Change logs for nginx source package in Bionic

  • nginx (1.14.0-0ubuntu1.11) bionic-security; urgency=medium
    
      * SECURITY UPDATE: memory corruption/disclosure issue
        - debian/patches/CVE-2022-41741_41742.patch: disabled duplicate atoms in
          Mp4
        - CVE-2022-41741
        - CVE-2022-41742
    
     -- Nishit Majithia <email address hidden>  Thu, 10 Nov 2022 12:08:23 +0530
  • nginx (1.14.0-0ubuntu1.10) bionic-security; urgency=medium
    
      * SECURITY UPDATE: ALPACA TLS issue
        - debian/patches/CVE-2021-3618.patch: specify the number of
          errors after which the connection is closed in
          src/mail/ngx_mail.h, src/mail/ngx_mail_core_module.c and
          src/mail/ngx_mail_handler.c.
        - CVE-2021-3618
      * SECURITY UPDATE: request mutation by unsafe characters
        - Add input validation to requests in Lua module in
          debian/modules/http-lua/src/ngx_http_lua_control.c,
          debian/modules/http-lua/src/ngx_http_lua_headers_in.c,
          debian/modules/http-lua/src/ngx_http_lua_headers_out.c,
          debian/modules/http-lua/src/ngx_http_lua_uri.c,
          debian/modules/http-lua/src/ngx_http_lua_util.h and
          debian/modules/http-lua/src/ngx_http_lua_util.h.
        - CVE-2020-36309
      * SECURITY UPDATE: request smuggling in ngx.location.capture
        - Add manual crafting of Content-Length in case request is
          chunked in
          debian/modules/http-lua/src/ngx_http_lua_subrequest.c.
        - CVE-2020-11724
    
     -- David Fernandez Gonzalez <email address hidden>  Tue, 12 Apr 2022 11:00:15 +0200
  • nginx (1.14.0-0ubuntu1.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: DNS Resolver issues
        - debian/patches/CVE-2021-23017-1.patch: fixed off-by-one write in
          src/core/ngx_resolver.c.
        - debian/patches/CVE-2021-23017-2.patch: fixed off-by-one read in
          src/core/ngx_resolver.c.
        - CVE-2021-23017
    
     -- Marc Deslauriers <email address hidden>  Tue, 25 May 2021 13:11:02 -0400
  • nginx (1.14.0-0ubuntu1.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: request smuggling via error_page
        - debian/patches/CVE-2019-20372.patch: discard request body when
          redirecting to a URL via error_page in
          src/http/ngx_http_special_response.c.
        - CVE-2019-20372
    
     -- Marc Deslauriers <email address hidden>  Fri, 10 Jan 2020 14:18:38 -0500
  • nginx (1.14.0-0ubuntu1.6) bionic-security; urgency=medium
    
      * No change rebuild in -security pocket now that OpenSSL 1.1.1 is
        available.
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Aug 2019 08:46:02 -0400
  • nginx (1.14.0-0ubuntu1.5) bionic; urgency=medium
    
      * No change rebuild for bionic outside of security pocket to pick up
        OpenSSL 1.1.1. (LP: #1840404)
    
     -- Marc Deslauriers <email address hidden>  Fri, 16 Aug 2019 07:05:57 -0400
  • nginx (1.14.0-0ubuntu1.4) bionic-security; urgency=medium
    
      * SECURITY UPDATE: HTTP/2 Data Dribble issue
        - debian/patches/CVE-2019-9511.patch: limited number of DATA frames in
          src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h,
          src/http/v2/ngx_http_v2_filter_module.c.
        - CVE-2019-9511
      * SECURITY UPDATE: HTTP/2 Resource Loop / Priority Shuffling issue
        - debian/patches/CVE-2019-9513.patch: limited number of PRIORITY frames
          in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
        - CVE-2019-9513
      * SECURITY UPDATE: HTTP/2 0-Length Headers Leak issue
        - debian/patches/CVE-2019-9516.patch: reject zero length headers with
          PROTOCOL_ERROR in src/http/v2/ngx_http_v2.c.
        - CVE-2019-9516
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Aug 2019 14:44:40 -0400
  • nginx (1.14.0-0ubuntu1.3) bionic; urgency=medium
    
      * No changes rebuild (to build against OpenSSL 1.1.1 in Bionic)
        (LP: #1836366)
    
     -- Thomas Ward <email address hidden>  Fri, 12 Jul 2019 14:18:43 -0400
  • nginx (1.14.0-0ubuntu1.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: excessive memory consumption in HTTP/2 implementation
        - debian/patches/CVE-2018-16843.patch: add flood detection in
          src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
        - CVE-2018-16843
      * SECURITY UPDATE: excessive CPU usage in HTTP/2 implementation
        - debian/patches/CVE-2018-16844.patch: limit the number of idle state
          switches in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
        - CVE-2018-16844
      * SECURITY UPDATE: infinite loop in ngx_http_mp4_module
        - debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
          src/http/modules/ngx_http_mp4_module.c.
        - CVE-2018-16845
    
     -- Marc Deslauriers <email address hidden>  Tue, 06 Nov 2018 13:54:15 -0500
  • nginx (1.14.0-0ubuntu1.1) bionic; urgency=medium
    
      * Stable Release Update. Do not attempt to start nginx if other daemon
        is binding to port 80, to prevent install failure (LP: #1782226):
        - d/nginx-{core,light,full,extras}.postinst: Add checks for whether
          port 80 is in use or not to determine whether or not to attempt
          starting of the NGINX service during install/upgrade.
        - d/control: Add dependencies to nginx-{core,light,full,extras} on
          `iproute2` as the postinst scripts now use `ss` to determine if
          Port 80 is open or not.
    
