Change logs for nginx source package in Xenial

  • nginx (1.10.3-0ubuntu0.16.04.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: request smuggling via error_page
        - debian/patches/CVE-2019-20372.patch: discard request body when
          redirecting to a URL via error_page in
          src/http/ngx_http_special_response.c.
        - CVE-2019-20372
    
     -- Marc Deslauriers <email address hidden>  Fri, 10 Jan 2020 14:19:02 -0500
  • nginx (1.10.3-0ubuntu0.16.04.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: HTTP/2 Data Dribble issue
        - debian/patches/CVE-2019-9511.patch: limited number of DATA frames in
          src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h,
          src/http/v2/ngx_http_v2_filter_module.c.
        - CVE-2019-9511
      * SECURITY UPDATE: HTTP/2 Resource Loop / Priority Shuffling issue
        - debian/patches/CVE-2019-9513.patch: limited number of PRIORITY frames
          in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
        - CVE-2019-9513
      * SECURITY UPDATE: HTTP/2 0-Length Headers Leak issue
        - debian/patches/CVE-2019-9516.patch: reject zero length headers with
          PROTOCOL_ERROR in src/http/v2/ngx_http_v2.c.
        - CVE-2019-9516
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Aug 2019 14:48:49 -0400
  • nginx (1.10.3-0ubuntu0.16.04.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: excessive memory consumption in HTTP/2 implementation
        - debian/patches/CVE-2018-16843.patch: add flood detection in
          src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
        - CVE-2018-16843
      * SECURITY UPDATE: excessive CPU usage in HTTP/2 implementation
        - debian/patches/CVE-2018-16844-pre.patch: backport new
          http2_max_requests directive.
        - debian/patches/CVE-2018-16844.patch: limit the number of idle state
          switches in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
        - CVE-2018-16844
      * SECURITY UPDATE: infinite loop in ngx_http_mp4_module
        - debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
          src/http/modules/ngx_http_mp4_module.c.
        - CVE-2018-16845
    
     -- Marc Deslauriers <email address hidden>  Tue, 06 Nov 2018 13:55:13 -0500
  • nginx (1.10.3-0ubuntu0.16.04.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: integer overflow in range filter leading to
        information exposure
        - debian/patches/CVE-2017-7529.patch: add check to ensure size does
          not overflow
        - CVE-2017-7529
    
     -- Steve Beattie <email address hidden>  Wed, 12 Jul 2017 03:20:18 -0700
  • nginx (1.10.3-0ubuntu0.16.04.1) xenial; urgency=medium
    
      * Stable Release Update (LP: #1663937)
      * New upstream release (1.10.3) - full changelog available at upstream
        website - http://nginx.org/en/CHANGES-1.10
      * All Ubuntu specific changes from 1.10.0-0ubuntu1 through
        1.10.0-0ubuntu0.16.04.4 remain included.
      * Additional changes:
        * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.
        * debian/patches/cve-2016-4450.patch: Drop CVE patch as it is already
          included in the upstream source code in this upload.
    
     -- Thomas Ward <email address hidden>  Sat, 11 Feb 2017 16:18:21 -0500
  • nginx (1.10.0-0ubuntu0.16.04.4) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: config upgrade failure (LP: #1637058)
        - debian/nginx-common.config: fix return code so script doesn't exit.
    
     -- Marc Deslauriers <email address hidden>  Thu, 27 Oct 2016 10:42:14 -0400
  • nginx (1.10.0-0ubuntu0.16.04.3) xenial-security; urgency=medium
    
      [ Christos Trochalakis ]
      * debian/nginx-common.postinst:
        + Secure log file handling (owner & permissions) against privilege
          escalation attacks. /var/log/nginx is now owned by root:adm.
          Thanks Dawid Golunski (http://legalhackers.com) for the report.
          Changing /var/log/nginx permissions effectively reopens #701112,
          since log files can be world-readable. This is a trade-off until
          a better log opening solution is implemented upstream (trac:376).
      * debian/control:
        Don't allow building against liblua5.1-0-dev on architectures where
        libluajit is available.
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2016 11:02:16 +0200
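A check for the log-directory layout that entry describes (root:adm ownership of /var/log/nginx, with world-readable log files as the accepted trade-off), as an added example; it is not part of the changelog or of the Ubuntu nginx packaging. The worker user name www-data, the "no group/world write on the directory" check and the "no log file owned by the worker" check are assumptions not stated in the entry; the sample directory the example builds is constructed so the audit can be tried without touching /var/log.

```python
"""Audit an nginx log directory against the root:adm layout.

Added example, not part of the changelog or the nginx packaging.
Assumptions beyond the changelog entry: the worker runs as www-data,
the directory should not be group/world writable, and no log file
should be owned by the worker user. World-readable files are reported
as a warning only, since the entry accepts that as a trade-off.
"""
import grp
import os
import pwd
import stat
import tempfile


def owner_names(path):
    """(user, group) names for a path, falling back to numeric ids."""
    st = os.lstat(path)
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def audit_log_dir(path="/var/log/nginx", owner="root", group="adm",
                  worker="www-data"):
    """Return findings as (severity, message) tuples; [] means clean."""
    findings = []
    user, grp_name = owner_names(path)
    if (user, grp_name) != (owner, group):
        findings.append(("fail", "%s is %s:%s, expected %s:%s"
                         % (path, user, grp_name, owner, group)))
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):   # assumption: dir must not be writable
        findings.append(("fail", "%s mode %04o is group/world writable"
                         % (path, mode)))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue
        fuser, _ = owner_names(full)
        if fuser == worker:                    # assumption: worker must not own logs
            findings.append(("fail", "%s is owned by the worker user %s"
                             % (full, worker)))
        if stat.S_IMODE(st.st_mode) & stat.S_IROTH:
            findings.append(("warn", "%s is world-readable" % full))
    return findings


def make_sample_dir(file_mode=0o644, dir_mode=0o755):
    """Constructed sample layout (two empty log files) for trying the audit."""
    d = tempfile.mkdtemp(prefix="nginx-logs-")
    os.chmod(d, dir_mode)
    for name in ("access.log", "error.log"):
        p = os.path.join(d, name)
        with open(p, "w"):
            pass
        os.chmod(p, file_mode)
    return d


if __name__ == "__main__":
    for severity, message in audit_log_dir():
        print(severity.upper(), message)
```

Run as root against the live directory the audit uses the defaults; the sample directory is owned by whoever runs it, so pass that user's own names as `owner` and `group` when trying it there.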
  • nginx (1.10.0-0ubuntu0.16.04.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Null pointer dereference while writing client request
        body (LP: #1587577)
        - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
        - CVE-2016-4450
    
     -- Thomas Ward <email address hidden>  Tue, 31 May 2016 19:47:42 -0400
  • nginx (1.10.0-0ubuntu0.16.04.1) xenial-proposed; urgency=medium
    
      * Stable Release Update (LP: #1575212)
      * New upstream release (1.10.0) - full changelog available at upstream
        website - http://nginx.org/en/CHANGES-1.10
      * All Ubuntu specific changes from 1.9.15-0ubuntu1 remain included.
      * Additional changes:
        * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.
    
     -- Thomas Ward <email address hidden>  Tue, 26 Apr 2016 10:21:29 -0400
  • nginx (1.9.15-0ubuntu1) xenial-proposed; urgency=medium
    
      * New upstream release (1.9.15) - full changelog available at upstream
        website - http://nginx.org/en/CHANGES (LP: #1572223)
      * All Ubuntu specific changes from 1.1.14-0ubuntu1, except noted below,
        remain included in this upload.
      * Remaining changes:
        * debian/control: Re-add libluajit-5.1-dev build-dependency, as it will
          only affect nginx-extras which is in Universe. This reduces the merge
          delta between Ubuntu and Debian slightly, as well. (LP: #1571444)
        * debian/patches/ubuntu-branding.patch: Refresh Ubuntu Branding patch.
    
     -- Thomas Ward <email address hidden>  Mon, 18 Apr 2016 15:39:08 -0400
  • nginx (1.9.14-0ubuntu1) xenial-proposed; urgency=medium
    
      * New upstream release (1.9.14) - full changelog available at upstream
        website - http://nginx.org/en/CHANGES (LP: #1566392)
      * All Ubuntu specific changes from 1.9.13-0ubuntu1, except noted below,
        remain included in this upload.
      * Remaining changes:
        * Enable HTTP/2 module for nginx-full, nginx-extras, and nginx-core
          (LP: #1565043)
          - debian/rules: Enable HTTP/2 module building in flavor rules
          - debian/control: Add HTTP/2 module to package descriptions.
        * debian/patches/ubuntu-branding.patch: Refresh Ubuntu Branding patch.
    
     -- Thomas Ward <email address hidden>  Fri, 01 Apr 2016 14:23:47 -0400
  • nginx (1.9.13-0ubuntu1) xenial-proposed; urgency=medium
    
      * New upstream release (1.9.13) - full changelog available at upstream
        website - http://nginx.org/en/CHANGES (LP: #1563393)
      * All Ubuntu specific changes from 1.9.12-0ubuntu1 remain included in
        this upload.
      * debian/patches/ubuntu-branding.patch: Refresh Ubuntu Branding patch.
    
     -- Thomas Ward <email address hidden>  Tue, 29 Mar 2016 18:47:36 -0400
  • nginx (1.9.12-0ubuntu1) xenial; urgency=medium
    
      * New upstream release (1.9.12) - full changelog available at upstream
        website - http://nginx.org/en/CHANGES (LP: #1549347)
      * All Ubuntu specific changes from 1.9.11-0ubuntu1 and -0ubuntu2 remain
        included in this upload.
    
     -- Thomas Ward <email address hidden>  Wed, 24 Feb 2016 10:26:31 -0500
  • nginx (1.9.11-0ubuntu2) xenial; urgency=medium
    
      * This is a bug-fix only upload and does not include any new changes to
        features.
      * debian/conf/sites-available/default: Modify PHP 'default example' settings
        to account for php5 being replaced with php7.0 in Xenial. Also adapt the
        UNIX socket path for php7.0-fpm to be the one used by default in Xenial.
        (LP: #1547642)
    
     -- Thomas Ward <email address hidden>  Fri, 19 Feb 2016 14:13:28 -0500
  • nginx (1.9.11-0ubuntu1) xenial; urgency=low
    
      * New upstream release (1.9.11) - see http://nginx.org/en/CHANGES for
        full changelog.
      * Ubuntu-specific changes from the 1.9.10 merge remain included here.
      * Additional changes:
        - debian/modules/nginx-lua: Apply upstream patch to fix FTBFS issue
    
     -- Thomas Ward <email address hidden>  Tue, 09 Feb 2016 10:33:14 -0500
  • nginx (1.9.10-1ubuntu1) xenial; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:  (LP: #1538677)
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/control:
          - drop luajit from Build-Depends as it is in universe.
          - Remove HTTP/2 references in package descriptions, per Ubuntu
            Security Team mandate to disable HTTP/2 support.
        - debian/rules:
          - Disable HTTP/2 module support in all flavors, per Ubuntu Security
            Team mandate.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
      * Additional bugs fixed by this merge:
        - nginx-common should not depend on python (LP: #1480513)
    
     -- Thomas Ward <email address hidden>  Tue, 27 Jan 2016 12:52:00 -0500
  • nginx (1.9.10-0ubuntu1) xenial; urgency=medium
    
      * New upstream release.
      * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch
      * Security content of this upload addresses the following vulnerabilities
        and CVE-numbered Security issues: (LP: #1538165)
        - Invalid pointer dereference might occur during DNS server response
          processing, allowing an attacker who is able to forge UDP
          packets from the DNS server to cause worker process crash
          (CVE-2016-0742).
        - Use-after-free condition might occur during CNAME response
          processing. This problem allows an attacker who is able to trigger
          name resolution to cause worker process crash, or might
          have potential other impact (CVE-2016-0746).
        - CNAME resolution was insufficiently limited, allowing an attacker who
          is able to trigger arbitrary name resolution to cause excessive resource
          consumption in worker processes (CVE-2016-0747).
    
     -- Thomas Ward <email address hidden>  Tue, 26 Jan 2016 14:53:01 -0500
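The security entries above each name the first Xenial package version that carries a given CVE fix. The following is an added example, not part of the changelog or of the Ubuntu nginx packaging, that checks an installed package version against that table. It implements the Debian version comparison itself (epoch, upstream version, Debian revision; digit runs compared numerically, `~` sorting before everything including end of string) so it runs without dpkg, and only shells out to `dpkg-query` when asked for the live version of nginx-common. The fixed-version table is transcribed from the entries on this page; any CVE not listed here is outside its scope.

```python
"""Check an installed Xenial nginx package version against the CVE fixes
recorded in this changelog.

Added example; not part of the changelog or of the Ubuntu nginx packaging.
FIXED_IN is transcribed from the security entries of this changelog.
"""
import subprocess

# CVE -> first Xenial package version whose changelog entry lists the fix
FIXED_IN = {
    "CVE-2019-20372": "1.10.3-0ubuntu0.16.04.5",
    "CVE-2019-9511": "1.10.3-0ubuntu0.16.04.4",
    "CVE-2019-9513": "1.10.3-0ubuntu0.16.04.4",
    "CVE-2019-9516": "1.10.3-0ubuntu0.16.04.4",
    "CVE-2018-16843": "1.10.3-0ubuntu0.16.04.3",
    "CVE-2018-16844": "1.10.3-0ubuntu0.16.04.3",
    "CVE-2018-16845": "1.10.3-0ubuntu0.16.04.3",
    "CVE-2017-7529": "1.10.3-0ubuntu0.16.04.2",
    "CVE-2016-4450": "1.10.0-0ubuntu0.16.04.2",
    "CVE-2016-0742": "1.9.10-0ubuntu1",
    "CVE-2016-0746": "1.9.10-0ubuntu1",
    "CVE-2016-0747": "1.9.10-0ubuntu1",
}


def _order(c):
    """dpkg's weight for a non-digit character: '~' < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Lexical compare where '~' sorts before end-of-string (weight 0)."""
    for i in range(max(len(a), len(b))):
        x = _order(a[i]) if i < len(a) else 0
        y = _order(b[i]) if i < len(b) else 0
        if x != y:
            return -1 if x < y else 1
    return 0


def _cmp_fragment(a, b):
    """Compare alternating non-digit / digit runs, digits numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        i2, j2 = i, j
        while i2 < len(a) and not a[i2].isdigit():
            i2 += 1
        while j2 < len(b) and not b[j2].isdigit():
            j2 += 1
        r = _cmp_nondigit(a[i:i2], b[j:j2])
        if r:
            return r
        i, j = i2, j2
        while i2 < len(a) and a[i2].isdigit():
            i2 += 1
        while j2 < len(b) and b[j2].isdigit():
            j2 += 1
        na, nb = int(a[i:i2] or "0"), int(b[j:j2] or "0")
        if na != nb:
            return -1 if na < nb else 1
        i, j = i2, j2
    return 0


def _split(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, rev = v.rsplit("-", 1) if "-" in v else (v, "")
    return epoch, upstream, rev


def compare_versions(a, b):
    """Return -1, 0 or 1, ordered like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def unfixed_cves(installed):
    """CVEs from FIXED_IN whose fix version is newer than `installed`."""
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if compare_versions(installed, fixed) < 0)


def installed_nginx_version():
    """Version of nginx-common on this host, or None if absent/no dpkg."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f", "${Version}", "nginx-common"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


if __name__ == "__main__":
    v = installed_nginx_version()
    if v is None:
        print("nginx-common not installed (or dpkg-query unavailable)")
    else:
        missing = unfixed_cves(v)
        print("installed %s: %s" % (v, ", ".join(missing) or "all listed CVEs fixed"))
```

nginx-common is queried because every nginx flavor on Xenial depends on it and it shares the source package version; a local rebuild with a `~` suffix (for example `1.10.3-0ubuntu0.16.04.5~test1`) correctly sorts below the security release and is reported as still missing the fix.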
  • nginx (1.9.9-1ubuntu1) xenial; urgency=low
    
      * Merge from Debian unstable. Remaining changes: (LP: #1534208)
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/control:
          - drop luajit from Build-Depends as it is in universe.
          - Update nginx-core description to match nginx-full description of the
            standard and optional HTTP modules that are enabled.
          - Remove HTTP/2 references in package descriptions, per Ubuntu
            Security Team mandate to disable HTTP/2 support.
        - debian/rules:
          - Update nginx-core configure flags to match nginx-full config flags,
            due to refreshing the nginx-core 'enabled modules' to match the
            nginx-full modules (minus third-party modules)
          - Disable HTTP/2 module support in all flavors, per Ubuntu Security
            Team mandate.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
      * debian/control: Remove HTTP/2 reference in nginx-extras description, which
        was missed previously due to accidental oversight. (LP: #1534368)
    
     -- Thomas Ward <email address hidden>  Thu, 14 Jan 2016 18:42:00 -0500
  • nginx (1.9.9-0ubuntu1) xenial; urgency=medium
    
      * New upstream release.
      * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch
    
     -- Thomas Ward <email address hidden>  Sun, 03 Jan 2016 12:49:21 -0500
  • nginx (1.9.6-2ubuntu2) xenial; urgency=medium
    
      * Rebuild for Perl 5.22.1.
    
     -- Colin Watson <email address hidden>  Fri, 18 Dec 2015 12:53:05 +0000
  • nginx (1.9.6-2ubuntu1) xenial; urgency=medium
    
      * Merge from Debian unstable.  Remaining changes:  (LP: #1510096)
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/control: drop luajit from Build-Depends as it is in universe.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
      * Additional changes:
        * debian/rules:
          - Update nginx-core configure flags to match nginx-full config flags,
            due to refreshing the nginx-core 'enabled modules' to match the
            nginx-full modules (minus third-party modules)
          - Disable HTTP/2 module support in all flavors, per Ubuntu Security
            Team mandate.
        * debian/control:
          - Update nginx-core description to match nginx-full description of the
            standard and optional HTTP modules that are enabled.
          - Remove HTTP/2 references in package descriptions, per Ubuntu
            Security Team mandate to disable HTTP/2 support.
    
     -- Thomas Ward <email address hidden>  Mon, 14 Dec 2015 10:34:42 -0500
  • nginx (1.9.3-1ubuntu1) wily; urgency=medium
    
      * Merge from Debian.  Remaining changes: (LP: #1476811)
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/control: drop luajit from Build-Depends as it is in universe.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
    
    nginx (1.9.3-1) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * New upstream Release. (Closes: #789924)
      * debian/control:
        + Remove XS-Testsuite header, it is now automatically added when
          `debian/tests/control` is present.
      * debian/modules/nginx-lua:
        + Update nginx-lua to v0.9.16 and drop our backported patches.
      * debian/conf/*:
        + Add REQUEST_SCHEME to fcgi, wsgi and scgi configs (sync with upstream).
    
    nginx (1.9.2-1) unstable; urgency=medium
    
      [ Michael Lustfield ]
      * debian/nginx-common.nginx.init:
        + Init script now returns the proper exit status. (Closes: #788573)
        + Cleaned up the init script to have consistent naming/structure.
    
      [ Christos Trochalakis ]
      * New upstream Release.
      * debian/rules:
        + Add stream module to nginx-full & nginx-extras.
        + Add thread pool support to nginx-full & nginx-extras.
      * debian/modules/nginx-lua:
        + Backport upstream's 9531e5e7 fixing build failure when thread pool
          support is enabled.
    
    nginx (1.9.1-1) unstable; urgency=medium
    
      [ Michael Lustfield ]
      * debian/conf/nginx.conf:
        + Switch worker_processes to auto. (Closes: #781711)
      * debian/conf/sites-available/default:
        + Add comment about disabling gzip in HTTPS. (Closes: #773332)
        + Add comment about checking ssl_ciphers. (Closes: #765782)
      * debian/modules/*:
        + Updated nginx-auth-pam 1.3 -> 1.4. (Closes: #777120)
        + Updated nginx-echo v0.56 -> v0.57.
        + Updated nginx-lua v0.9.13 -> v0.9.15.
        + Updated nginx-cache-purge 2.1 -> 2.3.
        + Updated ngx-fancyindex v0.3.4 -> v0.3.5.
      * debian/nginx-common.NEWS:
        + Document potential issues with newer versions on i386.
      * debian/nginx-common.{dirs,install}, debian/vim/*:
        + Installing vim syntax highlighting from package. (Closes: #771609)
          Thanks Emmanuel Bouthenot for building this patch.
      * debian/nginx-common.nginx.upstart:
        + Created file to support upstart jobs. (Closes: #745483)
          Thanks Cameron Norman for building this file.
      * debian/rules:
        + Add hardening flags with dpkg-buildflags. (Closes: #747025, #781703)
          Thanks Thomas Ward.
        + Supply custom DEB_BUILD_MAINT_OPTIONS for debian_ldflags generation.
          Thanks Thomas Ward.
        + Added back missing module gunzip. (Closes: #782065)
          Thanks Peter Wu for the initial patch.
      * debian/modules/nginx-lua/*:
        + Updated module version. (Closes: #762494)
      * debian/ngx-conf/*:
        + Added configuration utility, not shipped yet. (Closes: #652108)
      * debian/nginx-common.manpages:
        + Replaced man page with upstream maintained version. (Closes: #781345)
      * debian/nginx-common.install:
        + Changed debian/index.html -> html/index.html. This installs the package
          maintained version of this file as opposed to our out of date version.
    
      [ Christos Trochalakis ]
      * New upstream release. Switching to mainline version. (Closes: #777677)
      * debian/nginx-common.manpages:
        + Build & ship manpages with binary packages.
      * debian/rules:
        + Adjust configure flags for limit_zone module (renamed to limit_conn).
      * debian/modules/nginx-lua:
        + Backport upstream's f4e1311 fixing build failure with mainline nginx.
      * debian/control:
        + Depend on libgd-dev now that jessie is released.
    
     -- Thomas Ward <email address hidden>  Wed, 22 Jul 2015 11:39:44 -0400