From ecd0fc5d81541e1263a7cc35c632242e33c4082e Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Tue, 16 Feb 2021 18:54:00 +0300 Subject: Version bump. --- docs/changes.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 6cf8e849..02a8653f 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -5,6 +5,14 @@ + + + + + + -- cgit From 1950d0aee2bc95f1cb6a07349f11eb5e5f6edf5c Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Tue, 2 Mar 2021 19:33:37 +0300 Subject: Closing app outgoing shared memory file descriptor. This fixes file descriptor leakage in router. Shared memory file used to send data from router to application. These files are shared among all processes of same application and router keeps the opened file descriptor since 06017e6e3a5f commit. --- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 02a8653f..b8c76089 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -9,6 +9,12 @@ date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +a descriptor leak occurring in the router process when removing or +reconfiguring an application; the bug had appeared in 1.19.0. + + -- cgit From a1107e859b5f401261d378fc251667bcf2272536 Mon Sep 17 00:00:00 2001 
From: Valentin Bartenev Date: Mon, 15 Mar 2021 14:57:01 +0300 Subject: Fixed TLS connection shutdown on errors. An immediate return statement on connection errors was mistakenly added to the beginning of nxt_openssl_conn_io_shutdown() in ecd3c5bbf7d8, breaking the TLS connection finalization procedure. As a result, a TLS connection was left unfinalized if it had been closed prematurely or a fatal protocol error had occurred, which caused memory and socket descriptor leakage. Moreover, in some cases (notably, on handshake errors in tests with kqueue on macOS) the read event was triggered later and nxt_h1p_conn_error() was called the second time; after the change in af93c866b4f0, the latter call crashed the router process in an attempt to remove a connection from the idle queue twice. --- docs/changes.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index b8c76089..d9d25e5c 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -9,6 +9,20 @@ date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +the router process could crash on premature TLS connection close; the bug had +appeared in 1.17.0. + + + + + +a connection leak occurring on premature TLS connection close; the bug had +appeared in 1.6. + + + a descriptor leak occurring in the router process when removing or -- cgit From b0a1266835386590c65ec433759c5cc1063bd472 Mon Sep 17 00:00:00 2001 
From: Valentin Bartenev Date: Mon, 15 Mar 2021 14:57:31 +0300 Subject: Fixed certificates loading on startup with some filesystems. It appears that readdir() on Linux detects file types unreliably, always setting the "d_type" field to DT_UNKNOWN for some less common filesystems. As a result, all files were skipped and no certificate bundles were found when the state directory was located on such filesystems. Skipping "." and ".." instead of any non-regular files should be enough, as no other non-regular files normally appear in this directory. This closes #368 issue on GitHub. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index d9d25e5c..07decb2a 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -30,6 +30,13 @@ reconfiguring an application; the bug had appeared in 1.19.0. + + +persistent storage of certificates might've not worked with some filesystems in +Linux, and all uploaded certificate bundles were forgotten after restart. + + + -- cgit From 4c261a7ff8f2b2af08cc2cdee6828af4a1cf7794 Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Mon, 15 Mar 2021 15:03:32 +0300 Subject: Ruby: fixed encodings initialization. The Ruby interpreter expects an explicit setlocale() call before initialization to pick up character encodings in the "Encoding" class from the environment. This closes #531 issue on GitHub. --- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 07decb2a..2f68083d 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -37,6 +37,12 @@ Linux, and all uploaded certificate bundles were forgotten after restart. + + +the Ruby module didn't respect user locale for defaults in the Encoding class. + + + -- cgit From 99337728edbc38ac979b0f23805dbe74920a6bc2 Mon Sep 17 00:00:00 2001 
From: Valentin Bartenev Date: Mon, 15 Mar 2021 15:03:32 +0300 Subject: Fixed building the PHP 5 module with ZTS, broken by dab8544b5440. This closes #525 issue on GitHub. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 2f68083d..22adc2dd 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -43,6 +43,13 @@ the Ruby module didn't respect user locale for defaults in the Encoding class. + + +the PHP 5 module failed to build with thread safety enabled; the bug had +appeared in 1.22.0. + + + -- cgit From f18a41c84bb573607eaab9fec0c070cd159493f0 Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Wed, 24 Mar 2021 16:38:05 +0300 Subject: Certificates: fixed counting DNS SAN entries. Previously, entries of any type were counted during object allocation but only DNS type entries were actually processed. As a result, if some certificate entries had another type, returning information about the certificate caused uninitialized memory access. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 22adc2dd..ad963c40 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -37,6 +37,13 @@ Linux, and all uploaded certificate bundles were forgotten after restart. + + +the controller process could crash while requesting information about a +certificate with a non-DNS SAN entry. + + + the Ruby module didn't respect user locale for defaults in the Encoding class. -- cgit From 699a3ea2ebc86f9e9dc9d59e1d9db488ac4ff352 Mon Sep 17 00:00:00 2001 
From: Valentin Bartenev Date: Wed, 24 Mar 2021 16:55:47 +0300 Subject: Certificates: fixed in name attributes processing. The idea is to put SAN after CN, but the previous version of the code incorrectly assumed that CN was always present, which caused writes outside the allocated object if there were no standard name attributes. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index ad963c40..3c25481a 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -44,6 +44,13 @@ certificate with a non-DNS SAN entry. + + +the controller process could crash on manipulations with a certificate +containing a SAN and no standart name attributes in subject or issuer. + + + the Ruby module didn't respect user locale for defaults in the Encoding class. -- cgit From b33babcedaa032b901aa37aa57da46e6116509f0 Mon Sep 17 00:00:00 2001 From: Konstantin Pavlov Date: Wed, 24 Mar 2021 18:45:45 +0300 Subject: Added build system support for a man page. --- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 3c25481a..009866bb 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -9,6 +9,12 @@ date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +"--mandir" ./configure option to specify the directory for man page installation. + + + the router process could crash on premature TLS connection close; the bug had -- cgit From d2b0882d89f29fea84b457e0709b6980c8a30a57 Mon Sep 17 00:00:00 2001 From: Andrey Suvorov Date: Wed, 24 Mar 2021 13:19:36 -0700 Subject: Added ability to configure multiple certificates on a listener. The certificate is selected by matching the arriving SNI to the common name and the alternative names. If no certificate matches the name, the first bundle in the array is chosen. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') 
diff --git a/docs/changes.xml b/docs/changes.xml index 009866bb..cca6bbc4 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -9,6 +9,13 @@ date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +support for multiple certificate bundles on a listener via Server Name +Indication (SNI) TLS extension. + + + "--mandir" ./configure option to specify the directory for man page installation. -- cgit From b8052b050e0111400c59f35e76c013d8ee553ea9 Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Thu, 25 Mar 2021 16:55:16 +0300 Subject: Fixing shm buffer leakage when sending over the port queue. When the shm buffer is sent over the port queue, it needs to be completed because it's sent over the port socket. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index cca6bbc4..89c4630d 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -36,6 +36,13 @@ appeared in 1.6. + + +a descriptor and memory leak occurring in the router process when processing +small WebSocket frames from a client; the bug had appeared in 1.19.0. + + + a descriptor leak occurring in the router process when removing or -- cgit From 0e91854ad470b760f1814baa565e8dfdc28d2282 Mon Sep 17 00:00:00 2001 From: Artem Konev Date: Thu, 25 Mar 2021 14:03:45 +0000 Subject: Fixed wording in docs/changes.xml for the 1.23.0 release. --- docs/changes.xml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 89c4630d..7b27caf0 100644 --- a/docs/changes.xml +++ b/docs/changes.xml 
@@ -11,14 +11,15 @@ -support for multiple certificate bundles on a listener via Server Name +support for multiple certificate bundles on a listener via the Server Name Indication (SNI) TLS extension. -"--mandir" ./configure option to specify the directory for man page installation. +"--mandir" ./configure option to specify the directory for man page +installation. @@ -31,21 +32,21 @@ appeared in 1.17.0. -a connection leak occurring on premature TLS connection close; the bug had +a connection leak occurred on premature TLS connection close; the bug had appeared in 1.6. -a descriptor and memory leak occurring in the router process when processing +a descriptor and memory leak occurred in the router process when processing small WebSocket frames from a client; the bug had appeared in 1.19.0. -a descriptor leak occurring in the router process when removing or +a descriptor leak occurred in the router process when removing or reconfiguring an application; the bug had appeared in 1.19.0. @@ -67,13 +68,14 @@ certificate with a non-DNS SAN entry. the controller process could crash on manipulations with a certificate -containing a SAN and no standart name attributes in subject or issuer. +containing a SAN and no standard name attributes in subject or issuer. -the Ruby module didn't respect user locale for defaults in the Encoding class. +the Ruby module didn't respect the user locale for defaults in the Encoding +class. -- cgit From 6ecc9e81980550a35183cd19640da1982f10f28a Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Thu, 25 Mar 2021 17:14:27 +0300 Subject: Added version 1.23.0 CHANGES. --- docs/changes.xml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 7b27caf0..7656c15a 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -5,8 +5,30 @@ + + + + +NGINX Unit updated to 1.23.0. + + + + + + -- cgit
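
Review bot: In the @@ -30,6 +30,13 @@ hunk of "Fixed certificates loading on startup with some filesystems", "might've not worked" reads awkwardly; "might not have worked" is the usual form. The commit message also rests on the assumption that only ".", ".." and regular files appear in the state directory; if that ever stops holding, a stat() fallback for entries whose d_type is DT_UNKNOWN would keep the regular-file check without skipping every file on these filesystems.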
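
Review bot: The entry added at @@ -37,6 +37,13 @@ by the DNS SAN counting fix (f18a41c84bb573607eaab9fec0c070cd159493f0) has no "the bug had appeared in ..." clause, unlike the neighbouring bugfix entries for the descriptor leak (1.19.0) and the PHP 5 build (1.22.0). Since the commit message attributes the crash to uninitialized memory access when certificate information is returned, naming the first affected version would let operators tell whether their controller process is affected.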
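
Review bot: In the @@ -44,6 +44,13 @@ hunk of "Certificates: fixed in name attributes processing", the added entry misspells "standard" as "standart", and it describes the bug only as a possible controller crash although the commit message says the old code wrote outside the allocated object when CN was absent. Suggest correcting the spelling in this commit rather than in the later wording commit, and phrasing the entry so readers can tell it is an out-of-bounds write reached through a certificate with a SAN and no standard name attributes, which is a stronger reason to upgrade than a crash.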
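
Review bot: The entry added at @@ -9,6 +9,13 @@ by "Added ability to configure multiple certificates on a listener" omits the fallback stated in the commit message: when the arriving SNI matches no certificate, the first bundle in the array is chosen. That makes the order of the array significant, so the changelog or the accompanying documentation should say so; otherwise a client asking for an unconfigured name receives a certificate the operator may not have meant as the default.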
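
Review bot: The entry added at @@ -36,6 +36,13 @@ by "Fixing shm buffer leakage when sending over the port queue" ties the leak to small WebSocket frames from a client, but the commit message never mentions WebSocket, and its only explanation ("it needs to be completed because it's sent over the port socket") does not say why a buffer sent over the port queue was left uncompleted. A sentence in the commit message linking the port-queue path to the WebSocket case would make the changelog claim checkable from the history.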