the select, poll, or /dev/poll methods were used.

*) Bugfix: the "[crit] SSL_write() failed (SSL:)" error.

*) Bugfix: in the "client_body_in_file_only" directive; the bug had
appeared in 1.3.9.

*) Bugfix: in the "fastcgi_keep_conn" directive.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 05 Feb 2013 09:24:00 -0500 http://forum.nginx.org/read.php?27,234902,234902#msg-234902 http://forum.nginx.org/read.php?27,234902,234902#msg-234902
*) Bugfix: a segmentation fault might occur if logging was used; the bug
had appeared in 1.3.10.

*) Bugfix: the "proxy_pass" directive did not work with IP addresses
without port specified; the bug had appeared in 1.3.10.

*) Bugfix: a segmentation fault occurred on start or during
reconfiguration if the "keepalive" directive was specified more than
once in a single upstream block.

*) Bugfix: parameter "default" of the "geo" directive did not set
default value for IPv6 addresses.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishThu, 10 Jan 2013 08:38:00 -0500 http://forum.nginx.org/read.php?27,234422,234422#msg-234422 http://forum.nginx.org/read.php?27,234422,234422#msg-234422
*) Change: domain names specified in configuration file are now resolved
to IPv6 addresses as well as IPv4 ones.

*) Change: now if the "include" directive with mask is used on Unix
systems, included files are sorted in alphabetical order.

*) Change: the "add_header" directive adds headers to 201 responses.

*) Feature: the "geo" directive now supports IPv6 addresses in CIDR
notation.

*) Feature: the "flush" and "gzip" parameters of the "access_log"
directive.

*) Feature: variables support in the "auth_basic" directive.

*) Bugfix: nginx could not be built with the ngx_http_perl_module in
some cases.

*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_xslt_module was used.

*) Bugfix: nginx could not be built on MacOSX in some cases.
Thanks to Piotr Sikora.

*) Bugfix: the "limit_rate" directive with high rates might result in
truncated responses on 32-bit platforms.
Thanks to Alexey Antropov.

*) Bugfix: a segmentation fault might occur in a worker process if the
"if" directive was used.
Thanks to Piotr Sikora.

*) Bugfix: a "100 Continue" response was issued with "413 Request Entity
Too Large" responses.

*) Bugfix: the "image_filter", "image_filter_jpeg_quality" and
"image_filter_sharpen" directives might be inherited incorrectly.
Thanks to Ian Babrou.

*) Bugfix: "crypt_r() failed" errors might appear if the "auth_basic"
directive was used on Linux.

*) Bugfix: in backup servers handling.
Thanks to Thomas Chen.

*) Bugfix: proxied HEAD requests might return incorrect response if the
"gzip" directive was used.


Merry Christmas!


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 25 Dec 2012 09:48:01 -0500 http://forum.nginx.org/read.php?27,233874,233874#msg-233874 http://forum.nginx.org/read.php?27,233874,233874#msg-233874
*) Feature: the $request_time and $msec variables can now be used not
only in the "log_format" directive.

*) Bugfix: cache manager and cache loader processes might not be able to
start if more than 512 listen sockets were used.

*) Bugfix: in the ngx_http_dav_module.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 11 Dec 2012 10:04:00 -0500 http://forum.nginx.org/read.php?27,233270,233270#msg-233270 http://forum.nginx.org/read.php?27,233270,233270#msg-233270
*) Feature: support for chunked transfer encoding while reading client
request body.

*) Feature: the $request_time and $msec variables can now be used not
only in the "log_format" directive.

*) Bugfix: cache manager and cache loader processes might not be able to
start if more than 512 listen sockets were used.

*) Bugfix: in the ngx_http_dav_module.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 27 Nov 2012 09:28:01 -0500 http://forum.nginx.org/read.php?27,232768,232768#msg-232768 http://forum.nginx.org/read.php?27,232768,232768#msg-232768
*) Feature: the "optional_no_ca" parameter of the "ssl_verify_client"
directive.
Thanks to Mike Kazantsev and Eric O'Connor.

*) Feature: the $bytes_sent, $connection, and $connection_requests
variables can now be used not only in the "log_format" directive.
Thanks to Benjamin Grössing.

