-
nginx (1.22.0-1ubuntu1.1) kinetic-security; urgency=medium
* SECURITY UPDATE: memory corruption/disclosure issue
- debian/patches/CVE-2022-41741_41742.patch: disabled duplicate atoms in
Mp4
- CVE-2022-41741
- CVE-2022-41742
-- Nishit Majithia <email address hidden> Thu, 10 Nov 2022 12:10:13 +0530
-
nginx (1.22.0-1ubuntu1) kinetic; urgency=medium
* Merge with Debian unstable (LP: #1982626). Remaining changes:
- d/p/ubuntu-branding.patch: add Ubuntu branding
- d/apport/source_nginx.py: Add apport hooks for additional bug
information gathering.
- d/nginx-common.install: Add install rule for apport hooks.
- d/p/nginx-fix-pidfile.patch: Fix NGINX PIDfile handling to avoid
SystemD race condition - thanks to Tj for the patch. (LP #1581864)
- d/control: make nginx and nginx-full arch any, so that nginx-full
is no longer pulled into main because of i386 (LP #1893267)
- Remove the Lua modules from NGINX (Server Team Decision) - future support
for Lua module now requires resty-core from OpenResty, meaning that if
we want to continue to support the Lua module, we have to start becoming
OpenResty - users should just use OpenResty at this point for Lua.
Changes made for this removal:
+ d/control:
+ Remove lua module from dependencies, and binary build item.
+ Add "Breaks" line for nginx-lua for older versions of NGINX.
This is added to the nginx metapackage and nginx-extras.
+ d/rules: Remove Lua module from the build flags for -extras.
+ d/http-lua, d/modules/{,patches/,watch/}nginx-lua: Remove Lua
modules, watch file, module patches.
+ d/modules/control: Remove Lua module from definitions
+ d/copyright: Remove lua module.
+ d/tests/{control,lua/}: Remove Lua test entirely, remove
dependencies on any test which request
libnginx-mod-http-lua as it's gone.
- d/control: drop GeoIP from nginx-core due to demotion of libgeoip
(LP #1861101, LP #1867150):
+ remove libnginx-mod-http-geoip from nginx-core dependency
+ have nginx-core depend on libnginx-mod-stream-geoip2
instead of libnginx-mod-stream-geoip
+ adjust package descriptions accordingly
- d/control: (GeoIP2 related changes)
+ Update dependencies for http-geoip2 package to include libmaxminddb0.
+ Update nginx-core to include http-geoip2 module due to approved bin-MIR
(LP #1867198)
+ Move geoip2 module build flags to the common flags so all
package flavors have it.
+ Update dependencies for nginx-light, etc. to include
libnginx-mod-http-geoip2 as it's in the 'common build flags'
for all flavors of the builds.
+ Update package description for nginx-core to indicate geoip2
is included, and to list third party HTTP modules. GeoIP2
is not included for Stream by default, so we have to adjust
this because the Stream part isn't MIR'd.
* d/p/ubuntu-branding.patch: Reimplement patch to avoid conflicting on
(volatile) release version numbers when merging.
* d/m/p/http-subs-filter/pcre2.patch: Patch from debian 0d813834 to
fix FTBFS
* d/t/branding: Add autopkgtest to validate branding presence
-- Bryce Harrington <email address hidden> Fri, 22 Jul 2022 17:56:50 -0700
-
nginx (1.20.2-2ubuntu2) kinetic; urgency=medium
* d/http-lua: Remove another lua patch
-- Bryce Harrington <email address hidden> Fri, 15 Jul 2022 04:50:47 +0000
-
nginx (1.20.2-2ubuntu1) kinetic; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/p/ubuntu-branding.patch: add Ubuntu branding
- d/apport/source_nginx.py: Add apport hooks for additional bug
information gathering.
- d/nginx-common.install: Add install rule for apport hooks.
