nginx.git, branch release-1.15.12 nginx nginx-1.15.12-RELEASE 2019-04-16T14:54:58+00:00 Maxim Dounin mdounin@mdounin.ru 2019-04-16T14:54:58+00:00 baa377ce76850a8bc3a70e7c6d20bf51de23a596 






Updated PCRE used for win32 builds.
2019-04-16T13:32:44+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-16T13:32:44+00:00

4ca32d6eb3e0d99e72cc325fd016007bf4caa864












Fixed incorrect length handling in ngx_utf8_length().
2019-04-15T17:14:07+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-15T17:14:07+00:00

f09eae2a7586c5149fe7eaa497c8ff1be684270f

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.





Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.







OCSP stapling: fixed segfault with dynamic certificate loading.
2019-04-15T16:13:09+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-15T16:13:09+00:00

5784889fb907485978919b91c2c7f6bf0c4843e3

If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.

The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().

Fix is to explicitly check SSL_get_certificate() result.





If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.

The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().

Fix is to explicitly check SSL_get_certificate() result.







Version bump.
2019-04-15T16:13:06+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-15T16:13:06+00:00

aaa1a5706033bd0e33de7beb237e52e2a19a3245












release-1.15.11 tag
2019-04-09T13:00:30+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-09T13:00:30+00:00

50e6faf2a45da885c4aed56775dfa1a09a007025












nginx-1.15.11-RELEASE
2019-04-09T13:00:30+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-09T13:00:30+00:00

9cbe05233918330212cbe4509e143de2197dbbb0












Win32: avoid using CFLAGS, just add define instead.
2019-04-04T19:56:41+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-04T19:56:41+00:00

09752fce1f04f95c05ac9cb275f91ee9ba72d564

With CFLAGS set as in 7da71a7b141a, OpenSSL compilation drops various
non-important compiler options.  To avoid this, a define is added
instead - OpenSSL is smart enough to recognize -D... in Configure
arguments.





With CFLAGS set as in 7da71a7b141a, OpenSSL compilation drops various
non-important compiler options.  To avoid this, a define is added
instead - OpenSSL is smart enough to recognize -D... in Configure
arguments.







Win32: defined pdb path.
2019-04-04T16:30:47+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-04-04T16:30:47+00:00

df8cb313697a9c2574db30be2e494656265c1f59

By default, MSVC uses vc<version>.pdb in the current directory.
With the "-Fd" switch it is directed to be in the objs directory instead.





By default, MSVC uses vc<version>.pdb in the current directory.
With the "-Fd" switch it is directed to be in the objs directory instead.







Win32: preserving binary compatibility with Windows XP - Vista.
2019-04-04T13:26:56+00:00

Sergey Kandaurov
pluknet@nginx.com

2019-04-04T13:26:56+00:00

ce912de835153ce465b4a192e291ef0b96806baa

OpenSSL 1.1.0 and above uses BCrypt if available (Windows 7 or higher).
This results in an unusable binary on older Windows versions, when building
with newer Windows SDK (such as 7.0A).  Using CFLAGS to define _WIN32_WINNT
allows to set a desired ABI and make sure the binary works with Windows XP.

To not mix with other potential CFLAGS uses, it is set in GNUmakefile.





OpenSSL 1.1.0 and above uses BCrypt if available (Windows 7 or higher).
This results in an unusable binary on older Windows versions, when building
with newer Windows SDK (such as 7.0A).  Using CFLAGS to define _WIN32_WINNT
allows to set a desired ABI and make sure the binary works with Windows XP.

To not mix with other potential CFLAGS uses, it is set in GNUmakefile.