similar to: nginx security advisory (CVE-2013-2028)

éÚÍÅÎÅÎÉÑ × nginx 1.4.1 07.05.2013 *) âÅÚÏÐÁÓÎÏÓÔØ: ÐÒÉ ÏÂÒÁÂÏÔËÅ ÓÐÅÃÉÁÌØÎÏ ÓÏÚÄÁÎÎÏÇÏ ÚÁÐÒÏÓÁ ÍÏÇ ÐÅÒÅÚÁÐÉÓÙ×ÁÔØÓÑ ÓÔÅË ÒÁÂÏÞÅÇÏ ÐÒÏÃÅÓÓÁ, ÞÔÏ ÍÏÇÌÏ ÐÒÉ×ÏÄÉÔØ Ë ×ÙÐÏÌÎÅÎÉÀ ÐÒÏÉÚ×ÏÌØÎÏÇÏ ËÏÄÁ (CVE-2013-2028); ÏÛÉÂËÁ ÐÏÑ×ÉÌÁÓØ × 1.3.9. óÐÁÓÉÂÏ Greg MacManus, iSIGHT Partners Labs. -- Maxim Dounin

éÚÍÅÎÅÎÉÑ × nginx 1.5.0 07.05.2013 *) âÅÚÏÐÁÓÎÏÓÔØ: ÐÒÉ ÏÂÒÁÂÏÔËÅ ÓÐÅÃÉÁÌØÎÏ ÓÏÚÄÁÎÎÏÇÏ ÚÁÐÒÏÓÁ ÍÏÇ ÐÅÒÅÚÁÐÉÓÙ×ÁÔØÓÑ ÓÔÅË ÒÁÂÏÞÅÇÏ ÐÒÏÃÅÓÓÁ, ÞÔÏ ÍÏÇÌÏ ÐÒÉ×ÏÄÉÔØ Ë ×ÙÐÏÌÎÅÎÉÀ ÐÒÏÉÚ×ÏÌØÎÏÇÏ ËÏÄÁ (CVE-2013-2028); ÏÛÉÂËÁ ÐÏÑ×ÉÌÁÓØ × 1.3.9. óÐÁÓÉÂÏ Greg MacManus, iSIGHT Partners Labs. -- Maxim Dounin

éÚÍÅÎÅÎÉÑ × nginx 1.3.15 26.03.2013 *) éÚÍÅÎÅÎÉÅ: ÏÔËÒÙÔÉÅ É ÚÁËÒÙÔÉÅ ÓÏÅÄÉÎÅÎÉÑ ÂÅÚ ÏÔÐÒÁ×ËÉ × Î£Í ËÁËÉÈ-ÌÉÂÏ ÄÁÎÎÙÈ ÂÏÌØÛÅ ÎÅ ÚÁÐÉÓÙ×ÁÅÔÓÑ × access_log Ó ËÏÄÏÍ ÏÛÉÂËÉ 400. *) äÏÂÁ×ÌÅÎÉÅ: ÍÏÄÕÌØ ngx_http_spdy_module. óÐÁÓÉÂÏ Automattic ÚÁ ÓÐÏÎÓÉÒÏ×ÁÎÉÅ ÒÁÚÒÁÂÏÔËÉ. *) äÏÂÁ×ÌÅÎÉÅ: ÄÉÒÅËÔÉ×Ù limit_req_status É

Changes with nginx 1.3.9 27 Nov 2012 *) Feature: support for chunked transfer encoding while reading client request body. *) Feature: the $request_time and $msec variables can now be used not only in the "log_format" directive. *) Bugfix: cache manager and cache loader processes might not be able to start if more

Changes with nginx 0.7.66 07 Jun 2010 *) Security: now nginx/Windows ignores default file stream name. Thanks to Jose Antonio Vazquez Gonzalez. *) Change: now the charset filter runs before the SSI filter. *) Change: now no message is written in an error log if a variable is not found by $r->variable() method. *) Change:

Changes with nginx 0.8.35 01 Apr 2010 *) Change: now the charset filter runs before the SSI filter. *) Feature: the "chunked_transfer_encoding" directive. *) Bugfix: an "&" character was not escaped when it was copied in arguments part in a rewrite rule. *) Bugfix: nginx might be terminated abnormally while

Changes with nginx 1.0.1 03 May 2011 *) Change: now the "split_clients" directive uses MurmurHash2 algorithm because of better distribution. Thanks to Oleg Mamontov. *) Change: now long strings starting with zero are not considered as false values. Thanks to Maxim Dounin. *) Change: now nginx uses a

Changes with nginx 1.0.5 19 Jul 2011 *) Change: now default SSL ciphers are "HIGH:!aNULL:!MD5". Thanks to Rob Stradling. *) Feature: the "referer_hash_max_size" and "referer_hash_bucket_size" directives. Thanks to Witold Filipczyk. *) Feature: $uid_reset variable. *) Bugfix: a

Changes with nginx 1.2.8 02 Apr 2013 *) Bugfix: new sessions were not always stored if the "ssl_session_cache shared" directive was used and there was no free space in shared memory. Thanks to Piotr Sikora. *) Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest

Hello! Four security issues were identified in nginx HTTP/3 implementation, which might allow an attacker that uses a specially crafted QUIC session to cause a worker process crash (CVE-2024-31079, CVE-2024-32760, CVE-2024-35200), worker process memory disclosure on systems with MTU larger than 4096 bytes (CVE-2024-34161), or might have potential other impact (CVE-2024-31079, CVE-2024-32760).

