|
[-]
[+]
|
Changed |
nginx-1.6.changes
|
|
|
|
[-]
[+]
|
Changed |
nginx-1.6.spec
^
|
|
|
|
[-]
[+]
|
Changed |
nginx-1.6.2.tar.bz2/CHANGES
^
|
| @@ -1,4 +1,33 @@
+Changes with nginx 1.6.2 16 Sep 2014
+
+ *) Security: it was possible to reuse SSL sessions in unrelated contexts
+ if a shared SSL session cache or the same TLS session ticket key was
+ used for multiple "server" blocks (CVE-2014-3616).
+ Thanks to Antoine Delignat-Lavaud.
+
+ *) Bugfix: requests might hang if resolver was used and a DNS server
+ returned a malformed response; the bug had appeared in 1.5.8.
+
+ *) Bugfix: requests might hang if resolver was used and a timeout
+ occurred during a DNS request.
+
+
+Changes with nginx 1.6.1 05 Aug 2014
+
+ *) Security: pipelined commands were not discarded after STARTTLS
+ command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
+ Thanks to Chris Boulton.
+
+ *) Bugfix: the $uri variable might contain garbage when returning errors
+ with code 400.
+ Thanks to Sergey Bobrov.
+
+ *) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug
+ had appeared in 1.5.6.
+ Thanks to Svyatoslav Nikolsky.
+
+
Changes with nginx 1.6.0 24 Apr 2014
*) 1.6.x stable branch.
|
|
[-]
[+]
|
Changed |
nginx-1.6.2.tar.bz2/CHANGES.ru
^
|
| @@ -1,4 +1,35 @@
+Изменения в nginx 1.6.2 16.09.2014
+
+ *) Безопасность: при использовании общего для нескольких блоков server
+ разделяемого кэша SSL-сессий или общего ключа для шифрования TLS
+ session tickets было возможно повторно использовать SSL-сессию в
+ контексте другого блока server (CVE-2014-3616).
+ Спасибо Antoine Delignat-Lavaud.
+
+ *) Исправление: запросы могли зависать, если использовался resolver и
+ DNS-сервер возвращал некорректный ответ; ошибка появилась в 1.5.8.
+
+ *) Исправление: запросы могли зависать, если использовался resolver и в
+ процессе обращения к DNS-серверу происходил таймаут.
+
+
+Изменения в nginx 1.6.1 05.08.2014
+
+ *) Безопасность: pipelined-команды не отбрасывались после команды
+ STARTTLS в SMTP прокси-сервере (CVE-2014-3556); ошибка появилась в
+ 1.5.6.
+ Спасибо Chris Boulton.
+
+ *) Исправление: переменная $uri могла содержать мусор при возврате
+ ошибок с кодом 400.
+ Спасибо Сергею Боброву.
+
+ *) Исправление: в работе параметра none директивы smtp_auth; ошибка
+ появилась в 1.5.6.
+ Спасибо Святославу Никольскому.
+
+
Изменения в nginx 1.6.0 24.04.2014
*) Стабильная ветка 1.6.x.
|
|
[-]
[+]
|
Changed |
nginx-1.6.2.tar.bz2/src/core/nginx.h
^
|
| @@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
-#define nginx_version 1006000
-#define NGINX_VERSION "1.6.0"
+#define nginx_version 1006002
+#define NGINX_VERSION "1.6.2"
#define NGINX_VER "nginx/" NGINX_VERSION
#define NGINX_VAR "NGINX"
|
|
[-]
[+]
|
Changed |
nginx-1.6.2.tar.bz2/src/core/ngx_resolver.c
^
|
| @@ -417,7 +417,7 @@
/* lock name mutex */
- if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
+ if (ctx->state == NGX_AGAIN) {
hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
@@ -664,7 +664,7 @@
}
ctx->event->handler = ngx_resolver_timeout_handler;
- ctx->event->data = ctx;
+ ctx->event->data = rn;
ctx->event->log = r->log;
ctx->ident = -1;
@@ -857,7 +857,7 @@
}
ctx->event->handler = ngx_resolver_timeout_handler;
- ctx->event->data = ctx;
+ ctx->event->data = rn;
ctx->event->log = r->log;
ctx->ident = -1;
@@ -949,7 +949,7 @@
/* lock addr mutex */
- if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
+ if (ctx->state == NGX_AGAIN) {
switch (ctx->addr.sockaddr->sa_family) {
@@ -1467,7 +1467,6 @@
goto failed;
}
- rn->naddrs6 = 0;
qident = (rn->query6[0] << 8) + rn->query6[1];
break;
@@ -1482,7 +1481,6 @@
goto failed;
}
- rn->naddrs = 0;
qident = (rn->query[0] << 8) + rn->query[1];
}
@@ -1507,6 +1505,8 @@
case NGX_RESOLVE_AAAA:
+ rn->naddrs6 = 0;
+
if (rn->naddrs == (u_short) -1) {
goto next;
}
@@ -1519,6 +1519,8 @@
default: /* NGX_RESOLVE_A */
+ rn->naddrs = 0;
+
if (rn->naddrs6 == (u_short) -1) {
goto next;
}
@@ -1539,6 +1541,8 @@
case NGX_RESOLVE_AAAA:
+ rn->naddrs6 = 0;
+
if (rn->naddrs == (u_short) -1) {
rn->code = (u_char) code;
goto next;
@@ -1548,6 +1552,8 @@
default: /* NGX_RESOLVE_A */
+ rn->naddrs = 0;
+
if (rn->naddrs6 == (u_short) -1) {
rn->code = (u_char) code;
goto next;
@@ -1817,6 +1823,25 @@
}
}
+ switch (qtype) {
+
