nginx Changelog

New in version 1.7.8 (December 2nd, 2014)

  • Change: now the "If-Modified-Since", "If-Range", etc. client request header lines are passed to a backend while caching if nginx knows in advance that the response will not be cached (e.g., when using proxy_cache_min_uses).
  • Change: now after proxy_cache_lock_timeout nginx sends a request to a backend with caching disabled; the new directives "proxy_cache_lock_age", "fastcgi_cache_lock_age", "scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time after which the lock will be released and another attempt to cache a response will be made.
  • Change: the "log_format" directive can now be used only at http level.
  • Feature: the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "proxy_ssl_password_file", "uwsgi_ssl_certificate", "uwsgi_ssl_certificate_key", and "uwsgi_ssl_password_file" directives. Thanks to Piotr Sikora.
  • Feature: it is now possible to switch to a named location using "X-Accel-Redirect". Thanks to Toshikuni Fukaya.
  • Feature: now the "tcp_nodelay" directive works with SPDY connections.
  • Feature: new directives in vim syntax highlighting scripts. Thanks to Peter Wu.
  • Bugfix: nginx ignored the "s-maxage" value in the "Cache-Control" backend response header line. Thanks to Piotr Sikora.
  • Bugfix: in the ngx_http_spdy_module. Thanks to Piotr Sikora.
  • Bugfix: in the "ssl_password_file" directive when using OpenSSL 0.9.8zc, 1.0.0o, 1.0.1j.
  • Bugfix: alerts "header already sent" appeared in logs if the "post_action" directive was used; the bug had appeared in 1.5.4.
  • Bugfix: alerts "the http output chain is empty" might appear in logs if the "postpone_output 0" directive was used with SSI includes.
  • Bugfix: in the "proxy_cache_lock" directive with SSI subrequests. Thanks to Yichun Zhang.

New in version 1.6.2 (September 16th, 2014)

  • Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks (CVE-2014-3616). Thanks to Antoine Delignat-Lavaud.
  • Bugfix: requests might hang if resolver was used and a DNS server returned a malformed response; the bug had appeared in 1.5.8.
  • Bugfix: requests might hang if resolver was used and a timeout occurred during a DNS request.

New in version 1.6.1 (August 5th, 2014)

  • Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6. Thanks to Chris Boulton.
  • Bugfix: the $uri variable might contain garbage when returning errors with code 400. Thanks to Sergey Bobrov.
  • Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug had appeared in 1.5.6. Thanks to Svyatoslav Nikolsky.

New in version 1.6.0 (April 24th, 2014)

  • This stable version incorporates many new features from the 1.5.x mainline branch - including various SSL improvements, SPDY 3.1 support, cache revalidation with conditional requests, auth request module and more.

New in version 1.4.7 (March 19th, 2014)

  • Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0133). Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel Sadosky, Buenos Aires, Argentina.
  • Bugfix: in the "fastcgi_next_upstream" directive. Thanks to Lucas Molas.

New in version 1.4.6 (March 6th, 2014)

  • Bugfix: the "client_max_body_size" directive might not work when reading a request body using chunked transfer encoding; the bug had appeared in 1.3.9. Thanks to Lucas Molas.
  • Bugfix: a segmentation fault might occur in a worker process when proxying WebSocket connections.

New in version 1.4.5 (February 12th, 2014)

  • Bugfix: the $ssl_session_id variable contained the full serialized session instead of just a session id. Thanks to Ivan Ristić.
  • Bugfix: client connections might be immediately closed if deferred accept was used; the bug had appeared in 1.3.15.
  • Bugfix: alerts "zero size buf in output" might appear in logs while proxying; the bug had appeared in 1.3.9.
  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used.
  • Bugfix: proxied WebSocket connections might hang right after handshake if the select, poll, or /dev/poll methods were used.
  • Bugfix: a timeout might occur while reading client request body in an SSL connection using chunked transfer encoding.
  • Bugfix: memory leak in nginx/Windows.

New in version 1.4.4 (November 20th, 2013)

  • This release introduces a fix for the request line parsing vulnerability in nginx 0.8.41 - 1.5.6 discovered by Ivan Fratric of the Google Security Team (CVE-2013-4547).

New in version 1.5.0 (May 8th, 2013)

  • Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs.