Log message:
Update to latest stable. Resolves CVE-2014-3616. From CHANGELOG:
Changes with nginx 1.8.0 21 Apr 2015
*) 1.8.x stable branch.
Changes with nginx 1.7.12 07 Apr 2015
*) Feature: now the "tcp_nodelay" directive works with backend SSL
connections.
*) Feature: now thread pools can be used to read cache file headers.
*) Bugfix: in the "proxy_request_buffering" directive.
*) Bugfix: a segmentation fault might occur in a worker process when
using thread pools on Linux.
*) Bugfix: in error handling when using the "ssl_stapling" directive.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.7.11 24 Mar 2015
*) Change: the "sendfile" parameter of the "aio" directive is
deprecated; now nginx automatically uses AIO to pre-load data for
sendfile if both "aio" and "sendfile" directives are used.
*) Feature: experimental thread pools support.
*) Feature: the "proxy_request_buffering", \
"fastcgi_request_buffering",
"scgi_request_buffering", and \
"uwsgi_request_buffering" directives.
*) Feature: request body filters experimental API.
*) Feature: client SSL certificates support in mail proxy.
*) Feature: startup speedup when using the "hash ... consistent"
directive in the upstream block.
*) Feature: debug logging into a cyclic memory buffer.
*) Bugfix: in hash table handling.
*) Bugfix: in the "proxy_cache_revalidate" directive.
*) Bugfix: SSL connections might hang if deferred accept or the
"proxy_protocol" parameter of the "listen" directive \
were used.
*) Bugfix: the $upstream_response_time variable might contain a wrong
value if the "image_filter" directive was used.
*) Bugfix: in integer overflow handling.
*) Bugfix: it was not possible to enable SSLv3 with LibreSSL.
*) Bugfix: the "ignoring stale global SSL error ... called a function
you should not call" alerts appeared in logs when using LibreSSL.
*) Bugfix: certificates specified by the "ssl_client_certificate" and
"ssl_trusted_certificate" directives were inadvertently used to
automatically construct certificate chains.
Changes with nginx 1.7.10 10 Feb 2015
*) Feature: the "use_temp_path" parameter of the \
"proxy_cache_path",
"fastcgi_cache_path", "scgi_cache_path", and \
"uwsgi_cache_path"
directives.
*) Feature: the $upstream_header_time variable.
*) Workaround: now on disk overflow nginx tries to write error logs once
a second only.
*) Bugfix: the "try_files" directive did not ignore normal files while
testing directories.
*) Bugfix: alerts "sendfile() failed" if the "sendfile" \
directive was
used on OS X; the bug had appeared in 1.7.8.
*) Bugfix: alerts "sem_post() failed" might appear in logs.
*) Bugfix: nginx could not be built with musl libc.
*) Bugfix: nginx could not be built on Tru64 UNIX.
Changes with nginx 1.7.9 23 Dec 2014
*) Feature: variables support in the "proxy_cache", \
"fastcgi_cache",
"scgi_cache", and "uwsgi_cache" directives.
*) Feature: variables support in the "expires" directive.
*) Feature: loading of secret keys from hardware tokens with OpenSSL
engines.
*) Feature: the "autoindex_format" directive.
*) Bugfix: cache revalidation is now only used for responses with 200
and 206 status codes.
*) Bugfix: the "TE" client request header line was passed to backends
while proxying.
*) Bugfix: the "proxy_pass", "fastcgi_pass", \
"scgi_pass", and
"uwsgi_pass" directives might not work correctly inside the \
"if" and
"limit_except" blocks.
*) Bugfix: the "proxy_store" directive with the "on" \
parameter was
ignored if the "proxy_store" directive with an explicitly specified
file path was used on a previous level.
*) Bugfix: nginx could not be built with BoringSSL.