- d/p/nginx-fix-pidfile.patch: Fix NGINX PIDfile handling to avoid
SystemD race condition - thanks to Tj for the patch. (LP #1581864)
- d/control: make nginx and nginx-full arch any, so that nginx-full
is no longer pulled into main because of i386 (LP #1893267)
- Remove the Lua modules from NGINX (Server Team Decision) - future support
for Lua module now requires resty-core from OpenResty, meaning that if
we want to continue to support the Lua module, we have to start becoming
OpenResty - users should just use OpenResty at this point for Lua.
Changes made for this removal:
+ d/control:
+ Remove lua module from dependencies, and binary build item.
+ Add "Breaks" line for nginx-lua for older versions of NGINX.
This is added to the nginx metapackage and nginx-extras.
+ d/rules: Remove Lua module from the build flags for -extras.
+ d/modules/{,patches/,watch/}nginx-lua: Remove Lua module, watch file,
module patches.
+ d/modules/control: Remove Lua module from definitions
+ d/copyright: Remove lua module.
+ d/tests/{control,lua/}: Remove Lua test entirely, remove
dependencies on any test which request
libnginx-mod-http-lua as it's gone.
- d/control: drop GeoIP from nginx-core due to demotion of libgeoip
(LP #1861101, LP #1867150):
+ remove libnginx-mod-http-geoip from nginx-core dependency
+ have nginx-core depend on libnginx-mod-stream-geoip2
instead of libnginx-mod-stream-geoip
+ adjust package descriptions accordingly
- d/control: (GeoIP2 related changes)
+ Update dependencies for http-geoip2 package to include libmaxminddb0.
+ Update nginx-core to include http-geoip2 module due to approved bin-MIR
(LP #1867198)
+ Move geoip2 module build flags to the common flags so all
package flavors have it.
+ Update dependencies for nginx-light, etc. to include
libnginx-mod-http-geoip2 as it's in the 'common build flags'
for all flavors of the builds.
+ Update package description for nginx-core to indicate geoip2
is included, and to list third party HTTP modules. GeoIP2
is not included for Stream by default, so we have to adjust
this because the Stream part isn't MIR'd.
* d/p/ubuntu-branding.patch: Refresh
* Dropped:
- DNS Resolver Off-by-One Heap Write
+ debian/patches/CVE-2021-23017.patch: fix logic in
src/core/ngx_resolver.c.
[Not needed: Replaced by upstream patches in separate commit]
- DNS Resolver issues
+ debian/patches/CVE-2021-23017-1.patch: fixed off-by-one write in
src/core/ngx_resolver.c.
+ debian/patches/CVE-2021-23017-2.patch: fixed off-by-one read in
src/core/ngx_resolver.c.
+ debian/patches/CVE-2021-23017.patch: removed, replaced with upstream
commits.
[Included in upstream release 1.20.1]
- ALPACA TLS issue
+ debian/patches/CVE-2021-3618.patch: specify the number of
errors after which the connection is closed in
src/mail/ngx_mail.h, src/mail/ngx_mail_core_module.c and
src/mail/ngx_mail_handler.c.
[Included in Debian release 1.20.2-2]
-- Bryce Harrington <email address hidden> Tue, 12 Jul 2022 10:23:53 -0700
-
nginx (1.18.0-6ubuntu14.1) jammy-security; urgency=medium
* SECURITY UPDATE: ALPACA TLS issue
- debian/patches/CVE-2021-3618.patch: specify the number of
errors after which the connection is closed in
src/mail/ngx_mail.h, src/mail/ngx_mail_core_module.c and
src/mail/ngx_mail_handler.c.
- CVE-2021-3618
-- David Fernandez Gonzalez <email address hidden> Wed, 27 Apr 2022 12:56:57 +0200
-
nginx (1.18.0-6ubuntu14) jammy; urgency=medium
* No-change rebuild to update maintainer scripts, see LP: 1959054
-- Dave Jones <email address hidden> Wed, 16 Feb 2022 17:10:20 +0000
