Change logs for nginx source package in Trusty

  • nginx (1.4.6-1ubuntu3.9) trusty-security; urgency=medium
    
      * SECURITY UPDATE: infinite loop in ngx_http_mp4_module
        - debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
          src/http/modules/ngx_http_mp4_module.c.
        - CVE-2018-16845
    
     -- Marc Deslauriers <email address hidden>  Tue, 06 Nov 2018 13:56:34 -0500
  • nginx (1.4.6-1ubuntu3.8) trusty-security; urgency=medium
    
      * SECURITY UPDATE: integer overflow in range filter leading to
        information exposure
        - debian/patches/CVE-2017-7529.patch: add check to ensure size does
          not overflow
        - CVE-2017-7529
    
     -- Steve Beattie <email address hidden>  Wed, 12 Jul 2017 02:59:32 -0700
  • nginx (1.4.6-1ubuntu3.7) trusty-security; urgency=medium
    
      * SECURITY REGRESSION: config upgrade failure (LP: #1637058)
        - debian/nginx-common.config: fix return code so script doesn't exit.
    
     -- Marc Deslauriers <email address hidden>  Thu, 27 Oct 2016 10:42:53 -0400
  • nginx (1.4.6-1ubuntu3.6) trusty-security; urgency=medium
    
      [ Christos Trochalakis ]
      * debian/nginx-common.postinst:
        + Secure log file handling (owner & permissions) against privilege
          escalation attacks. /var/log/nginx is now owned by root:adm.
          Thanks Dawid Golunski (http://legalhackers.com) for the report.
          Changing /var/log/nginx permissions effectively reopens #701112,
          since log files can be world-readable. This is a trade-off until
          a better log opening solution is implemented upstream (trac:376).
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2016 11:12:58 +0200
  • nginx (1.4.6-1ubuntu3.5) trusty-security; urgency=medium
    
      * SECURITY UPDATE: Null pointer dereference while writing client request
        body (LP: #1587577)
        - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
        - CVE-2016-4450
    
     -- Thomas Ward <email address hidden>  Tue, 31 May 2016 20:23:03 -0400
  • nginx (1.4.6-1ubuntu3.4) trusty-security; urgency=medium
    
      * SECURITY UPDATE: multiple resolver security issues (LP: #1538165)
        - debian/patches/CVE-2016-074x-1.patch: fix possible segmentation fault
          on DNS format error.
        - debian/patches/CVE-2016-074x-2.patch: fix crashes in timeout handler.
        - debian/patches/CVE-2016-074x-3.patch: fixed CNAME processing for
          several requests.
        - debian/patches/CVE-2016-074x-4.patch: change the
          ngx_resolver_create_*_query() arguments.
        - debian/patches/CVE-2016-074x-5.patch: fix use-after-free memory
          accesses with CNAME.
        - debian/patches/CVE-2016-074x-6.patch: limited CNAME recursion.
        - CVE-2016-0742
        - CVE-2016-0743
        - CVE-2016-0744
    
     -- Marc Deslauriers <email address hidden>  Wed, 03 Feb 2016 09:12:00 -0500
  • nginx (1.4.6-1ubuntu3.3) trusty-proposed; urgency=medium
    
      * debian/nginx-common.nginx.init: Fix pidfile extraction, due to multiple
        failure cases, using Debian's solution. (LP: #1314740)
    
     -- Thomas Ward <email address hidden>  Wed, 29 Jul 2015 19:43:04 -0400
  • nginx (1.4.6-1ubuntu3.2) trusty-proposed; urgency=medium
    
      * d/modules/nginx-http-push: Apply upstream bugfix. (LP: #1216817)
        * src/ngx_http_push_module_setup.c: Modify push module code with
          upstream changes to fix an issue with initialization when using
          `fastcgi_cache` or `proxy_cache`.
        * tests/nginx-cachemanager.conf: (new file) Include upstream change
          of adding an nginx-cachemanager.conf file to the tests.
     -- Thomas Ward <email address hidden>   Mon, 09 Feb 2015 12:08:50 -0500
  • nginx (1.4.6-1ubuntu3.1) trusty-security; urgency=medium
    
      * SECURITY UPDATE: incorrect cached SSL session reuse (LP: #1370478)
        - debian/patches/CVE-2014-3616.patch: include hash of certificate in
          session id context in src/event/ngx_event_openssl.c.
        - CVE-2014-3616
     -- Marc Deslauriers <email address hidden>   Wed, 17 Sep 2014 08:56:46 -0400
  • nginx (1.4.6-1ubuntu3) trusty; urgency=medium
    
      * Add new binary package for main, nginx-core, which contains only
        source-tarball-included modules and no third-party modules.
      * Changes to debian/ directory:
        - control:
          + Add entry for nginx-core and nginx-core-dbg.
        - rules:
          + Add nginx-core flavor to the build rules.
        - nginx-core.*: Add new packaging files for nginx-core based on
          the packaging files for nginx-full.
      * The above changes satisfy the requirements for main (LP: #1262710)
     -- Thomas Ward <email address hidden>   Mon, 10 Mar 2014 18:23:36 -0400
  • nginx (1.4.6-1ubuntu2) trusty; urgency=medium
    