Changes with nginx 1.7.8 02 Dec 2014
*) Change: now the "If-Modified-Since", "If-Range", etc. \
client request
header lines are passed to a backend while caching if nginx knows in
advance that the response will not be cached (e.g., when using
proxy_cache_min_uses).
*) Change: now after proxy_cache_lock_timeout nginx sends a request to a
backend with caching disabled; the new directives
"proxy_cache_lock_age", "fastcgi_cache_lock_age",
"scgi_cache_lock_age", and "uwsgi_cache_lock_age" \
specify a time
after which the lock will be released and another attempt to cache a
response will be made.
*) Change: the "log_format" directive can now be used only at http
level.
*) Feature: the "proxy_ssl_certificate", \
"proxy_ssl_certificate_key",
"proxy_ssl_password_file", "uwsgi_ssl_certificate",
"uwsgi_ssl_certificate_key", and "uwsgi_ssl_password_file"
directives.
*) Feature: it is now possible to switch to a named location using
"X-Accel-Redirect".
*) Feature: now the "tcp_nodelay" directive works with SPDY \
connections.
*) Feature: new directives in vim syntax highliting scripts.
*) Bugfix: nginx ignored the "s-maxage" value in the \
"Cache-Control"
backend response header line.
*) Bugfix: in the ngx_http_spdy_module.
*) Bugfix: in the "ssl_password_file" directive when using OpenSSL
0.9.8zc, 1.0.0o, 1.0.1j.
*) Bugfix: alerts "header already sent" appeared in logs if the
"post_action" directive was used; the bug had appeared in 1.5.4.
*) Bugfix: alerts "the http output chain is empty" might appear in logs
if the "postpone_output 0" directive was used with SSI includes.
*) Bugfix: in the "proxy_cache_lock" directive with SSI subrequests.
Changes with nginx 1.7.7 28 Oct 2014
*) Change: now nginx takes into account the "Vary" header line in a
backend response while caching.
*) Feature: the "proxy_force_ranges", "fastcgi_force_ranges",
"scgi_force_ranges", and "uwsgi_force_ranges" directives.
*) Feature: the "proxy_limit_rate", "fastcgi_limit_rate",
"scgi_limit_rate", and "uwsgi_limit_rate" directives.
*) Feature: the "Vary" parameter of the \
"proxy_ignore_headers",
"fastcgi_ignore_headers", "scgi_ignore_headers", and
"uwsgi_ignore_headers" directives.
*) Bugfix: the last part of a response received from a backend with
unbufferred proxy might not be sent to a client if "gzip" or \
"gunzip"
directives were used.
*) Bugfix: in the "proxy_cache_revalidate" directive.
*) Bugfix: in error handling.
*) Bugfix: in the "proxy_next_upstream_tries" and
"proxy_next_upstream_timeout" directives.
*) Bugfix: nginx/Windows could not be built with MinGW-w64 gcc.
Changes with nginx 1.7.6 30 Sep 2014
*) Change: the deprecated "limit_zone" directive is not supported
anymore.
*) Feature: the "limit_conn_zone" and "limit_req_zone" \
directives now
can be used with combinations of multiple variables.
*) Bugfix: request body might be transmitted incorrectly when retrying a
FastCGI request to the next upstream server.
*) Bugfix: in logging to syslog.
Changes with nginx 1.7.5 16 Sep 2014
*) Security: it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks (CVE-2014-3616).
*) Change: now the "stub_status" directive does not require a \
parameter.
*) Feature: the "always" parameter of the "add_header" \
directive.
*) Feature: the "proxy_next_upstream_tries",
"proxy_next_upstream_timeout", \
"fastcgi_next_upstream_tries",
"fastcgi_next_upstream_timeout", \
"memcached_next_upstream_tries",
"memcached_next_upstream_timeout", \
"scgi_next_upstream_tries",
"scgi_next_upstream_timeout", \
"uwsgi_next_upstream_tries", and
"uwsgi_next_upstream_timeout" directives.