+#if (NGX_HAVE_INET6)
+ case NGX_RESOLVE_AAAA:
+
+ if (rn->naddrs6 == (u_short) -1) {
+ rn->naddrs6 = 0;
+ }
+
+ break;
+#endif
+
+ default: /* NGX_RESOLVE_A */
+
+ if (rn->naddrs == (u_short) -1) {
+ rn->naddrs = 0;
+ }
+ }
+
if (rn->naddrs != (u_short) -1
#if (NGX_HAVE_INET6)
&& rn->naddrs6 != (u_short) -1
@@ -2766,13 +2791,21 @@
static void
ngx_resolver_timeout_handler(ngx_event_t *ev)
{
- ngx_resolver_ctx_t *ctx;
+ ngx_resolver_ctx_t *ctx, *next;
+ ngx_resolver_node_t *rn;
- ctx = ev->data;
+ rn = ev->data;
+ ctx = rn->waiting;
+ rn->waiting = NULL;
+
+ do {
+ ctx->state = NGX_RESOLVE_TIMEDOUT;
+ next = ctx->next;
- ctx->state = NGX_RESOLVE_TIMEDOUT;
+ ctx->handler(ctx);
- ctx->handler(ctx);
+ ctx = next;
+ } while (ctx);
}
|
|
[-]
[+]
|
Changed |
nginx-1.6.2.tar.bz2/src/event/ngx_event_openssl.c
^
|
| @@ -27,6 +27,8 @@
ngx_err_t err, char *text);
static void ngx_ssl_clear_error(ngx_log_t *log);
+static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
+ ngx_str_t *sess_ctx);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
ngx_ssl_session_t *sess);
@@ -1729,13 +1731,15 @@
SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
+ if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
return NGX_OK;
}
- SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
-
if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
/*
@@ -1792,6 +1796,96 @@
}
+static ngx_int_t
+ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
+{
+ int n, i;
+ X509 *cert;
+ X509_NAME *name;
+ EVP_MD_CTX md;
+ unsigned int len;
+ STACK_OF(X509_NAME) *list;
+ u_char buf[EVP_MAX_MD_SIZE];
+
+ /*
+ * Session ID context is set based on the string provided,
+ * the server certificate, and the client CA list.
+ */
+
+ EVP_MD_CTX_init(&md);
+
+ if (EVP_DigestInit_ex(&md, EVP_sha1(), NULL) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "EVP_DigestInit_ex() failed");
+ goto failed;
+ }
+
+ if (EVP_DigestUpdate(&md, sess_ctx->data, sess_ctx->len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "EVP_DigestUpdate() failed");
+ goto failed;
+ }
+
+ cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+
+ if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "X509_digest() failed");
+ goto failed;
+ }
+
+ if (EVP_DigestUpdate(&md, buf, len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "EVP_DigestUpdate() failed");
+ goto failed;
+ }
+
+ list = SSL_CTX_get_client_CA_list(ssl->ctx);
+
+ if (list != NULL) {
+ n = sk_X509_NAME_num(list);
+
+ for (i = 0; i < n; i++) {
+ name = sk_X509_NAME_value(list, i);
+
+ if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "X509_NAME_digest() failed");
+ goto failed;
+ }
+
+ if (EVP_DigestUpdate(&md, buf, len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "EVP_DigestUpdate() failed");
+ goto failed;
+ }
+ }
+ }
+
+ if (EVP_DigestFinal_ex(&md, buf, &len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "EVP_DigestUpdate() failed");
+ goto failed;
+ }
+
+ EVP_MD_CTX_cleanup(&md);
+
+ if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_session_id_context() failed");
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+
+failed:
+
+ EVP_MD_CTX_cleanup(&md);
+
+ return NGX_ERROR;
+}
+
+
ngx_int_t
ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
|
|
[-]
[+]
|
Changed |
nginx-1.6.2.tar.bz2/src/http/ngx_http_request.c
^
|
| @@ -1071,6 +1071,8 @@
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
if (ngx_http_parse_complex_uri(r, cscf->merge_slashes) != NGX_OK) {
+ r->uri.len = 0;
+
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent invalid request");
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
|
|
[-]
[+]
|
Changed |
nginx-1.6.2.tar.bz2/src/mail/ngx_mail_smtp_handler.c
^
|
| @@ -679,6 +679,11 @@
return NGX_OK;
}
+ if (s->args.nelts == 0) {
+ ngx_str_set(&s->out, smtp_invalid_argument);
+ return NGX_OK;
+ }
+
arg = s->args.elts;
arg += s->args.nelts - 1;
@@ -713,6 +718,11 @@
return NGX_OK;
}
+ if (s->args.nelts == 0) {
+ ngx_str_set(&s->out, smtp_invalid_argument);
+ return NGX_OK;
+ }
+
arg = s->args.elts;
arg += s->args.nelts - 1;
@@ -767,6 +777,9 @@
ngx_str_null(&s->smtp_from);
ngx_str_null(&s->smtp_to);
+ s->buffer->pos = s->buffer->start;
+ s->buffer->last = s->buffer->start;
+
c->read->handler = ngx_mail_starttls_handler;
return NGX_OK;
}
|
