nginx Changelog

What's new in nginx 1.17.3

Aug 16, 2019
  • Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
  • Bugfix: "zero size buf" alerts might appear in logs when using gzipping; the bug had appeared in 1.17.2.
  • Bugfix: a segmentation fault might occur in a worker process if the "resolver" directive was used in SMTP proxy.

New in nginx 1.15.6 (Nov 8, 2018)

  • Security: when using HTTP/2 a client might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
  • Security: processing of a specially crafted mp4 file with the ngx_http_mp4_module might result in worker process memory disclosure (CVE-2018-16845).
  • Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive", "grpc_socket_keepalive", "memcached_socket_keepalive", "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.
  • Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled.
  • Bugfix: working with gRPC backends might result in excessive memory consumption.

New in nginx 1.12.0 (Apr 12, 2017)

  • nginx-1.12.0 stable version has been released, incorporating new features and bug fixes from the 1.11.x mainline branch - including variables support and other improvements in the stream module, HTTP/2 fixes, support for multiple SSL certificates of different types, improved dynamic modules support, and more.

New in nginx 1.11.1 (Jun 29, 2016)

  • Security: a segmentation fault might occur in a worker process while writing a specially crafted request body to a temporary file (CVE-2016-4450); the bug had appeared in 1.3.9.

New in nginx 1.11.0 (May 25, 2016)

  • Feature: the "transparent" parameter of the "proxy_bind", "fastcgi_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives.
  • Feature: the $request_id variable.
  • Feature: the "map" directive supports combinations of multiple variables as resulting values.
  • Feature: now nginx checks if EPOLLRDHUP events are supported by kernel, and optimizes connection handling accordingly if the "epoll" method is used.
  • Feature: the "ssl_certificate" and "ssl_certificate_key" directives can be specified multiple times to load certificates of different types (for example, RSA and ECDSA).
  • Feature: the "ssl_ecdh_curve" directive now allows specifying a list of curves when using OpenSSL 1.0.2 or newer; by default a list built into OpenSSL is used.
  • Change: to use DHE ciphers it is now required to specify parameters using the "ssl_dhparam" directive.
  • Feature: the $proxy_protocol_port variable.
  • Feature: the $realip_remote_port variable in the ngx_http_realip_module.
  • Feature: the ngx_http_realip_module is now able to set the client port in addition to the address.
  • Change: the "421 Misdirected Request" response is now used when rejecting requests to a virtual server different from one negotiated during an SSL handshake; this improves interoperability with some HTTP/2 clients when using client certificates.
  • Change: HTTP/2 clients can now start sending request body immediately; the "http2_body_preread_size" directive controls size of the buffer used before nginx will start reading client request body.
  • Bugfix: cached error responses were not updated when using the "proxy_cache_bypass" directive.

New in nginx 1.10.0 (Apr 26, 2016)

  • Incorporates new features from the 1.9.x mainline branch - including the stream module, HTTP/2, dynamic modules support and more.

New in nginx 1.8.1 (Jan 28, 2016)

  • Security: invalid pointer dereference might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause segmentation fault in a worker process (CVE-2016-0742).
  • Security: use-after-free condition might occur during CNAME response processing if the "resolver" directive was used, allowing an attacker who is able to trigger name resolution to cause segmentation fault in a worker process, or might have potential other impact (CVE-2016-0746).
  • Security: CNAME resolution was insufficiently limited if the "resolver" directive was used, allowing an attacker who is able to trigger arbitrary name resolution to cause excessive resource consumption in worker processes (CVE-2016-0747).
  • Bugfix: the "proxy_protocol" parameter of the "listen" directive did not work if not specified in the first "listen" directive for a listen socket.
  • Bugfix: nginx might fail to start on some old Linux variants; the bug had appeared in 1.7.11.
  • Bugfix: a segmentation fault might occur in a worker process if the "try_files" and "alias" directives were used inside a location given by a regular expression; the bug had appeared in 1.7.1.
  • Bugfix: the "try_files" directive inside a nested location given by a regular expression worked incorrectly if the "alias" directive was used in the outer location.
  • Bugfix: "header already sent" alerts might appear in logs when using cache; the bug had appeared in 1.7.5.
  • Bugfix: a segmentation fault might occur in a worker process if different ssl_session_cache settings were used in different virtual servers.
  • Bugfix: the "expires" directive might not work when using variables.
  • Bugfix: if nginx was built with the ngx_http_spdy_module it was possible to use the SPDY protocol even if the "spdy" parameter of the "listen" directive was not specified.