     -- Andres Rodriguez <email address hidden>  Mon, 20 Aug 2018 18:41:42 -0400
  • nginx (1.14.0-0ubuntu1) bionic; urgency=medium
    
      * New upstream stable release (1.14.0)
      * Upstream changelogs can be found at http://nginx.org/en/CHANGES-1.14
      * There are no functional changes or new features in this release,
        and the only change is a version number change.
      * Remaining Ubuntu-specific changes:
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
    
     -- Thomas Ward <email address hidden>  Tue, 17 Apr 2018 12:17:58 -0400
  • nginx (1.13.12-0ubuntu1) bionic; urgency=medium
    
      * New upstream releases (1.13.11, 1.13.12)
      * Upstream changelogs can be found at https://nginx.org/en/CHANGES
      * Remaining Ubuntu-specific changes:
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
    
     -- Thomas Ward <email address hidden>  Mon, 16 Apr 2018 11:43:01 -0400
  • nginx (1.13.10-1ubuntu1) bionic; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
      * Drop:
        - debian/patches/0002-Make-sure-signature-stays-the-same-in-
          all-nginx-buil.patch:  Refreshed patch - Merge-o-Matic introduced some
          fuzz which caused issues.
          [ Does not seem necessary ]
        - d/control: drop mention of SSL Preread from nginx-full, nginx-extras
          [ Previously undocumented ]
        - d/gbp.conf: update for 1.12 release
          [ Previously undocumented ]
        - d/p/0003-define_gnu_source-on-other-glibc-based-platforms.patch:
          Refresh patch.
          [ Previously undocumented ]
    
    nginx (1.13.10-1) unstable; urgency=medium
    
      * New upstream version
    
    nginx (1.13.9-1) unstable; urgency=medium
    
      [ Michael Lustfield ]
      * Remove non-uploading users
    
      [ Christos Trochalakis ]
      * New upstream version 1.13.9
      * Move packaging repository to salsa.debian.org
      * Bump Standards-Version to 4.1.3, no changes needed
    
    nginx (1.13.8-1) unstable; urgency=medium
    
      * New upstream release.
    
    nginx (1.13.7-1) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * New upstream version 1.13.7
      * Bump Standards-Version, no changes needed
      * debian/watch: switch to HTTPS for the upstream check
    
      [ Mpampis Kostas ]
      * Automate modules watch & upgrade process (Closes: #869499)
    
      [ Christos Trochalakis ]
      * Bits & pieces for ngxmod
      * http-headers-more-filter: Upgrade to 0.33
      * http-echo: Upgrade to 0.61
      * http-lua: Upgrade to 0.10.11
      * http-dav-ext: Upgrade to 0.1.0 (Closes: #878611)
      * http-fancyindex: Upgrade to 0.4.2
      * rtmp: Upgrade to 1.2.1 (Closes: #880718)
    
     -- Nishanth Aravamudan <email address hidden>  Thu, 05 Apr 2018 15:43:49 -0700
  • nginx (1.13.6-2ubuntu2) bionic; urgency=high
    
      * No change rebuild against openssl1.1.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 05 Feb 2018 16:51:17 +0000
  • nginx (1.13.6-2ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/patches/ubuntu-branding.patch: add Ubuntu branding (refreshed)
        - d/{control,rules,nginx-core.*}: add new binary package for main,
          nginx-core, which contains only source-tarball-included modules
          and no third-party modules.
        - debian/tests/control: add nginx-core test.
        - debian/apport/source_nginx.py: Add apport hooks for additional bug
          information gathering.
        - debian/nginx-common.install: Add install rule for apport hooks.
        - debian/rules: Alter build flags for cflags and ldflags to fix known
          fPIE / fPIC compilation issues (see nginx PPA bug for more details
          and information, LP: #1657596)
        - debian/patches/0002-Make-sure-signature-stays-the-same-in-
          all-nginx-buil.patch:  Refreshed patch - Merge-o-Matic introduced some
          fuzz which caused issues.
    
     -- Thomas Ward <email address hidden>  Tue, 12 Dec 2017 12:15:30 -0500
  • nginx (1.12.1-0ubuntu2) artful; urgency=medium
    
      * No-change rebuild for perl 5.26.0.
    
     -- Matthias Klose <email address hidden>  Wed, 26 Jul 2017 20:11:43 +0000