*) Feature: resolver now randomly rotates addresses returned from cache.
Thanks to Anton Jouline.

*) Feature: the "auto" parameter of the "worker_processes" directive.

*) Bugfix: "cache file ... has md5 collision" alert.

*) Bugfix: OpenSSL 0.9.7 compatibility.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 13 Nov 2012 08:58:00 -0500 http://forum.nginx.org/read.php?27,232377,232377#msg-232377 http://forum.nginx.org/read.php?27,232377,232377#msg-232377
*) Feature: the "optional_no_ca" parameter of the "ssl_verify_client"
directive.
Thanks to Mike Kazantsev and Eric O'Connor.

*) Feature: the $bytes_sent, $connection, and $connection_requests
variables can now be used not only in the "log_format" directive.
Thanks to Benjamin Grössing.

*) Feature: the "auto" parameter of the "worker_processes" directive.

*) Bugfix: "cache file ... has md5 collision" alert.

*) Bugfix: in the ngx_http_gunzip_filter_module.

*) Bugfix: in the "ssl_stapling" directive.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 30 Oct 2012 10:10:00 -0400 http://forum.nginx.org/read.php?27,231320,231320#msg-231320 http://forum.nginx.org/read.php?27,231320,231320#msg-231320
*) Feature: OCSP stapling support.
Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work.

*) Feature: the "ssl_trusted_certificate" directive.

*) Feature: resolver now randomly rotates addresses returned from cache.
Thanks to Anton Jouline.

*) Bugfix: OpenSSL 0.9.7 compatibility.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 02 Oct 2012 10:00:00 -0400 http://forum.nginx.org/read.php?27,231041,231041#msg-231041 http://forum.nginx.org/read.php?27,231041,231041#msg-231041
*) Bugfix: in the "limit_req" directive; the bug had appeared in 1.1.14.
Thanks to Charles Chen.

*) Bugfix: nginx could not be built by gcc 4.7 with -O2 optimization if
the --with-ipv6 option was used.

*) Bugfix: a segmentation fault might occur in a worker process if the
"map" directive was used with variables as values.

*) Bugfix: a segmentation fault might occur in a worker process if the
"geo" directive was used with the "ranges" parameter but without the
"default" parameter; the bug had appeared in 0.8.43.
Thanks to Zhen Chen and Weibin Yao.

*) Bugfix: in the -p command-line parameter handling.

*) Bugfix: in the mail proxy server.

*) Bugfix: of minor potential bugs.
Thanks to Coverity.

*) Bugfix: nginx/Windows could not be built with Visual Studio 2005
Express.
Thanks to HAYASHI Kentaro.


--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 25 Sep 2012 10:06:00 -0400 http://forum.nginx.org/read.php?27,230663,230663#msg-230663 http://forum.nginx.org/read.php?27,230663,230663#msg-230663
*) Feature: the ngx_http_gunzip_filter_module.

*) Feature: the "memcached_gzip_flag" directive.

*) Feature: the "always" parameter of the "gzip_static" directive.

*) Bugfix: in the "limit_req" directive; the bug had appeared in 1.1.14.
Thanks to Charles Chen.

*) Bugfix: nginx could not be built by gcc 4.7 with -O2 optimization if
the --with-ipv6 option was used.


Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishWed, 12 Sep 2012 07:08:00 -0400 http://forum.nginx.org/read.php?27,229952,229952#msg-229952 http://forum.nginx.org/read.php?27,229952,229952#msg-229952
*) Change: the ngx_http_mp4_module module no longer skips tracks in
formats other than H.264 and AAC.

*) Bugfix: a segmentation fault might occur in a worker process if the
"map" directive was used with variables as values.

*) Bugfix: a segmentation fault might occur in a worker process if the
"geo" directive was used with the "ranges" parameter but without the
"default" parameter; the bug had appeared in 0.8.43.
Thanks to Zhen Chen and Weibin Yao.

*) Bugfix: in the -p command-line parameter handling.

*) Bugfix: in the mail proxy server.

*) Bugfix: of minor potential bugs.
Thanks to Coverity.