New in nginx 1.8.0 (Apr 22, 2015)

  • Includes many new features from the 1.7.x mainline branch - including hash load balancing method, backend SSL certificate verification, experimental thread pools support, proxy_request_buffering and more.

New in nginx 1.6.3 (Apr 8, 2015)

  • Feature: now the "tcp_nodelay" directive works with SPDY connections.
  • Bugfix: in error handling. Thanks to Yichun Zhang and Daniil Bondarev.
  • Bugfix: alerts "header already sent" appeared in logs if the "post_action" directive was used; the bug had appeared in 1.5.4.
  • Bugfix: alerts "sem_post() failed" might appear in logs.
  • Bugfix: in hash table handling. Thanks to Chris West.
  • Bugfix: in integer overflow handling. Thanks to Régis Leroy.

New in nginx 1.7.8 (Dec 2, 2014)

  • Change: now the "If-Modified-Since", "If-Range", etc. client request header lines are passed to a backend while caching if nginx knows in advance that the response will not be cached (e.g., when using proxy_cache_min_uses).
  • Change: now after proxy_cache_lock_timeout nginx sends a request to a backend with caching disabled; the new directives "proxy_cache_lock_age", "fastcgi_cache_lock_age", "scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time after which the lock will be released and another attempt to cache a response will be made.
  • Change: the "log_format" directive can now be used only at http level.
  • Feature: the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "proxy_ssl_password_file", "uwsgi_ssl_certificate", "uwsgi_ssl_certificate_key", and "uwsgi_ssl_password_file" directives. Thanks to Piotr Sikora.
  • Feature: it is now possible to switch to a named location using "X-Accel-Redirect". Thanks to Toshikuni Fukaya.
  • Feature: now the "tcp_nodelay" directive works with SPDY connections.
  • Feature: new directives in vim syntax highlighting scripts. Thanks to Peter Wu.
  • Bugfix: nginx ignored the "s-maxage" value in the "Cache-Control" backend response header line. Thanks to Piotr Sikora.
  • Bugfix: in the ngx_http_spdy_module. Thanks to Piotr Sikora.
  • Bugfix: in the "ssl_password_file" directive when using OpenSSL 0.9.8zc, 1.0.0o, 1.0.1j.
  • Bugfix: alerts "header already sent" appeared in logs if the "post_action" directive was used; the bug had appeared in 1.5.4.
  • Bugfix: alerts "the http output chain is empty" might appear in logs if the "postpone_output 0" directive was used with SSI includes.
  • Bugfix: in the "proxy_cache_lock" directive with SSI subrequests. Thanks to Yichun Zhang.

New in nginx 1.6.2 (Sep 16, 2014)

  • Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks (CVE-2014-3616). Thanks to Antoine Delignat-Lavaud.
  • Bugfix: requests might hang if resolver was used and a DNS server returned a malformed response; the bug had appeared in 1.5.8.
  • Bugfix: requests might hang if resolver was used and a timeout occurred during a DNS request.

New in nginx 1.6.1 (Aug 5, 2014)

  • Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6. Thanks to Chris Boulton.
  • Bugfix: the $uri variable might contain garbage when returning errors with code 400. Thanks to Sergey Bobrov.
  • Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug had appeared in 1.5.6. Thanks to Svyatoslav Nikolsky.