*) Bugfix: in the "if" parameter of the "access_log" \
directive.
*) Bugfix: in the ngx_http_perl_module.
*) Bugfix: the "listen" directive of the mail proxy module did not \
allow
to specify more than two parameters.
*) Bugfix: the "sub_filter" directive did not work with a string to
replace consisting of a single character.
*) Bugfix: requests might hang if resolver was used and a timeout
occurred during a DNS request.
*) Bugfix: in the ngx_http_spdy_module when using with AIO.
*) Bugfix: a segmentation fault might occur in a worker process if the
"set" directive was used to change the "$http_...", \
"$sent_http_...",
or "$upstream_http_..." variables.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.7.4 05 Aug 2014
*) Security: pipelined commands were not discarded after STARTTLS
command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
*) Change: URI escaping now uses uppercase hexadecimal digits.
*) Feature: now nginx can be build with BoringSSL and LibreSSL.
*) Bugfix: requests might hang if resolver was used and a DNS server
returned a malformed response; the bug had appeared in 1.5.8.
*) Bugfix: in the ngx_http_spdy_module.
*) Bugfix: the $uri variable might contain garbage when returning errors
with code 400.
*) Bugfix: in error handling in the "proxy_store" directive and the
ngx_http_dav_module.
*) Bugfix: a segmentation fault might occur if logging of errors to
syslog was used; the bug had appeared in 1.7.1.
*) Bugfix: the $geoip_latitude, $geoip_longitude, $geoip_dma_code, and
$geoip_area_code variables might not work.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.7.3 08 Jul 2014
*) Feature: weak entity tags are now preserved on response
modifications, and strong ones are changed to weak.
*) Feature: cache revalidation now uses If-None-Match header if
possible.
*) Feature: the "ssl_password_file" directive.
*) Bugfix: the If-None-Match request header line was ignored if there
was no Last-Modified header in a response returned from cache.
*) Bugfix: "peer closed connection in SSL handshake" messages were
logged at "info" level instead of "error" while \
connecting to
backends.
*) Bugfix: in the ngx_http_dav_module module in nginx/Windows.
*) Bugfix: SPDY connections might be closed prematurely if caching was
used.
Changes with nginx 1.7.2 17 Jun 2014
*) Feature: the "hash" directive inside the "upstream" block.
*) Feature: defragmentation of free shared memory blocks.
*) Bugfix: a segmentation fault might occur in a worker process if the
default value of the "access_log" directive was used; the bug had
appeared in 1.7.0.
*) Bugfix: trailing slash was mistakenly removed from the last parameter
of the "try_files" directive.
*) Bugfix: nginx could not be built on OS X in some cases.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.7.1 27 May 2014
*) Feature: the "$upstream_cookie_..." variables.
*) Feature: the $ssl_client_fingerprint variable.
*) Feature: the "error_log" and "access_log" directives \
now support
logging to syslog.
*) Feature: the mail proxy now logs client port on connect.
*) Bugfix: memory leak if the "ssl_stapling" directive was used.
*) Bugfix: the "alias" directive used inside a location given by a
regular expression worked incorrectly if the "if" or \
"limit_except"
directives were used.
*) Bugfix: the "charset" directive did not set a charset to encoded
backend responses.
*) Bugfix: a "proxy_pass" directive without URI part might use original
request after the $args variable was set.
*) Bugfix: in the "none" parameter in the "smtp_auth" \
directive; the bug
had appeared in 1.5.6.
*) Bugfix: if sub_filter and SSI were used together, then responses
might be transferred incorrectly.
*) Bugfix: nginx could not be built with the --with-file-aio option on
Linux/aarch64.
Changes with nginx 1.7.0 24 Apr 2014
*) Feature: backend SSL certificate verification.
*) Feature: support for SNI while working with SSL backends.
*) Feature: the $ssl_server_name variable.
*) Feature: the "if" parameter of the "access_log" directive.
|