
Commit 8ba170f

committed
update nginx to 1.27.4
1 parent 6e28307 commit 8ba170f

32 files changed

+1312
-112
lines changed

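--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,34 @@
 
+Changes with nginx 1.27.4 05 Feb 2025
+
+*) Security: insufficient check in virtual servers handling with TLSv1.3
+SNI allowed to reuse SSL sessions in a different virtual server, to
+bypass client SSL certificates verification (CVE-2025-23419).
+
+*) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
+"proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
+"uwsgi_ssl_certificate_cache" directives.
+
+*) Feature: the "keepalive_min_timeout" directive.
+
+*) Workaround: "gzip filter failed to use preallocated memory" alerts
+appeared in logs when using zlib-ng.
+
+*) Bugfix: nginx could not build libatomic library using the library
+sources if the --with-libatomic=DIR option was used.
+
+*) Bugfix: QUIC connection might not be established when using 0-RTT;
+the bug had appeared in 1.27.1.
+
+*) Bugfix: nginx now ignores QUIC version negotiation packets from
+clients.
+
+*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
+ngx_http_v3_module.
+
+*) Bugfixes in HTTP/3.
+
+
 Changes with nginx 1.27.3 26 Nov 2024
 
 *) Feature: the "server" directive in the "upstream" block supports the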

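--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,35 @@
 
+Изменения в nginx 1.27.4 05.02.2025
+
+*) Безопасность: недостаточная проверка в обработке виртуальных серверов
+при использовании SNI в TLSv1.3 позволяла повторно использовать
+SSL-сессию в контексте другого виртуального сервера, чтобы обойти
+проверку клиентских SSL-сертификатов (CVE-2025-23419).
+
+*) Добавление: директивы ssl_object_cache_inheritable,
+ssl_certificate_cache, proxy_ssl_certificate_cache,
+grpc_ssl_certificate_cache и uwsgi_ssl_certificate_cache.
+
+*) Добавление: директива keepalive_min_timeout.
+
+*) Изменение: при использовании zlib-ng в логах появлялись сообщения
+"gzip filter failed to use preallocated memory".
+
+*) Исправление: nginx не мог собрать библиотеку libatomic из исходных
+текстов, если использовался параметр --with-libatomic=DIR.
+
+*) Исправление: могла происходить ошибка установления соединения при
+использовании 0-RTT в QUIC; ошибка появилась в 1.27.1.
+
+*) Исправление: теперь nginx игнорирует пакеты согласования версий QUIC
+от клиентов.
+
+*) Исправление: nginx не собирался на Solaris 10 и более ранних с
+модулем ngx_http_v3_module.
+
+*) Исправления в HTTP/3.
+
+
 Изменения в nginx 1.27.3 26.11.2024
 
 *) Добавление: директива server в блоке upstream поддерживает параметр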

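--- a/LICENSE
+++ b/LICENSE
@@ -1,5 +1,5 @@
 Copyright (C) 2002-2021 Igor Sysoev
-Copyright (C) 2011-2024 Nginx, Inc.
+Copyright (C) 2011-2025 Nginx, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without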

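--- a/README.md
+++ b/README.md
@@ -12,9 +12,9 @@
 ```shell
 
 --add-module=module/ngx_http_autoblacklist_module \
---with-http-hi-lua-version=lua5.3 \
+--with-http-hi-lua-version=lua5.4 \
 --add-module=module/ngx_http_lua_module \
---with-http-hi-python-version=python-3.8-embed \
+--with-http-hi-python-version=python-3.10-embed \
 --add-module=module/ngx_http_py_module \
 --add-module=module/ngx_http_java_module \
 --add-module=module/ngx_http_cpp_module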

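--- a/SECURITY.md
+++ b/SECURITY.md
@@ -69,8 +69,7 @@ limiting, or buffer size configurations, or applying changes is impractical.
 Availability issues excluded from the security release process:
 - Local file content or upstream response content resulting only in worker
 process termination.
-- Issues with experimental features which result only in worker process
-termination.
+- Issues with experimental features which result only in availability impact.
 
 ## Trusted Configurations and Misconfigurations
 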

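--- a/auto/lib/libatomic/conf
+++ b/auto/lib/libatomic/conf
@@ -7,8 +7,8 @@ if [ $NGX_LIBATOMIC != YES ]; then
 
 have=NGX_HAVE_LIBATOMIC . auto/have
 CORE_INCS="$CORE_INCS $NGX_LIBATOMIC/src"
-LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/src/libatomic_ops.a"
-CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/src/libatomic_ops.a"
+LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"
+CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"
 
 else
 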

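--- a/auto/lib/libatomic/make
+++ b/auto/lib/libatomic/make
@@ -3,14 +3,19 @@
 # Copyright (C) Nginx, Inc.
 
 
+case $NGX_LIBATOMIC in
+/*) ngx_prefix="$NGX_LIBATOMIC/build" ;;
+*) ngx_prefix="$PWD/$NGX_LIBATOMIC/build" ;;
+esac
+
 cat << END >> $NGX_MAKEFILE
 
-$NGX_LIBATOMIC/src/libatomic_ops.a: $NGX_LIBATOMIC/Makefile
-cd $NGX_LIBATOMIC && \$(MAKE)
+$NGX_LIBATOMIC/build/lib/libatomic_ops.a: $NGX_LIBATOMIC/Makefile
+cd $NGX_LIBATOMIC && \$(MAKE) && \$(MAKE) install
 
 $NGX_LIBATOMIC/Makefile: $NGX_MAKEFILE
 cd $NGX_LIBATOMIC \\
 && if [ -f Makefile ]; then \$(MAKE) distclean; fi \\
-&& ./configure
+&& ./configure --prefix=$ngx_prefix
 
 END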
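Review bot: The new `case $NGX_LIBATOMIC in` block that derives `ngx_prefix` has no comment saying why a relative `--with-libatomic=DIR` is prefixed with `$PWD`; the generated rule runs `cd $NGX_LIBATOMIC` before `./configure --prefix=$ngx_prefix`, so a relative prefix would presumably be resolved inside the library tree rather than under the nginx build directory, and the `$PWD` form avoids that. Suggest adding `# configure runs after "cd $NGX_LIBATOMIC", so the install prefix must be absolute` above the `case`. The `build/lib/libatomic_ops.a` path written into the Makefile target here must match the one hardcoded in auto/lib/libatomic/conf, which this commit also changes; a one-line comment at either site naming the other would keep them from drifting apart.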

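--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version 1027003
-#define NGINX_VERSION "1.27.3"
+#define nginx_version 1027004
+#define NGINX_VERSION "1.27.4"
 #define NGINX_VER "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD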

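--- a/src/core/ngx_core.h
+++ b/src/core/ngx_core.h
@@ -26,6 +26,7 @@ typedef struct ngx_event_aio_s ngx_event_aio_t;
 typedef struct ngx_connection_s ngx_connection_t;
 typedef struct ngx_thread_task_s ngx_thread_task_t;
 typedef struct ngx_ssl_s ngx_ssl_t;
+typedef struct ngx_ssl_cache_s ngx_ssl_cache_t;
 typedef struct ngx_proxy_protocol_s ngx_proxy_protocol_t;
 typedef struct ngx_quic_stream_s ngx_quic_stream_t;
 typedef struct ngx_ssl_connection_s ngx_ssl_connection_t;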

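--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -562,15 +562,23 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
 
 ngx_int_t
 ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
-ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords)
+ngx_str_t *cert, ngx_str_t *key, ngx_ssl_cache_t *cache,
+ngx_array_t *passwords)
 {
 char *err;
 X509 *x509;
+u_long n;
 EVP_PKEY *pkey;
+ngx_uint_t mask;
 STACK_OF(X509) *chain;
 
-chain = ngx_ssl_cache_connection_fetch(pool, NGX_SSL_CACHE_CERT, &err,
-cert, NULL);
+mask = 0;
+
+retry:
+
+chain = ngx_ssl_cache_connection_fetch(cache, pool,
+NGX_SSL_CACHE_CERT | mask,
+&err, cert, NULL);
 if (chain == NULL) {
 if (err != NULL) {
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
@@ -610,8 +618,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
 
 #endif
 
-pkey = ngx_ssl_cache_connection_fetch(pool, NGX_SSL_CACHE_PKEY, &err,
-key, passwords);
+pkey = ngx_ssl_cache_connection_fetch(cache, pool,
+NGX_SSL_CACHE_PKEY | mask,
+&err, key, passwords);
 if (pkey == NULL) {
 if (err != NULL) {
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
@@ -623,9 +632,23 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
 }
 
 if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) {
+EVP_PKEY_free(pkey);
+
+/* there can be mismatched pairs on uneven cache update */
+
+n = ERR_peek_last_error();
+
+if (ERR_GET_LIB(n) == ERR_LIB_X509
+&& ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
+&& mask == 0)
+{
+ERR_clear_error();
+mask = NGX_SSL_CACHE_INVALIDATE;
+goto retry;
+}
+
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
 "SSL_use_PrivateKey(\"%s\") failed", key->data);
-EVP_PKEY_free(pkey);
 return NGX_ERROR;
 }
 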
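Review bot: The retry path in the third hunk is documented only by "there can be mismatched pairs on uneven cache update", which does not say that the backward `goto retry` can fire at most once (the `mask == 0` test) or that `NGX_SSL_CACHE_INVALIDATE` on the second pass is what forces both the certificate and the key to be re-fetched instead of served from the cache. Suggest replacing that line with `/* cert and key may have been refreshed at different times; retry once with NGX_SSL_CACHE_INVALIDATE so both are re-read, then fail */` and adding `/* reached a second time only with mask == NGX_SSL_CACHE_INVALIDATE */` after the `retry:` label in the first hunk. The code that installs the first-pass `x509` and `chain` into `c->ssl->connection` lies between the hunks and is outside this view, so whether those objects are owned by the SSL object or must be released before the second fetch cannot be confirmed here; a one-line ownership note at `retry:` would settle that for the next reader. The enclosing function continues past the last hunk.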
