-
nginx (1.14.0-0ubuntu1.11) bionic-security; urgency=medium
  * SECURITY UPDATE: memory corruption/disclosure issue
    - debian/patches/CVE-2022-41741_41742.patch: disabled duplicate atoms in
      Mp4
    - CVE-2022-41741
    - CVE-2022-41742
-- Nishit Majithia <email address hidden> Thu, 10 Nov 2022 12:08:23 +0530
-
nginx (1.14.0-0ubuntu1.10) bionic-security; urgency=medium
  * SECURITY UPDATE: ALPACA TLS issue
    - debian/patches/CVE-2021-3618.patch: specify the number of
      errors after which the connection is closed in
      src/mail/ngx_mail.h, src/mail/ngx_mail_core_module.c and
      src/mail/ngx_mail_handler.c.
    - CVE-2021-3618
  * SECURITY UPDATE: request mutation by unsafe characters
    - Add input validation to requests in Lua module in
      debian/modules/http-lua/src/ngx_http_lua_control.c,
      debian/modules/http-lua/src/ngx_http_lua_headers_in.c,
      debian/modules/http-lua/src/ngx_http_lua_headers_out.c,
      debian/modules/http-lua/src/ngx_http_lua_uri.c,
      debian/modules/http-lua/src/ngx_http_lua_util.h and
      debian/modules/http-lua/src/ngx_http_lua_util.h.
    - CVE-2020-36309
  * SECURITY UPDATE: request smuggling in ngx.location.capture
    - Add manual crafting of Content-Length in case request is
      chunked in
      debian/modules/http-lua/src/ngx_http_lua_subrequest.c.
    - CVE-2020-11724
-- David Fernandez Gonzalez <email address hidden> Tue, 12 Apr 2022 11:00:15 +0200
-
nginx (1.14.0-0ubuntu1.9) bionic-security; urgency=medium
  * SECURITY UPDATE: DNS Resolver issues
    - debian/patches/CVE-2021-23017-1.patch: fixed off-by-one write in
      src/core/ngx_resolver.c.
    - debian/patches/CVE-2021-23017-2.patch: fixed off-by-one read in
      src/core/ngx_resolver.c.
    - CVE-2021-23017
-- Marc Deslauriers <email address hidden> Tue, 25 May 2021 13:11:02 -0400
-
nginx (1.14.0-0ubuntu1.7) bionic-security; urgency=medium
  * SECURITY UPDATE: request smuggling via error_page
    - debian/patches/CVE-2019-20372.patch: discard request body when
      redirecting to a URL via error_page in
      src/http/ngx_http_special_response.c.
    - CVE-2019-20372
-- Marc Deslauriers <email address hidden> Fri, 10 Jan 2020 14:18:38 -0500
-
nginx (1.14.0-0ubuntu1.6) bionic-security; urgency=medium
  * No change rebuild in -security pocket now that OpenSSL 1.1.1 is
    available.
-- Marc Deslauriers <email address hidden> Tue, 20 Aug 2019 08:46:02 -0400
-
nginx (1.14.0-0ubuntu1.5) bionic; urgency=medium
  * No change rebuild for bionic outside of security pocket to pick up
    OpenSSL 1.1.1. (LP: #1840404)
-- Marc Deslauriers <email address hidden> Fri, 16 Aug 2019 07:05:57 -0400
-
nginx (1.14.0-0ubuntu1.4) bionic-security; urgency=medium
  * SECURITY UPDATE: HTTP/2 Data Dribble issue
    - debian/patches/CVE-2019-9511.patch: limited number of DATA frames in
      src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h,
      src/http/v2/ngx_http_v2_filter_module.c.
    - CVE-2019-9511
  * SECURITY UPDATE: HTTP/2 Resource Loop / Priority Shuffling issue
    - debian/patches/CVE-2019-9513.patch: limited number of PRIORITY frames
      in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    - CVE-2019-9513
  * SECURITY UPDATE: HTTP/2 0-Length Headers Leak issue
    - debian/patches/CVE-2019-9516.patch: reject zero length headers with
      PROTOCOL_ERROR in src/http/v2/ngx_http_v2.c.
    - CVE-2019-9516
-- Marc Deslauriers <email address hidden> Wed, 14 Aug 2019 14:44:40 -0400
-
nginx (1.14.0-0ubuntu1.3) bionic; urgency=medium
  * No changes rebuild (to build against OpenSSL 1.1.1 in Bionic)
    (LP: #1836366)
-- Thomas Ward <email address hidden> Fri, 12 Jul 2019 14:18:43 -0400
-
nginx (1.14.0-0ubuntu1.2) bionic-security; urgency=medium
  * SECURITY UPDATE: excessive memory consumption in HTTP/2 implementation
    - debian/patches/CVE-2018-16843.patch: add flood detection in
      src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    - CVE-2018-16843
  * SECURITY UPDATE: excessive CPU usage in HTTP/2 implementation
    - debian/patches/CVE-2018-16844.patch: limit the number of idle state
      switches in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    - CVE-2018-16844
  * SECURITY UPDATE: infinite loop in ngx_http_mp4_module
    - debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
      src/http/modules/ngx_http_mp4_module.c.
    - CVE-2018-16845
-- Marc Deslauriers <email address hidden> Tue, 06 Nov 2018 13:54:15 -0500
-
nginx (1.14.0-0ubuntu1.1) bionic; urgency=medium
  * Stable Release Update. Do not attempt to start nginx if other daemon
    is binding to port 80, to prevent install failure (LP: #1782226):
    - d/nginx{core,light,full,extras}.postinst: Add checks for whether
      port 80 is in use or not to determine whether or not to attempt
      starting of the NGINX service during install/upgrade.
    - d/control: Add dependencies to nginx-{core,light,full,extras} on
      `iproute2` as the postinst scripts now use `ss` to determine if
      Port 80 is open or not.
-- Andres Rodriguez <email address hidden> Mon, 20 Aug 2018 18:41:42 -0400
-
nginx (1.14.0-0ubuntu1) bionic; urgency=medium
  * New upstream stable release (1.14.0)
  * Upstream changelogs can be found at http://nginx.org/en/CHANGES-1.14
  * There are no functional changes or new features in this release,
    and the only change is a version number change.
  * Remaining Ubuntu-specific changes:
    - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
    - d/{control,rules,nginx-core.*}: add new binary package for main,
      nginx-core, which contains only source-tarball-included modules
      and no third-party modules.
    - debian/tests/control: add nginx-core test.
    - debian/apport/source_nginx.py: Add apport hooks for additional bug
      information gathering.
    - debian/nginx-common.install: Add install rule for apport hooks.
-- Thomas Ward <email address hidden> Tue, 17 Apr 2018 12:17:58 -0400
-
nginx (1.13.12-0ubuntu1) bionic; urgency=medium
  * New upstream releases (1.13.11, 1.13.12)
  * Upstream changelogs can be found at https://nginx.org/en/CHANGES
  * Remaining Ubuntu-specific changes:
    - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
    - d/{control,rules,nginx-core.*}: add new binary package for main,
      nginx-core, which contains only source-tarball-included modules
      and no third-party modules.
    - debian/tests/control: add nginx-core test.
    - debian/apport/source_nginx.py: Add apport hooks for additional bug
      information gathering.
    - debian/nginx-common.install: Add install rule for apport hooks.
-- Thomas Ward <email address hidden> Mon, 16 Apr 2018 11:43:01 -0400
-
nginx (1.13.10-1ubuntu1) bionic; urgency=medium
  * Merge with Debian unstable. Remaining changes:
    - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
    - d/{control,rules,nginx-core.*}: add new binary package for main,
      nginx-core, which contains only source-tarball-included modules
      and no third-party modules.
    - debian/tests/control: add nginx-core test.
    - debian/apport/source_nginx.py: Add apport hooks for additional bug
      information gathering.
    - debian/nginx-common.install: Add install rule for apport hooks.
  * Drop:
    - debian/patches/0002-Make-sure-signature-stays-the-same-in-
      all-nginx-buil.patch: Refreshed patch - Merge-o-Matic introduced some
      fuzz which caused issues.
      [ Does not seem necessary ]
    - d/control: drop mention of SSL Preread from nginx-full, nginx-extras
      [ Previously undocumented ]
    - d/gbp.conf: update for 1.12 release
      [ Previously undocumented ]
    - d/p/0003-define_gnu_source-on-other-glibc-based-platforms.patch:
      Refresh patch.
      [ Previously undocumented ]