*) Bugfix: nginx/Windows could not be built with Visual Studio 2005
Express.
Thanks to HAYASHI Kentaro.


Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 21 Aug 2012 09:30:00 -0400 http://forum.nginx.org/read.php?27,229386,229386#msg-229386 http://forum.nginx.org/read.php?27,229386,229386#msg-229386
*) Feature: the Clang compiler support.

*) Bugfix: extra listening sockets might be created.
Thanks to Roman Odaisky.

*) Bugfix: nginx/Windows might hog CPU if a worker process failed to
start.
Thanks to Ricardo Villalobos Guevara.

*) Bugfix: the "proxy_pass_header", "fastcgi_pass_header",
"scgi_pass_header", "uwsgi_pass_header", "proxy_hide_header",
"fastcgi_hide_header", "scgi_hide_header", and "uwsgi_hide_header"
directives might be inherited incorrectly.

*) Bugfix: trailing dot in a source value was not ignored if the "map"
directive was used with the "hostnames" parameter.

*) Bugfix: incorrect location might be used to process a request if a
URI was changed via a "rewrite" directive before an internal redirect
to a named location.


Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 07 Aug 2012 08:54:00 -0400 http://forum.nginx.org/read.php?27,229138,229138#msg-229138 http://forum.nginx.org/read.php?27,229138,229138#msg-229138
*) Change: the "ipv6only" parameter is now turned on by default for
listening IPv6 sockets.

*) Feature: the Clang compiler support.

*) Bugfix: extra listening sockets might be created.
Thanks to Roman Odaisky.

*) Bugfix: nginx/Windows might hog CPU if a worker process failed to
start.
Thanks to Ricardo Villalobos Guevara.

*) Bugfix: the "proxy_pass_header", "fastcgi_pass_header",
"scgi_pass_header", "uwsgi_pass_header", "proxy_hide_header",
"fastcgi_hide_header", "scgi_hide_header", and "uwsgi_hide_header"
directives might be inherited incorrectly.

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Ruslan Ermilov Nginx Announcements - EnglishTue, 31 Jul 2012 09:10:00 -0400 http://forum.nginx.org/read.php?27,228474,228474#msg-228474 http://forum.nginx.org/read.php?27,228474,228474#msg-228474
*) Feature: entity tags support and the "etag" directive.

*) Bugfix: trailing dot in a source value was not ignored if the "map"
directive was used with the "hostnames" parameter.

*) Bugfix: incorrect location might be used to process a request if a
URI was changed via a "rewrite" directive before an internal redirect
to a named location.


Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 10 Jul 2012 08:38:00 -0400 http://forum.nginx.org/read.php?27,228232,228232#msg-228232 http://forum.nginx.org/read.php?27,228232,228232#msg-228232
*) Change: the "single" parameter of the "keepalive" directive is now
ignored.

*) Change: SSL compression is now disabled when using all versions of
OpenSSL, including ones prior to 1.0.0.

*) Feature: the "proxy_pass", "fastcgi_pass", "scgi_pass", "uwsgi_pass"
directives, and the "server" directive inside the "upstream" block,
now support IPv6 addresses.

*) Feature: the "resolver" directive now supports IPv6 addresses and an
optional port specification.

*) Feature: the "least_conn" directive inside the "upstream" block.

*) Feature: it is now possible to specify a weight for servers while
using the "ip_hash" directive.

*) Feature: it is now possible to use the "ip_hash" directive to balance
IPv6 clients.

*) Feature: the $status variable can now be used not only in the
"log_format" directive.

*) Bugfix: nginx could not be built with ngx_cpp_test_module; the bug
had appeared in 1.1.12.

*) Bugfix: access to variables from SSI and embedded perl module might
not work after reconfiguration.
Thanks to Yichun Zhang.

*) Bugfix: in the ngx_http_xslt_filter_module.
Thanks to Kuramoto Eiji.

*) Bugfix: memory leak if $geoip_org variable was used.
Thanks to Denis F. Latypoff.

*) Bugfix: in the "proxy_cookie_domain" and "proxy_cookie_path"
directives.

*) Bugfix: a segmentation fault might occur in a worker process on
shutdown if the "resolver" directive was used.

