Changes with nginx 1.4.5                                         11 Feb 2014

    *) Bugfix: the $ssl_session_id variable contained full session serialized instead of just a session id.
       Thanks to Ivan Ristić.

    *) Bugfix: client connections might be immediately closed if deferred accept was used; the bug had appeared in 1.3.15.

    *) Bugfix: alerts "zero size buf in output" might appear in logs while proxying; the bug had appeared in 1.3.9.

    *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used.

    *) Bugfix: proxied WebSocket connections might hang right after handshake if the select, poll, or /dev/poll methods were used.

    *) Bugfix: a timeout might occur while reading client request body in an SSL connection using chunked transfer encoding.

    *) Bugfix: memory leak in nginx/Windows.

Changes with nginx 1.4.6                                         04 Mar 2014

    *) Bugfix: the "client_max_body_size" directive might not work when reading a request body using chunked transfer encoding; the bug had appeared in 1.3.9.
       Thanks to Lucas Molas.

    *) Bugfix: a segmentation fault might occur in a worker process when proxying WebSocket connections.
See bug 503528. I will run through the ebuilds today and see if we have any modules needing updates.
The patch we carry for http_upstream_check added for 1.5.10 now breaks (testing 1.5.11). I'm not sure how long we should carry an out-of-date patch since upstream hasn't been active for ~6 months.
> Summary: www-servers/nginx-1.4.6 version bump → www-servers/nginx-1.{4.6,5.11} version bump

This syntax makes searching harder and does not avoid duplicates.
@Agostino: Good points. I basically did it because "it's been done before", which in itself is a pretty bad argument. I'll have this in mind moving forward.
Created attachment 371912 [details, diff] upstream-check-1.5.11.patch Re-baked upstream_check patch. Work by Tiziano Müller.
Created attachment 371914 [details] nginx-1.5.11.ebuild Verbump to 1.5.11. For changes and discussion, see https://gist.github.com/jbergstroem/9384885 (not really relevant which is why I left it out of bugzilla)
Created attachment 371922 [details] nginx-1.4.6.ebuild See comments here: https://gist.github.com/jbergstroem/9401337 Please test this and 1.5.11.
Created attachment 372234 [details] nginx-1.5.11.ebuild Updated ebuild. Adds the sticky upstream module (suggestion on better use flag name?) -- https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/. There's currently a floating patch that allows the upstream_check module use the sticky module which sounds like a good combination to me. Upstream is looking into it: https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/issue/3/patch-to-allow I've also added the ajp module, but it fails to build against 1.5.11. Upstream bug here: https://github.com/yaoweibin/nginx_ajp_module/issues/22
Created attachment 372538 [details] nginx-1.5.11.ebuild Updated ebuild for nginx 1.5.11. This fixes build issues with the ajp module (newer version upstream). Please test/commit to tree.
SPDY heap buffer overflow
Severity: major
CVE-2014-0133
Not vulnerable: 1.5.12+, 1.4.7+
Vulnerable: 1.3.15-1.5.11
http://nginx.org/en/security_advisories.html?1.5.12
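The advisory above gives two fixed branches (1.4.7+ and 1.5.12+) inside one vulnerable range (1.3.15-1.5.11), so a naive "is it older than 1.5.12" check wrongly flags a patched 1.4.7. The following is an added example, not code from this bug thread or from the nginx project: it parses the version and configure arguments out of `nginx -V` output (a constructed sample is embedded) and applies the per-branch fix versions. It assumes the overflow only matters when ngx_http_spdy_module was compiled in via `--with-http_spdy_module`, which is not built by default; whether SPDY is actually enabled on a `listen` socket is not inspected here and remains a separate question.

```python
"""Check nginx version / build flags against the CVE-2014-0133 affected range.

Added example for the Gentoo nginx bump thread; not part of nginx or the
Gentoo ebuilds. Ranges come from the advisory quoted in the thread:
vulnerable 1.3.15 - 1.5.11, not vulnerable 1.4.7+ and 1.5.12+.
"""
import re

VULN_LOW = (1, 3, 15)
VULN_HIGH = (1, 5, 11)
# First fixed release on each affected branch, keyed by minor version.
# The 1.3.x branch never received a fix (it was superseded), so it is absent.
BRANCH_FIX = {4: (1, 4, 7), 5: (1, 5, 12)}

# Constructed sample of `nginx -V` output (nginx prints it on stderr).
SAMPLE_V = (
    "nginx version: nginx/1.5.11\n"
    "built by gcc 4.7.3 (Gentoo 4.7.3-r1 p1.4, pie-0.5.5)\n"
    "TLS SNI support enabled\n"
    "configure arguments: --prefix=/usr --with-http_ssl_module "
    "--with-http_spdy_module --with-http_stub_status_module\n"
)


def parse_version(text):
    """Return (major, minor, patch) from the 'nginx/x.y.z' token in -v/-V output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version string found")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(v):
    """True if v lies in 1.3.15..1.5.11 and is below its branch's fix version.

    The per-branch table is what makes 1.4.7 come out as not affected even
    though it sorts below 1.5.12.
    """
    if not (VULN_LOW <= v <= VULN_HIGH):
        return False
    fix = BRANCH_FIX.get(v[1]) if v[0] == 1 else None
    if fix is not None and v >= fix:
        return False
    return True


def spdy_compiled_in(nginx_v_output):
    """The bug is in ngx_http_spdy_module, only built with --with-http_spdy_module.

    Assumption: the configure-arguments line is the only signal checked.
    """
    return "--with-http_spdy_module" in nginx_v_output


def assess(nginx_v_output):
    """Combine the version and build-flag checks into a verdict string."""
    v = parse_version(nginx_v_output)
    if not version_in_affected_range(v):
        return "not affected (version)"
    if not spdy_compiled_in(nginx_v_output):
        return "affected version, but SPDY module not compiled in"
    return "VULNERABLE: upgrade to 1.4.7+ or 1.5.12+"


if __name__ == "__main__":
    # On a real host: assess(subprocess.run(["nginx", "-V"], capture_output=True,
    #                                       text=True).stderr)
    print(assess(SAMPLE_V))
```

Note that `nginx -V` writes to stderr, so feed `stderr`, not `stdout`, into `assess()` when running it against a live host.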
@Manuel: Thanks for being quick re the bump. We have a slightly different procedure when it comes to security bugs. I just created this: bug 505018.
Probably not the right place to discuss, but I feel that it is outside of the security scope of nginx -- Tiziano, should we rather do 1.4.4-r1 with the patch since 1.4.7 will contain a fair amount of changes? That way we can stable -r1 at once and introduce 1.4.7/1.5.12 with above ebuilds.
Created attachment 373164 [details] nginx-1.5.11.ebuild Replaced the nginx 1.5.11 ebuild; updated 3rd party modules.
Created attachment 373166 [details] nginx-1.5.12.ebuild While at it, rename to 1.5.12. No other changes.
Oh yeah, for 1.5.12 you need to rename the upstream patch.
nginx-1.4.7 is now in the tree, 1.5.12 follows...
(In reply to Tiziano Müller from comment #17)
> nginx-1.4.7 is now in the tree, 1.5.12 follows...

ping for 1.5.12 :)
Changes with nginx 1.5.13                                        08 Apr 2014

    *) Change: improved hash table handling; the default values of the "variables_hash_max_size" and "types_hash_bucket_size" were changed to 1024 and 64 respectively.

    *) Feature: the ngx_http_mp4_module now supports the "end" argument.

    *) Feature: byte ranges support in the ngx_http_mp4_module and while saving responses to cache.

    *) Bugfix: alerts "ngx_slab_alloc() failed: no memory" no longer logged when using shared memory in the "ssl_session_cache" directive and in the ngx_http_limit_req_module.

    *) Bugfix: the "underscores_in_headers" directive did not allow underscore as a first character of a header.
       Thanks to Piotr Sikora.

    *) Bugfix: cache manager might hog CPU on exit in nginx/Windows.

    *) Bugfix: nginx/Windows terminated abnormally if the "ssl_session_cache" directive was used with the "shared" parameter.

    *) Bugfix: in the ngx_http_spdy_module.
Created attachment 374646 [details] nginx-1.5.13.ebuild Attaching updated ebuild for nginx-1.5.13. A few module updates and fixes for bug 506804, bug 506690. As with previous, rename the upstream-check patch since we use ${PN}. We should backport the bug fixes for 1.4.x as well (libcap dep and move modsecurity configure). Perhaps with the next version bump?
Done. thanks for all your work, Johan!