Update to latest stable. Resolves CVE-2014-3616. From CHANGELOG:
Changes with nginx 1.8.0 21 Apr 2015
*) 1.8.x stable branch.
Changes with nginx 1.7.12 07 Apr 2015
*) Feature: now the "tcp_nodelay" directive works with backend SSL
connections.
*) Feature: now thread pools can be used to read cache file headers.
*) Bugfix: in the "proxy_request_buffering" directive.
*) Bugfix: a segmentation fault might occur in a worker process when
using thread pools on Linux.
*) Bugfix: in error handling when using the "ssl_stapling" directive.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.7.11 24 Mar 2015
*) Change: the "sendfile" parameter of the "aio" directive is
deprecated; now nginx automatically uses AIO to pre-load data for
sendfile if both "aio" and "sendfile" directives are used.
*) Feature: experimental thread pools support.
*) Feature: the "proxy_request_buffering", "fastcgi_request_buffering",
"scgi_request_buffering", and "uwsgi_request_buffering" directives.
*) Feature: request body filters experimental API.
*) Feature: client SSL certificates support in mail proxy.
*) Feature: startup speedup when using the "hash ... consistent"
directive in the upstream block.
*) Feature: debug logging into a cyclic memory buffer.
*) Bugfix: in hash table handling.
*) Bugfix: in the "proxy_cache_revalidate" directive.
*) Bugfix: SSL connections might hang if deferred accept or the
"proxy_protocol" parameter of the "listen" directive were used.
*) Bugfix: the $upstream_response_time variable might contain a wrong
value if the "image_filter" directive was used.
*) Bugfix: in integer overflow handling.
*) Bugfix: it was not possible to enable SSLv3 with LibreSSL.
*) Bugfix: the "ignoring stale global SSL error ... called a function
you should not call" alerts appeared in logs when using LibreSSL.
*) Bugfix: certificates specified by the "ssl_client_certificate" and
"ssl_trusted_certificate" directives were inadvertently used to
automatically construct certificate chains.
Changes with nginx 1.7.10 10 Feb 2015
*) Feature: the "use_temp_path" parameter of the "proxy_cache_path",
"fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path"
directives.
*) Feature: the $upstream_header_time variable.
*) Workaround: now on disk overflow nginx tries to write error logs once
a second only.
*) Bugfix: the "try_files" directive did not ignore normal files while
testing directories.
*) Bugfix: alerts "sendfile() failed" if the "sendfile" directive was
used on OS X; the bug had appeared in 1.7.8.
*) Bugfix: alerts "sem_post() failed" might appear in logs.
*) Bugfix: nginx could not be built with musl libc.
*) Bugfix: nginx could not be built on Tru64 UNIX.
Changes with nginx 1.7.9 23 Dec 2014
*) Feature: variables support in the "proxy_cache", "fastcgi_cache",
"scgi_cache", and "uwsgi_cache" directives.
*) Feature: variables support in the "expires" directive.
*) Feature: loading of secret keys from hardware tokens with OpenSSL
engines.
*) Feature: the "autoindex_format" directive.
*) Bugfix: cache revalidation is now only used for responses with 200
and 206 status codes.
*) Bugfix: the "TE" client request header line was passed to backends
while proxying.
*) Bugfix: the "proxy_pass", "fastcgi_pass", "scgi_pass", and
"uwsgi_pass" directives might not work correctly inside the "if" and
"limit_except" blocks.
*) Bugfix: the "proxy_store" directive with the "on" parameter was
ignored if the "proxy_store" directive with an explicitly specified
file path was used on a previous level.
*) Bugfix: nginx could not be built with BoringSSL.
Changes with nginx 1.7.8 02 Dec 2014
*) Change: now the "If-Modified-Since", "If-Range", etc. client request
header lines are passed to a backend while caching if nginx knows in
advance that the response will not be cached (e.g., when using
proxy_cache_min_uses).
*) Change: now after proxy_cache_lock_timeout nginx sends a request to a
backend with caching disabled; the new directives
"proxy_cache_lock_age", "fastcgi_cache_lock_age",
"scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time
after which the lock will be released and another attempt to cache a
response will be made.
*) Change: the "log_format" directive can now be used only at http
level.
*) Feature: the "proxy_ssl_certificate", "proxy_ssl_certificate_key",
"proxy_ssl_password_file", "uwsgi_ssl_certificate",
"uwsgi_ssl_certificate_key", and "uwsgi_ssl_password_file"
directives.
*) Feature: it is now possible to switch to a named location using
"X-Accel-Redirect".
