nginx.git, branch release-1.17.10

nginx-1.17.10-RELEASE

2020-04-14T14:19:26+00:00

Updated OpenSSL used for win32 builds.

2020-04-14T12:15:16+00:00

The new auth_delay directive for delaying unauthorized requests.

2020-04-07T22:02:17+00:00

The request processing is delayed by a timer.  Since nginx updates
internal time once at the start of each event loop iteration, this
normally ensures constant time delay, adding a mitigation from
time-based attacks.

A notable exception to this is the case when there are no additional
events before the timer expires.  To ensure constant-time processing
in this case as well, we trigger an additional event loop iteration
by posting a dummy event for the next event loop iteration.

Auth basic: explicitly zero out password buffer.

2020-03-12T23:12:10+00:00

Version bump.

2020-03-16T09:41:41+00:00

release-1.17.9 tag

2020-03-03T15:04:21+00:00

nginx-1.17.9-RELEASE

2020-03-03T15:04:21+00:00

Updated PCRE used for win32 builds.

2020-03-03T15:03:28+00:00

Simplified subrequest finalization.

2020-02-28T16:54:13+00:00

Now it looks similar to what it was before background subrequests were
introduced in 9552758a786e.

Fixed premature background subrequest finalization.

2020-03-02T17:07:36+00:00

When "aio" or "aio threads" is used while processing the response body of an
in-memory background subrequest, the subrequest could be finalized with an aio
operation still in progress.  Upon aio completion either parent request is
woken or the old r->write_event_handler is called again.  The latter may result
in request errors.  In either case post_subrequest handler is never called with
the full response body, which is typically expected when using in-memory
subrequests.

Currently in nginx background subrequests are created by the upstream module
and the mirror module.  The issue does not manifest itself with these
subrequests because they are header-only.  But it can manifest itself with
third-party modules which create in-memory background subrequests.