nginx (1.13.10-1) unstable; urgency=medium
  * New upstream version

nginx (1.13.9-1) unstable; urgency=medium
  [ Michael Lustfield ]
  * Remove non-uploading users
  [ Christos Trochalakis ]
  * New upstream version 1.13.9
  * Move packaging repository to salsa.debian.org
  * Bump Standards-Version to 4.1.3, no changes needed

nginx (1.13.8-1) unstable; urgency=medium
  * New upstream release.

nginx (1.13.7-1) unstable; urgency=medium
  [ Christos Trochalakis ]
  * New upstream version 1.13.7
  * Bump Standards-Version, no changes needed
  * debian/watch: switch to HTTPS for the upstream check
  [ Mpampis Kostas ]
  * Automate modules watch & upgrade process (Closes: #869499)
  [ Christos Trochalakis ]
  * Bits & pieces for ngxmod
  * http-headers-more-filter: Upgrade to 0.33
  * http-echo: Upgrade to 0.61
  * http-lua: Upgrade to 0.10.11
  * http-dav-ext: Upgrade to 0.1.0 (Closes: #878611)
  * http-fancyindex: Upgrade to 0.4.2
  * rtmp: Upgrade to 1.2.1 (Closes: #880718)
-- Nishanth Aravamudan <email address hidden> Thu, 05 Apr 2018 15:43:49 -0700
-
nginx (1.13.6-2ubuntu2) bionic; urgency=high
  * No change rebuild against openssl1.1.
-- Dimitri John Ledkov <email address hidden> Mon, 05 Feb 2018 16:51:17 +0000
-
nginx (1.13.6-2ubuntu1) bionic; urgency=low
  * Merge from Debian unstable. Remaining changes:
    - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
    - d/{control,rules,nginx-core.*}: add new binary package for main,
      nginx-core, which contains only source-tarball-included modules
      and no third-party modules.
    - debian/tests/control: add nginx-core test.
    - debian/apport/source_nginx.py: Add apport hooks for additional bug
      information gathering.
    - debian/nginx-common.install: Add install rule for apport hooks.
    - debian/rules: Alter build flags for cflags and ldflags to fix known
      fPIE / fPIC compilation issues (see nginx PPA bug for more details
      and information, LP: #1657596)
    - debian/patches/0002-Make-sure-signature-stays-the-same-in-
      all-nginx-buil.patch: Refreshed patch - Merge-o-Matic introduced some
      fuzz which caused issues.
-- Thomas Ward <email address hidden> Tue, 12 Dec 2017 12:15:30 -0500
-
nginx (1.12.1-0ubuntu2) artful; urgency=medium
  * No-change rebuild for perl 5.26.0.
-- Matthias Klose <email address hidden> Wed, 26 Jul 2017 20:11:43 +0000