*) Feature: now the "tcp_nodelay" directive works with SPDY connections.
*) Feature: new directives in vim syntax highliting scripts.
*) Bugfix: nginx ignored the "s-maxage" value in the "Cache-Control"
backend response header line.
*) Bugfix: in the ngx_http_spdy_module.
*) Bugfix: in the "ssl_password_file" directive when using OpenSSL
0.9.8zc, 1.0.0o, 1.0.1j.
*) Bugfix: alerts "header already sent" appeared in logs if the
"post_action" directive was used; the bug had appeared in 1.5.4.
*) Bugfix: alerts "the http output chain is empty" might appear in logs
if the "postpone_output 0" directive was used with SSI includes.
*) Bugfix: in the "proxy_cache_lock" directive with SSI subrequests.
Changes with nginx 1.7.7 28 Oct 2014
*) Change: now nginx takes into account the "Vary" header line in a
backend response while caching.
*) Feature: the "proxy_force_ranges", "fastcgi_force_ranges",
"scgi_force_ranges", and "uwsgi_force_ranges" directives.
*) Feature: the "proxy_limit_rate", "fastcgi_limit_rate",
"scgi_limit_rate", and "uwsgi_limit_rate" directives.
*) Feature: the "Vary" parameter of the "proxy_ignore_headers",
"fastcgi_ignore_headers", "scgi_ignore_headers", and
"uwsgi_ignore_headers" directives.
*) Bugfix: the last part of a response received from a backend with
unbufferred proxy might not be sent to a client if "gzip" or "gunzip"
directives were used.
*) Bugfix: in the "proxy_cache_revalidate" directive.
*) Bugfix: in error handling.
*) Bugfix: in the "proxy_next_upstream_tries" and
"proxy_next_upstream_timeout" directives.
*) Bugfix: nginx/Windows could not be built with MinGW-w64 gcc.
Changes with nginx 1.7.6 30 Sep 2014
*) Change: the deprecated "limit_zone" directive is not supported
anymore.
*) Feature: the "limit_conn_zone" and "limit_req_zone" directives now
can be used with combinations of multiple variables.
*) Bugfix: request body might be transmitted incorrectly when retrying a
FastCGI request to the next upstream server.
*) Bugfix: in logging to syslog.
Changes with nginx 1.7.5 16 Sep 2014
*) Security: it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks (CVE-2014-3616).
*) Change: now the "stub_status" directive does not require a parameter.
*) Feature: the "always" parameter of the "add_header" directive.
*) Feature: the "proxy_next_upstream_tries",
"proxy_next_upstream_timeout", "fastcgi_next_upstream_tries",
"fastcgi_next_upstream_timeout", "memcached_next_upstream_tries",
"memcached_next_upstream_timeout", "scgi_next_upstream_tries",
"scgi_next_upstream_timeout", "uwsgi_next_upstream_tries", and
"uwsgi_next_upstream_timeout" directives.
*) Bugfix: in the "if" parameter of the "access_log" directive.
*) Bugfix: in the ngx_http_perl_module.
*) Bugfix: the "listen" directive of the mail proxy module did not allow
to specify more than two parameters.
*) Bugfix: the "sub_filter" directive did not work with a string to
replace consisting of a single character.
*) Bugfix: requests might hang if resolver was used and a timeout
occurred during a DNS request.
*) Bugfix: in the ngx_http_spdy_module when using with AIO.
*) Bugfix: a segmentation fault might occur in a worker process if the
"set" directive was used to change the "$http_...", "$sent_http_...",
or "$upstream_http_..." variables.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.7.4 05 Aug 2014
*) Security: pipelined commands were not discarded after STARTTLS
command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
*) Change: URI escaping now uses uppercase hexadecimal digits.
*) Feature: now nginx can be build with BoringSSL and LibreSSL.
*) Bugfix: requests might hang if resolver was used and a DNS server
returned a malformed response; the bug had appeared in 1.5.8.
*) Bugfix: in the ngx_http_spdy_module.
*) Bugfix: the $uri variable might contain garbage when returning errors
with code 400.
*) Bugfix: in error handling in the "proxy_store" directive and the
ngx_http_dav_module.
*) Bugfix: a segmentation fault might occur if logging of errors to
syslog was used; the bug had appeared in 1.7.1.
*) Bugfix: the $geoip_latitude, $geoip_longitude, $geoip_dma_code, and
$geoip_area_code variables might not work.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.7.3 08 Jul 2014
*) Feature: weak entity tags are now preserved on response
modifications, and strong ones are changed to weak.