New in nginx 1.6.0 (Apr 24, 2014)

  • This stable version incorporates many new features from the 1.5.x mainline branch - including various SSL improvements, SPDY 3.1 support, cache revalidation with conditional requests, auth request module and more.

New in nginx 1.4.7 (Mar 19, 2014)

  • Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0133). Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel Sadosky, Buenos Aires, Argentina.
  • Bugfix: in the "fastcgi_next_upstream" directive. Thanks to Lucas Molas.

New in nginx 1.4.6 (Mar 6, 2014)

  • Bugfix: the "client_max_body_size" directive might not work when reading a request body using chunked transfer encoding; the bug had appeared in 1.3.9. Thanks to Lucas Molas.
  • Bugfix: a segmentation fault might occur in a worker process when proxying WebSocket connections.

New in nginx 1.4.5 (Feb 12, 2014)

  • Bugfix: the $ssl_session_id variable contained full session serialized instead of just a session id. Thanks to Ivan Ristić.
  • Bugfix: client connections might be immediately closed if deferred accept was used; the bug had appeared in 1.3.15.
  • Bugfix: alerts "zero size buf in output" might appear in logs while proxying; the bug had appeared in 1.3.9.
  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used.
  • Bugfix: proxied WebSocket connections might hang right after handshake if the select, poll, or /dev/poll methods were used.
  • Bugfix: a timeout might occur while reading client request body in an SSL connection using chunked transfer encoding.
  • Bugfix: memory leak in nginx/Windows.

New in nginx 1.4.4 (Nov 20, 2013)

  • This release introduces a fix for the request line parsing vulnerability in nginx 0.8.41 - 1.5.6 discovered by Ivan Fratric of the Google Security Team (CVE-2013-4547).

New in nginx 1.5.0 (May 8, 2013)

  • Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs.

New in nginx 1.3.15 (Apr 2, 2013)

  • Change: opening and closing a connection without sending any data in it is no longer logged to access_log with 400 error code.
  • Feature: the ngx_http_spdy_module. Thanks to Automattic for sponsoring this work.
  • Feature: the "limit_req_status" and "limit_conn_status" directives. Thanks to Nick Marden.
  • Feature: the "image_filter_interlace" directive. Thanks to Ian Babrou.
  • Feature: $connections_waiting variable in the ngx_http_stub_status_module.
  • Feature: the mail proxy module now supports IPv6 backends.
  • Bugfix: request body might be transmitted incorrectly when retrying a request to a next upstream server; the bug had appeared in 1.3.9. Thanks to Piotr Sikora.
  • Bugfix: in the "client_body_in_file_only" directive; the bug had appeared in 1.3.9.
  • Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing. Thanks to Lanshun Zhou.
  • Bugfix: in backend usage accounting.

New in nginx 1.2.8 (Apr 2, 2013)

  • Bugfix: new sessions were not always stored if the "ssl_session_cache shared" directive was used and there was no free space in shared memory. Thanks to Piotr Sikora.
  • Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing. Thanks to Lanshun Zhou.
  • Bugfix: in the ngx_http_mp4_module. Thanks to Gernot Vormayr.
  • Bugfix: in backend usage accounting.

New in nginx 1.2.7 (Feb 12, 2013)

  • Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order.
  • Change: the "add_header" directive adds headers to 201 responses.
  • Feature: the "geo" directive now supports IPv6 addresses in CIDR notation.
  • Feature: the "flush" and "gzip" parameters of the "access_log" directive.
  • Feature: variables support in the "auth_basic" directive.
  • Feature: the $pipe, $request_length, $time_iso8601, and $time_local variables can now be used not only in the "log_format" directive. Thanks to Kiril Kalchev.
  • Feature: IPv6 support in the ngx_http_geoip_module. Thanks to Gregor Kališnik.
  • Bugfix: nginx could not be built with the ngx_http_perl_module in some cases.
  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_xslt_module was used.
  • Bugfix: nginx could not be built on MacOSX in some cases. Thanks to Piotr Sikora.
  • Bugfix: the "limit_rate" directive with high rates might result in truncated responses on 32-bit platforms. Thanks to Alexey Antropov.
  • Bugfix: a segmentation fault might occur in a worker process if the "if" directive was used. Thanks to Piotr Sikora.
  • Bugfix: a "100 Continue" response was issued with "413 Request Entity Too Large" responses.
  • Bugfix: the "image_filter", "image_filter_jpeg_quality" and "image_filter_sharpen" directives might be inherited incorrectly. Thanks to Ian Babrou.
  • Bugfix: "crypt_r() failed" errors might appear if the "auth_basic" directive was used on Linux.
  • Bugfix: in backup servers handling. Thanks to Thomas Chen.
  • Bugfix: proxied HEAD requests might return incorrect response if the "gzip" directive was used.
  • Bugfix: a segmentation fault occurred on start or during reconfiguration if the "keepalive" directive was specified more than once in a single upstream block.
  • Bugfix: in the "proxy_method" directive.
  • Bugfix: a segmentation fault might occur in a worker process if resolver was used with the poll method.
  • Bugfix: nginx might hog CPU during SSL handshake with a backend if the select, poll, or /dev/poll methods were used.
  • Bugfix: the "[crit] SSL_write() failed (SSL:)" error.
  • Bugfix: in the "fastcgi_keep_conn" directive.

New in nginx 1.3.7 (Oct 8, 2012)

  • Feature: OCSP stapling support. Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work.
  • Feature: the "ssl_trusted_certificate" directive.
  • Feature: resolver now randomly rotates addresses returned from cache. Thanks to Anton Jouline.
  • Bugfix: OpenSSL 0.9.7 compatibility.

New in nginx 1.0.12 (Feb 11, 2012)

  • Feature: the "TLSv1.1" and "TLSv1.2" parameters of the "ssl_protocols" directive.
  • Feature: the "if" SSI command supports captures in regular expressions.
  • Bugfix: the "if" SSI command did not work inside the "block" command.
  • Bugfix: in AIO error handling on FreeBSD.
  • Bugfix: in the OpenSSL library initialization.
  • Bugfix: the "worker_cpu_affinity" directive might not work.
  • Bugfix: the "limit_conn_log_level" and "limit_req_log_level" directives might not work.
  • Bugfix: the "read_ahead" directive might not work combined with "try_files" and "open_file_cache".
  • Bugfix: the "proxy_cache_use_stale" directive with "error" parameter did not return answer from cache if there were no live upstreams.
  • Bugfix: a segmentation fault might occur in a worker process if small time was used in the "inactive" parameter of the "proxy_cache_path" directive.
  • Bugfix: responses from cache might hang.
  • Bugfix: in error handling while connecting to a backend. Thanks to Piotr Sikora.
  • Bugfix: in the "epoll" event method. Thanks to Yichun Zhang.
  • Bugfix: the $sent_http_cache_control variable might contain a wrong value if the "expires" directive was used. Thanks to Yichun Zhang.
  • Bugfix: the "limit_rate" directive did not allow to use full throughput, even if limit value was very high.
  • Bugfix: the "sendfile_max_chunk" directive did not work, if the "limit_rate" directive was used.
  • Bugfix: nginx could not be built on Solaris; the bug had appeared in 1.0.11.
  • Bugfix: in the ngx_http_scgi_module.
  • Bugfix: in the ngx_http_mp4_module.

New in nginx 1.0.0 (Apr 15, 2011)

  • Bugfix: a cache manager might hog CPU after reload. Thanks to Maxim Dounin.
  • Bugfix: an "image_filter crop" directive worked incorrectly coupled with an "image_filter rotate 180" directive.
  • Bugfix: a "satisfy any" directive disabled custom 401 error page.