---
- branch: MAIN
  date: Wed Oct 19 14:10:25 UTC 2022
  files:
  - new: '1.91'
    old: '1.90'
    path: pkgsrc/www/nginx-devel/Makefile
    pathrev: pkgsrc/www/nginx-devel/Makefile@1.91
    type: modified
  - new: '1.85'
    old: '1.84'
    path: pkgsrc/www/nginx-devel/distinfo
    pathrev: pkgsrc/www/nginx-devel/distinfo@1.85
    type: modified
  id: 20221019T141025Z.60059ffb6cadaf29e36c72dfd91ee3be27a661b2
  log: |
    www/nginx-devel: security update 1.23.1 -> 1.23.2

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module might cause a worker process crash, worker
       process memory disclosure, or might have potential other impact
       (CVE-2022-41741, CVE-2022-41742).

    *) Feature: the "$proxy_protocol_tlv_..." variables.

    *) Feature: TLS session tickets encryption keys are now automatically
       rotated when using shared memory in the "ssl_session_cache"
       directive.

    *) Change: the logging level of the "bad record type" SSL errors has
       been lowered from "crit" to "info".
       Thanks to Murilo Andrade.

    *) Change: now when using shared memory in the "ssl_session_cache"
       directive the "could not allocate new session" errors are logged at
       the "warn" level instead of "alert" and not more often than once per
       second.

    *) Bugfix: nginx/Windows could not be built with OpenSSL 3.0.x.

    *) Bugfix: in logging of the PROXY protocol errors.
       Thanks to Sergey Brester.

    *) Workaround: shared memory from the "ssl_session_cache" directive was
       spent on sessions using TLS session tickets when using TLSv1.3 with
       OpenSSL.

    *) Workaround: timeout specified with the "ssl_session_timeout"
       directive did not work when using TLSv1.3 with OpenSSL or BoringSSL.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/nginx-devel'
  unixtime: '1666188625'
  user: osa