*) Feature: cache revalidation now uses If-None-Match header if
possible.
*) Feature: the "ssl_password_file" directive.
*) Bugfix: the If-None-Match request header line was ignored if there
was no Last-Modified header in a response returned from cache.
*) Bugfix: "peer closed connection in SSL handshake" messages were
logged at "info" level instead of "error" while connecting to
backends.
*) Bugfix: in the ngx_http_dav_module module in nginx/Windows.
*) Bugfix: SPDY connections might be closed prematurely if caching was
used.
Changes with nginx 1.7.2 17 Jun 2014
*) Feature: the "hash" directive inside the "upstream" block.
*) Feature: defragmentation of free shared memory blocks.
*) Bugfix: a segmentation fault might occur in a worker process if the
default value of the "access_log" directive was used; the bug had
appeared in 1.7.0.
*) Bugfix: trailing slash was mistakenly removed from the last parameter
of the "try_files" directive.
*) Bugfix: nginx could not be built on OS X in some cases.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.7.1 27 May 2014
*) Feature: the "$upstream_cookie_..." variables.
*) Feature: the $ssl_client_fingerprint variable.
*) Feature: the "error_log" and "access_log" directives now support
logging to syslog.
*) Feature: the mail proxy now logs client port on connect.
*) Bugfix: memory leak if the "ssl_stapling" directive was used.
*) Bugfix: the "alias" directive used inside a location given by a
regular expression worked incorrectly if the "if" or "limit_except"
directives were used.
*) Bugfix: the "charset" directive did not set a charset to encoded
backend responses.
*) Bugfix: a "proxy_pass" directive without URI part might use original
request after the $args variable was set.
*) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug
had appeared in 1.5.6.
*) Bugfix: if sub_filter and SSI were used together, then responses
might be transferred incorrectly.
*) Bugfix: nginx could not be built with the --with-file-aio option on
Linux/aarch64.
Changes with nginx 1.7.0 24 Apr 2014
*) Feature: backend SSL certificate verification.
*) Feature: support for SNI while working with SSL backends.
*) Feature: the $ssl_server_name variable.
*) Feature: the "if" parameter of the "access_log" directive.
(rodent)
diff -r1.58 -r1.59 pkgsrc/www/nginx/Makefile| @@ -1,7 +1,6 @@ | @@ -1,7 +1,6 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.58 2015/06/12 10:51:51 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.59 2015/06/26 13:46:53 rodent Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= nginx-1.6.2 | 3 | DISTNAME= nginx-1.8.0 | |
| 4 | MAINTAINER= joerg@NetBSD.org | 4 | MAINTAINER= joerg@NetBSD.org | |
| 5 | 5 | |||
| 6 | PKGREVISION= 1 | |||
| 7 | .include "../../www/nginx/Makefile.common" | 6 | .include "../../www/nginx/Makefile.common" |
| @@ -1,40 +1,7 @@ | @@ -1,40 +1,7 @@ | |||
| 1 | $NetBSD: distinfo,v 1.44 2014/09/24 05:42:48 kim Exp $ | 1 | $NetBSD: distinfo,v 1.45 2015/06/26 13:46:53 rodent Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (array-var-nginx-module-0.03.tar.gz) = b2666aa3c092060fcd3931a6d45798a5745c1ad6 | 3 | SHA1 (nginx-1.8.0.tar.gz) = 12bad312764feae50246685ab2e74512d1aa9b2f | |
