New in version 1.6.2 (September 16th, 2014)
- Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks (CVE-2014-3616). Thanks to Antoine Delignat-Lavaud.
- Bugfix: requests might hang if resolver was used and a DNS server returned a malformed response; the bug had appeared in 1.5.8.
- Bugfix: requests might hang if resolver was used and a timeout occurred during a DNS request.
New in version 1.6.1 (August 5th, 2014)
- Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6. Thanks to Chris Boulton.
- Bugfix: the $uri variable might contain garbage when returning errors with code 400. Thanks to Sergey Bobrov.
- Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug had appeared in 1.5.6. Thanks to Svyatoslav Nikolsky.
New in version 1.6.0 (April 24th, 2014)
- This stable version incorporates many new features from the 1.5.x mainline branch - including various SSL improvements, SPDY 3.1 support, cache revalidation with conditional requests, auth request module and more.
New in version 1.4.7 (March 19th, 2014)
- Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0133). Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel Sadosky, Buenos Aires, Argentina.
- Bugfix: in the "fastcgi_next_upstream" directive. Thanks to Lucas Molas.
New in version 1.4.6 (March 6th, 2014)
- Bugfix: the "client_max_body_size" directive might not work when reading a request body using chunked transfer encoding; the bug had appeared in 1.3.9. Thanks to Lucas Molas.
- Bugfix: a segmentation fault might occur in a worker process when proxying WebSocket connections.
New in version 1.4.5 (February 12th, 2014)
- Bugfix: the $ssl_session_id variable contained the full serialized session instead of just a session id. Thanks to Ivan Ristić.
- Bugfix: client connections might be immediately closed if deferred accept was used; the bug had appeared in 1.3.15.
- Bugfix: alerts "zero size buf in output" might appear in logs while proxying; the bug had appeared in 1.3.9.
- Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used.
- Bugfix: proxied WebSocket connections might hang right after handshake if the select, poll, or /dev/poll methods were used.
- Bugfix: a timeout might occur while reading client request body in an SSL connection using chunked transfer encoding.
- Bugfix: memory leak in nginx/Windows.
New in version 1.4.4 (November 20th, 2013)
- This release introduces a fix for the request line parsing vulnerability in nginx 0.8.41 - 1.5.6 discovered by Ivan Fratric of the Google Security Team (CVE-2013-4547).
New in version 1.5.0 (May 8th, 2013)
- Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs.
New in version 1.3.15 (April 2nd, 2013)
- Change: opening and closing a connection without sending any data in it is no longer logged to access_log with 400 error code.
- Feature: the ngx_http_spdy_module. Thanks to Automattic for sponsoring this work.
- Feature: the "limit_req_status" and "limit_conn_status" directives. Thanks to Nick Marden.
- Feature: the "image_filter_interlace" directive. Thanks to Ian Babrou.
- Feature: the $connections_waiting variable in the ngx_http_stub_status_module.
- Feature: the mail proxy module now supports IPv6 backends.
- Bugfix: request body might be transmitted incorrectly when retrying a request to a next upstream server; the bug had appeared in 1.3.9. Thanks to Piotr Sikora.
- Bugfix: in the "client_body_in_file_only" directive; the bug had appeared in 1.3.9.
- Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing. Thanks to Lanshun Zhou.
- Bugfix: in backend usage accounting.