*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used.

*) Bugfix: in the ngx_http_mp4_module.

*) Bugfix: a segmentation fault might occur in a worker process if
conflicting wildcard server names were used.

*) Bugfix: nginx might be terminated abnormally on a SIGBUS signal on
ARM platform.

*) Bugfix: an alert "sendmsg() failed (9: Bad file number)" on HP-UX
while reconfiguration.


Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 03 Jul 2012 07:20:00 -0400 http://forum.nginx.org/read.php?27,227933,227933#msg-227933 http://forum.nginx.org/read.php?27,227933,227933#msg-227933
*) Change: the "single" parameter of the "keepalive" directive is now
ignored.

*) Change: SSL compression is now disabled when using all versions of
OpenSSL, including ones prior to 1.0.0.

*) Feature: it is now possible to use the "ip_hash" directive to balance
IPv6 clients.

*) Feature: the $status variable can now be used not only in the
"log_format" directive.

*) Bugfix: a segmentation fault might occur in a worker process on
shutdown if the "resolver" directive was used.

*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used.

*) Bugfix: in the ngx_http_mp4_module.

*) Bugfix: a segmentation fault might occur in a worker process if
conflicting wildcard server names were used.

*) Bugfix: nginx might be terminated abnormally on a SIGBUS signal on
ARM platform.

*) Bugfix: an alert "sendmsg() failed (9: Bad file number)" on HP-UX
while reconfiguration.


Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 26 Jun 2012 10:02:01 -0400 http://forum.nginx.org/read.php?27,227216,227216#msg-227216 http://forum.nginx.org/read.php?27,227216,227216#msg-227216
Vladimir Kochetkov, Positive Research Center, discovered a
security problem in nginx/Windows, which might allow security
restrictions bypass (CVE-2011-4963).

There are many ways to access the same file when working under
Windows, and nginx failed to account for all of them. As a
result, it was possible to bypass security restrictions like

location /directory/ {
deny all;
}

by requesting a file as "/directory::$index_allocation/file", or
"/directory:$i30:$index_allocation/file", or "/directory./file".

The problem is fixed in nginx/Windows 1.3.1, 1.2.1.

For older versions the following configuration can be used as a
workaround:

location ~ "(\./|:\$)" {
deny all;
}

Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 05 Jun 2012 10:34:00 -0400 http://forum.nginx.org/read.php?27,227209,227209#msg-227209 http://forum.nginx.org/read.php?27,227209,227209#msg-227209
*) Security: now nginx/Windows ignores trailing dot in URI path
component, and does not allow URIs with ":$" in it.
Thanks to Vladimir Kochetkov, Positive Research Center.

*) Feature: the "debug_connection" directive now supports IPv6 addresses
and the "unix:" parameter.

*) Feature: the "set_real_ip_from" directive and the "proxy" parameter
of the "geo" directive now support IPv6 addresses.

*) Feature: the "real_ip_recursive", "geoip_proxy", and
"geoip_proxy_recursive" directives.

*) Feature: the "proxy_recursive" parameter of the "geo" directive.

*) Bugfix: a segmentation fault might occur in a worker process if the
"resolver" directive was used.

*) Bugfix: a segmentation fault might occur in a worker process if the
"fastcgi_pass", "scgi_pass", or "uwsgi_pass" directives were used and
backend returned incorrect response.

*) Bugfix: a segmentation fault might occur in a worker process if the
"rewrite" directive was used and new request arguments in a
replacement used variables.

*) Bugfix: nginx might hog CPU if the open file resource limit was
reached.

*) Bugfix: nginx might loop infinitely over backends if the
"proxy_next_upstream" directive with the "http_404" parameter was
used and there were backup servers specified in an upstream block.

*) Bugfix: adding the "down" parameter of the "server" directive might
cause unneeded client redistribution among backend servers if the
"ip_hash" directive was used.

*) Bugfix: socket leak.
Thanks to Yichun Zhang.

*) Bugfix: in the ngx_http_fastcgi_module.


Maxim Dounin

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce]]> Maxim Dounin Nginx Announcements - EnglishTue, 05 Jun 2012 10:32:00 -0400