| 4 | RMD160 (array-var-nginx-module-0.03.tar.gz) = 171c2d9bd02d7a7ede9f87ab348ef035cea14aec | 4 | RMD160 (nginx-1.8.0.tar.gz) = 9af62e81b42e572615f59fcedb222e9d6ad96b53 | |
| 5 | Size (array-var-nginx-module-0.03.tar.gz) = 9520 bytes | 5 | Size (nginx-1.8.0.tar.gz) = 832104 bytes | |
| 6 | SHA1 (echo-nginx-module-0.51.tar.gz) = 127d011f146a7e611f328cd4f2f29cdde1227f07 | |||
| 7 | RMD160 (echo-nginx-module-0.51.tar.gz) = 79bb11c34735381a5a90176eb4d07dec8b469ab4 | |||
| 8 | Size (echo-nginx-module-0.51.tar.gz) = 63460 bytes | |||
| 9 | SHA1 (encrypted-session-nginx-module-0.03.tar.gz) = b33a74b83a200299fe80a2441b4cc014fab02a6a | |||
| 10 | RMD160 (encrypted-session-nginx-module-0.03.tar.gz) = 89cab2054f95e1017c109238d399afe23ce499e6 | |||
| 11 | Size (encrypted-session-nginx-module-0.03.tar.gz) = 8949 bytes | |||
| 12 | SHA1 (form-input-nginx-module-0.07.tar.gz) = 4f68ad4b6b19f313582523585aee4e4473666ea3 | |||
| 13 | RMD160 (form-input-nginx-module-0.07.tar.gz) = 1d543c15c1ced82497987b7fd71d79d7c818b9bf | |||
| 14 | Size (form-input-nginx-module-0.07.tar.gz) = 10563 bytes | |||
| 15 | SHA1 (headers-more-nginx-module-0.25.tar.gz) = 514bc3df30b24eb0a06533f1ebaa579b898990f5 | |||
| 16 | RMD160 (headers-more-nginx-module-0.25.tar.gz) = 8270edae05b2cf24f1d46fb1b217d4943bf56372 | |||
| 17 | Size (headers-more-nginx-module-0.25.tar.gz) = 27973 bytes | |||
| 18 | SHA1 (lua-nginx-module-0.9.5.tar.gz) = c9c752461f407ccae40870d4cabfbf2bd8c81bac | |||
| 19 | RMD160 (lua-nginx-module-0.9.5.tar.gz) = 180331a69680278bac26f0a9ccd0de52fd88a7ea | |||
| 20 | Size (lua-nginx-module-0.9.5.tar.gz) = 476124 bytes | |||
| 21 | SHA1 (naxsi-0.53-2.tar.gz) = e29101b3193f434e4ec503671c41d0bacc64ff39 | |||
| 22 | RMD160 (naxsi-0.53-2.tar.gz) = 198ff9d2faf55ce3ed72332615f9e555e3afc155 | |||
| 23 | Size (naxsi-0.53-2.tar.gz) = 165690 bytes | |||
| 24 | SHA1 (nginx-1.6.2.tar.gz) = 1a5458bc15acf90eea16353a1dd17285cf97ec35 | |||
| 25 | RMD160 (nginx-1.6.2.tar.gz) = 58704be748781db2bcd67e5bad842f5ff8c55326 | |||
| 26 | Size (nginx-1.6.2.tar.gz) = 804164 bytes | |||
| 27 | SHA1 (nginx_http_push_module-0.692.tar.gz) = 72103084cad8f4d3d9a49a6b04cf780e4541605d | |||
| 28 | RMD160 (nginx_http_push_module-0.692.tar.gz) = 9d2be16074cf28115af0f1d8f3646937cda649ad | |||
| 29 | Size (nginx_http_push_module-0.692.tar.gz) = 29119 bytes | |||
| 30 | SHA1 (nginx_upload_module-2.2.0.tar.gz) = 93d6e83e613a0ce2ed057a434b344fa1b6609b47 | |||
| 31 | RMD160 (nginx_upload_module-2.2.0.tar.gz) = 5734af837be3fe8ec444a7e5e7f6707118594098 | |||
| 32 | Size (nginx_upload_module-2.2.0.tar.gz) = 25796 bytes | |||
| 33 | SHA1 (ngx_devel_kit-0.2.19.tar.gz) = 888635e80a8a0e6242b8e9b684ff60ffa70845a2 | |||
| 34 | RMD160 (ngx_devel_kit-0.2.19.tar.gz) = 64d3737bc4cc948c1363cce80d70e5260878811e | |||
| 35 | Size (ngx_devel_kit-0.2.19.tar.gz) = 65029 bytes | |||
| 36 | SHA1 (set-misc-nginx-module-0.24.tar.gz) = da404a7dac5fa4a0a86f42b4ec7648b607f4cd66 | |||
| 37 | RMD160 (set-misc-nginx-module-0.24.tar.gz) = 07d0bb8f2a0840534a82a2d18394163342393cef | |||
| 38 | Size (set-misc-nginx-module-0.24.tar.gz) = 40397 bytes | |||
| 39 | SHA1 (patch-aa) = 47f0c19b47b115f00ea6e9432d5bb12058c3bc1c | 6 | SHA1 (patch-aa) = 47f0c19b47b115f00ea6e9432d5bb12058c3bc1c | |
| 40 | SHA1 (patch-ab) = 0925a163db1ec36142fc3c32545f0abc1c5545c8 | 7 | SHA1 (patch-ab) = 0925a163db1ec36142fc3c32545f0abc1c5545c8 |