Hello! В реализации HTTP/3 в nginx были обнаружены четыре проблемы, которые позволяют атакующему с помощью специально созданной QUIC-сессии вызвать падение рабочего процесса (CVE-2024-31079, CVE-2024-32760, CVE-2024-35200), отправку клиенту части содержимого памяти рабочего процесса на системах с MTU больше 4096 байт (CVE-2024-34161), а также потенциально могут иметь другие последствия

A security issue was identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash by using a specially crafted mp4 file (CVE-2024-7347). The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the “mp4” directive is used in the configuration file. Further, the attack is only possible if an attacker is

В модуле ngx_http_mp4_module была обнаружена проблема, которая позволяет с помощью специально созданного mp4-файла вызвать падение рабочего процесса (CVE-2024-7347). Проблеме подвержен nginx, если он собран с модулем ngx_http_mp4_module (по умолчанию не собирается) и директива mp4 используется в конфигурационном файле. При этом атака возможна только в случае, если атакующий имеет возможность

éÚÍÅÎÅÎÉÑ × nginx 1.2.0 23.04.2012 *) éÓÐÒÁ×ÌÅÎÉÅ: × ÒÁÂÏÞÅÍ ÐÒÏÃÅÓÓÅ ÍÏÇ ÐÒÏÉÚÏÊÔÉ segmentation fault, ÅÓÌÉ ÉÓÐÏÌØÚÏ×ÁÌÁÓØ ÄÉÒÅËÔÉ×Á try_files; ÏÛÉÂËÁ ÐÏÑ×ÉÌÁÓØ × 1.1.19. *) éÓÐÒÁ×ÌÅÎÉÅ: ÏÔ×ÅÔ ÍÏÇ ÂÙÔØ ÐÅÒÅÄÁÎ ÎÅ ÐÏÌÎÏÓÔØÀ, ÅÓÌÉ ÉÓÐÏÌØÚÏ×ÁÌÏÓØ ÂÏÌØÛÅ IOV_MAX ÂÕÆÅÒÏ×. *) éÓÐÒÁ×ÌÅÎÉÅ: × ÒÁÂÏÔÅ ÐÁÒÁÍÅÔÒÁ crop ÄÉÒÅËÔÉ×Ù

Changes with nginx 0.9.2 06 Dec 2010 *) Feature: the "If-Unmodified-Since" client request header line support. *) Workaround: fallback to accept() syscall if accept4() was not implemented; the issue had appeared in 0.9.0. *) Bugfix: nginx could not be built on Cygwin; the issue had appeared in 0.9.0. *)

éÚÍÅÎÅÎÉÑ × nginx 1.1.18 28.03.2012 *) éÚÍÅÎÅÎÉÅ: ÔÅÐÅÒØ keepalive ÓÏÅÄÉÎÅÎÉÑ ÎÅ ÚÁÐÒÅÝÅÎÙ ÄÌÑ Safari ÐÏ ÕÍÏÌÞÁÎÉÀ. *) äÏÂÁ×ÌÅÎÉÅ: ÐÅÒÅÍÅÎÎÁÑ $connection_requests. *) äÏÂÁ×ÌÅÎÉÅ: ÐÅÒÅÍÅÎÎÙÅ $tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd É $tcpinfo_rcv_space. *) äÏÂÁ×ÌÅÎÉÅ: ÄÉÒÅËÔÉ×Á worker_cpu_affinity ÔÅÐÅÒØ ÒÁÂÏÔÁÅÔ ÎÁ

Changes with nginx 1.2.7 12 Feb 2013 *) Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order. *) Change: the "add_header" directive adds headers to 201 responses. *) Feature: the "geo" directive now supports IPv6 addresses in CIDR

Changes with nginx 1.0.15 12 Apr 2012 *) Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley. *) Bugfix: in the ngx_http_mp4_module. Maxim Dounin

Changes with nginx 1.3.10 25 Dec 2012 *) Change: domain names specified in configuration file are now resolved to IPv6 addresses as well as IPv4 ones. *) Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order. *) Change: the "add_header"

Changes with nginx 1.1.14 30 Jan 2012 *) Feature: multiple "limit_req" limits may be used simultaneously. *) Bugfix: in error handling while connecting to a backend. Thanks to Piotr Sikora. *) Bugfix: in AIO error handling on FreeBSD. *) Bugfix: in the OpenSSL library initialization. *) Bugfix: the