List: ipfire-development
Subject: Re: [PATCH] nginx: Update to version 1.21.6
From: Peter Müller <peter.mueller () ipfire ! org>
Date: 2022-04-30 8:51:38
Message-ID: c858a8ad-e5a9-7106-1d00-c4fddfe7b4d1 () ipfire ! org
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
> - Update from version 1.19.2 to 1.21.6
> - Update of rootfile not required
> - Changelog
> Changes with nginx 1.21.6 25 Jan 2022
> *) Bugfix: when using EPOLLEXCLUSIVE on Linux client connections were
> unevenly distributed among worker processes.
> *) Bugfix: nginx returned the "Connection: keep-alive" header line in
> responses during graceful shutdown of old worker processes.
> *) Bugfix: in the "ssl_session_ticket_key" when using TLSv1.3.
> Changes with nginx 1.21.5
> *) Change: now nginx is built with the PCRE2 library by default.
> *) Change: now nginx always uses sendfile(SF_NODISKIO) on FreeBSD.
> *) Feature: support for sendfile(SF_NOCACHE) on FreeBSD.
> *) Feature: the $ssl_curve variable.
> *) Bugfix: connections might hang when using HTTP/2 without SSL with the
> "sendfile" and "aio" directives.
> Changes with nginx 1.21.4
> *) Change: support for NPN instead of ALPN to establish HTTP/2
> connections has been removed.
> *) Change: now nginx rejects SSL connections if ALPN is used by the
> client, but no supported protocols can be negotiated.
> *) Change: the default value of the "sendfile_max_chunk" directive was
> changed to 2 megabytes.
> *) Feature: the "proxy_half_close" directive in the stream module.
> *) Feature: the "ssl_alpn" directive in the stream module.
> *) Feature: the $ssl_alpn_protocol variable.
> *) Feature: support for SSL_sendfile() when using OpenSSL 3.0.
> *) Feature: the "mp4_start_key_frame" directive in the
> ngx_http_mp4_module.
> Thanks to Tracey Jaquith.
> *) Bugfix: in the $content_length variable when using chunked transfer
> encoding.
> *) Bugfix: after receiving a response with incorrect length from a
> proxied backend nginx might nevertheless cache the connection.
> Thanks to Awdhesh Mathpal.
> *) Bugfix: invalid headers from backends were logged at the "info" level
> instead of "error"; the bug had appeared in 1.21.1.
> *) Bugfix: requests might hang when using HTTP/2 and the "aio_write"
> directive.
> Changes with nginx 1.21.3
> *) Change: optimization of client request body reading when using
> HTTP/2.
> *) Bugfix: in request body filters internal API when using HTTP/2 and
> buffering of the data being processed.
> Changes with nginx 1.21.2
> *) Change: now nginx rejects HTTP/1.0 requests with the
> "Transfer-Encoding" header line.
> *) Change: export ciphers are no longer supported.
> *) Feature: OpenSSL 3.0 compatibility.
> *) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines
> are now passed to the mail proxy authentication server.
> Thanks to Rob Mueller.
> *) Feature: request body filters API now permits buffering of the data
> being processed.
> *) Bugfix: backend SSL connections in the stream module might hang after
> an SSL handshake.
> *) Bugfix: the security level, which is available in OpenSSL 1.1.0 or
> newer, did not affect loading of the server certificates when set
> with "@SECLEVEL=N" in the "ssl_ciphers" directive.
> *) Bugfix: SSL connections with gRPC backends might hang if select,
> poll, or /dev/poll methods were used.
> *) Bugfix: when using HTTP/2 client request body was always written to
> disk if the "Content-Length" header line was not present in the
> request.
> Changes with nginx 1.21.1
> *) Change: now nginx always returns an error for the CONNECT method.
> *) Change: now nginx always returns an error if both "Content-Length"
> and "Transfer-Encoding" header lines are present in the request.
> *) Change: now nginx always returns an error if spaces or control
> characters are used in the request line.
> *) Change: now nginx always returns an error if spaces or control
> characters are used in a header name.
> *) Change: now nginx always returns an error if spaces or control
> characters are used in the "Host" request header line.
> *) Change: optimization of configuration testing when using many
> listening sockets.
> *) Bugfix: nginx did not escape """, "<", ">", "\", "^", "`", "{", "|",
> and "}" characters when proxying with changed URI.
> *) Bugfix: SSL variables might be empty when used in logs; the bug had
> appeared in 1.19.5.
> *) Bugfix: keepalive connections with gRPC backends might not be closed
> after receiving a GOAWAY frame.
> *) Bugfix: reduced memory consumption for long-lived requests when
> proxying with more than 64 buffers.
> Changes with nginx 1.21.0
> *) Security: 1-byte memory overwrite might occur during DNS server
> response processing if the "resolver" directive was used, allowing an
> attacker who is able to forge UDP packets from the DNS server to
> cause worker process crash or, potentially, arbitrary code execution
> (CVE-2021-23017).
> *) Feature: variables support in the "proxy_ssl_certificate",
> "proxy_ssl_certificate_key" "grpc_ssl_certificate",
> "grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and
> "uwsgi_ssl_certificate_key" directives.
> *) Feature: the "max_errors" directive in the mail proxy module.
> *) Feature: the mail proxy module supports POP3 and IMAP pipelining.
> *) Feature: the "fastopen" parameter of the "listen" directive in the
> stream module.
> Thanks to Anbang Wen.
> *) Bugfix: special characters were not escaped during automatic redirect
> with appended trailing slash.
> *) Bugfix: connections with clients in the mail proxy module might be
> closed unexpectedly when using SMTP pipelining.
> Changes with nginx 1.19.10
> *) Change: the default value of the "keepalive_requests" directive was
> changed to 1000.
> *) Feature: the "keepalive_time" directive.
> *) Feature: the $connection_time variable.
> *) Workaround: "gzip filter failed to use preallocated memory" alerts
> appeared in logs when using zlib-ng.
> Changes with nginx 1.19.9
> *) Bugfix: nginx could not be built with the mail proxy module, but
> without the ngx_mail_ssl_module; the bug had appeared in 1.19.8.
> *) Bugfix: "upstream sent response body larger than indicated content
> length" errors might occur when working with gRPC backends; the bug
> had appeared in 1.19.1.
> *) Bugfix: nginx might not close a connection till keepalive timeout
> expiration if the connection was closed by the client while
> discarding the request body.
> *) Bugfix: nginx might not detect that a connection was already closed
> by the client when waiting for auth_delay or limit_req delay, or when
> working with backends.
> *) Bugfix: in the eventport method.
> Changes with nginx 1.19.8
> *) Feature: flags in the "proxy_cookie_flags" directive can now contain
> variables.
> *) Feature: the "proxy_protocol" parameter of the "listen" directive,
> the "proxy_protocol" and "set_real_ip_from" directives in mail proxy.
> *) Bugfix: HTTP/2 connections were immediately closed when using
> "keepalive_timeout 0"; the bug had appeared in 1.19.7.
> *) Bugfix: some errors were logged as unknown if nginx was built with
> glibc 2.32.
> *) Bugfix: in the eventport method.
> Changes with nginx 1.19.7
> *) Change: connections handling in HTTP/2 has been changed to better
> match HTTP/1.x; the "http2_recv_timeout", "http2_idle_timeout", and
> "http2_max_requests" directives have been removed, the
> "keepalive_timeout" and "keepalive_requests" directives should be
> used instead.
> *) Change: the "http2_max_field_size" and "http2_max_header_size"
> directives have been removed, the "large_client_header_buffers"
> directive should be used instead.
> *) Feature: now, if free worker connections are exhausted, nginx starts
> closing not only keepalive connections, but also connections in
> lingering close.
> *) Bugfix: "zero size buf in output" alerts might appear in logs if an
> upstream server returned an incorrect response during unbuffered
> proxying; the bug had appeared in 1.19.1.
> *) Bugfix: HEAD requests were handled incorrectly if the "return"
> directive was used with the "image_filter" or "xslt_stylesheet"
> directives.
> *) Bugfix: in the "add_trailer" directive.
> Changes with nginx 1.19.6
> *) Bugfix: "no live upstreams" errors if a "server" inside "upstream"
> block was marked as "down".
> *) Bugfix: a segmentation fault might occur in a worker process if HTTPS
> was used; the bug had appeared in 1.19.5.
> *) Bugfix: nginx returned the 400 response on requests like
> "GET http://example.com?args HTTP/1.0".
> *) Bugfix: in the ngx_http_flv_module and ngx_http_mp4_module.
> Thanks to Chris Newton.
> Changes with nginx 1.19.5
> *) Feature: the -e switch.
> *) Feature: the same source files can now be specified in different
> modules while building addon modules.
> *) Bugfix: SSL shutdown did not work when lingering close was used.
> *) Bugfix: "upstream sent frame for closed stream" errors might occur
> when working with gRPC backends.
> *) Bugfix: in request body filters internal API.
> Changes with nginx 1.19.4
> *) Feature: the "ssl_conf_command", "proxy_ssl_conf_command",
> "grpc_ssl_conf_command", and "uwsgi_ssl_conf_command" directives.
> *) Feature: the "ssl_reject_handshake" directive.
> *) Feature: the "proxy_smtp_auth" directive in mail proxy.
> Changes with nginx 1.19.3
> *) Feature: the ngx_stream_set_module.
> *) Feature: the "proxy_cookie_flags" directive.
> *) Feature: the "userid_flags" directive.
> *) Bugfix: the "stale-if-error" cache control extension was erroneously
> applied if backend returned a response with status code 500, 502,
> 503, 504, 403, 404, or 429.
> *) Bugfix: "[crit] cache file ... has too long header" messages might
> appear in logs if caching was used and the backend returned responses
> with the "Vary" header line.
> *) Workaround: "[crit] SSL_write() failed" messages might appear in logs
> when using OpenSSL 1.1.1.
> *) Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages
> might appear in logs; the bug had appeared in 1.19.2.
> *) Bugfix: a segmentation fault might occur in a worker process when
> using HTTP/2 if errors with code 400 were redirected to a proxied
> location using the "error_page" directive.
> *) Bugfix: socket leak when using HTTP/2 and subrequests in the njs
> module.
>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> lfs/nginx | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lfs/nginx b/lfs/nginx
> index a624ca44e..994ede775 100644
> --- a/lfs/nginx
> +++ b/lfs/nginx
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
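Review bot: the copyright line in this hunk goes backwards, replacing `2007-2022` with `2007-2020`, which suggests the patch was generated against a stale copy of lfs/nginx rather than the current tree. Keep `# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org>` and drop this hunk, then re-check that the remaining hunks still apply cleanly against the current file.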
> @@ -25,7 +25,7 @@
> include Config
>
> SUMMARY = A HTTP server and IMAP/POP3 proxy server
> -VER = 1.20.2
> +VER = 1.21.6
>
> THISAPP = nginx-$(VER)
> DL_FILE = $(THISAPP).tar.gz
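Review bot: the commit message says "Update from version 1.19.2 to 1.21.6", but this hunk removes `VER = 1.20.2`, so the version actually being replaced is 1.20.2, not 1.19.2. Please correct the commit message so it matches the file, and make sure the changelog quoted in it covers the changes relative to the version really being replaced.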
> @@ -47,7 +47,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = \
> dc2fb9e7316ccac433c1f06c59d2738358c16194fe0ece80f54d145e2c4e3c3a8d6ebc4badb97580a000d721197a865bcc8c94a4d671af94be4bc3181974c586
> +$(DL_FILE)_BLAKE2 = \
> 815d035df33bd947eec41a2f5c993d1f179aa0bd4d069280916aa089a2f96fd3bada7a7192b4a0ef7b8f43036f3a2def0e93d8c8f720dd7145a5d55ea058652f
>
> install : $(TARGET)
>