      * debian/rules: Drop from -O3 to -O2 to work around a build failure.
     -- Adam Conrad <email address hidden>   Sun, 09 Mar 2014 11:49:28 -0600
  • nginx (1.4.6-1ubuntu1) trusty; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/patches/ubuntu-branding.patch: Add Ubuntu branding.
    
    nginx (1.4.6-1) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * New upstream release.
      * debian/rules:
        + Avoid double declaration of hardening flags.
        + Expand buildflags so the build log is easier to follow.
        + Switch to --with-cc-opt, --with-ld-opt configure flags.
          Nginx is now compiled with --Werror, making all warnings
          into errors.
        + Split common configure options.
        + Enable realip module for nginx-light.
        + Enable debug module for nginx-light and nginx-extras.
      * debian/patches/perl-use-dpkg-buildflags.patch:
        + Rewrite patch to just override LDDLFLAGS and not
          CCFLAGS since this is handled by --with-cc-opt.
      * debian/watch, debian/upstream/signing-key.asc:
        + Fix upstream signature verification.
     -- Adam Conrad <email address hidden>   Sun, 09 Mar 2014 11:13:26 -0600
  • nginx (1.4.5-1ubuntu1) trusty; urgency=medium
    
      * Resynchronise with Debian (LP: #1280511).  Remaining changes:
        - debian/patches/ubuntu-branding.patch:
          + Add Ubuntu branding to server_tokens.
    
    nginx (1.4.5-1) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * New upstream release.
      * debian/modules/nginx-lua:
        + Update nginx-lua to v0.9.4
      * debian/nginx-naxsi-ui.preinst:
        + Fix exit status issue (Closes: #735152)
      * debian/control:
        + Fix arch:all to arch:any dependencies
        + Make nginx depend on specific flavor version
      * debian/nginx-*.postinst:
        + Make nginx start by default (Closes: #735551)
      * debian/nginx-*.prerm:
        + No need to check for invoke-rc.d,
          correctly set the exit code on error
      * debian/nginx-common.nginx.init:
        + Rewrite some parts of the initscript
        + Introduce rotate command
        + Introduce upgrade command
    
    nginx (1.4.4-4) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * debian/nginx-common.postinst:
        + Fix log re-opening issue due to wrong /var/log/nginx
          permissions. (Closes: #734139)
    
    nginx (1.4.4-3) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * debian/nginx-naxsi-ui.postinst:
        + Fix early exit issue (Closes: #715435)
     -- Colin Watson <email address hidden>   Sat, 15 Feb 2014 03:05:42 +0000
  • nginx (1.4.4-4ubuntu1) trusty; urgency=medium
    
      * Resynchronise with Debian.  Remaining changes:
        - debian/patches/ubuntu-branding.patch:
          + Add Ubuntu branding to server_tokens.
    
    nginx (1.4.4-4) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * debian/nginx-common.postinst:
        + Fix log re-opening issue due to wrong /var/log/nginx
          permissions. (Closes: #734139)
    
    nginx (1.4.4-3) unstable; urgency=medium
    
      [ Christos Trochalakis ]
      * debian/nginx-naxsi-ui.postinst:
        + Fix early exit issue (Closes: #715435)
     -- Colin Watson <email address hidden>   Wed, 08 Jan 2014 01:40:55 +0000
  • nginx (1.4.4-2ubuntu1) trusty; urgency=medium
    
      * Resynchronise with Debian.  Remaining changes:
        - debian/patches/ubuntu-branding.patch:
          + Add Ubuntu branding to server_tokens.
    
    nginx (1.4.4-2) unstable; urgency=low
    
      [ Michael Lustfield ]
      * debian/control:
        + Added Provides: httpd-cgi to packages. (Closes: #701508)
        + Added other options to nginx depends. (Closes: #729860)
        + Added Spdy to nginx-full package description.
      * debian/nginx-common.nginx.init:
        + Added missing line from patch. (Closes: #728103)
      * debian/conf/sites-available/default:
        + Changed ssl_protocols and ssl_ciphers. (Closes: 730142)
      * debian/nginx-common.preinst:
        + Modify permissions of /var/log/nginx. (Closes: #701112)
      * debian/rules:
        + Added spdy support to nginx-full. (Closes: #730432)
    
      [ Christos Trochalakis ]
      * debian/nginx-doc,docs, debian/nginx-common.NEWS:
        + Ship NEWS with nginx-common instead of nginx-doc.
      * debian/conf/proxy_params:
        + Host header should be passed unmodified to the proxied server.
        + Pass X-Forwarded-Proto header to the proxied server.
      * debian/control:
        + Fix nginx-naxsi-ui Depends and Conflicts lines.
    
      [ Neutron Soutmun ]
      * debian/patches/guard-use-of-deprecated-openssl-definition.patch:
        + Fix FTBFS against the recent libssl-dev. (Closes: #733107)
    
      [ Kartik Mistry ]
      * debian/control:
        + Updated to Standards-Version 3.9.5
      * debian/watch, debian/upstream-signing-key.pgp:
        + Use upstream PGP signature to verify by watch file.
     -- Colin Watson <email address hidden>   Sat, 28 Dec 2013 10:21:44 +0000
  • nginx (1.4.4-1ubuntu1) trusty; urgency=low
    
      * Resynchronise with Debian (LP: #1253691).  Remaining changes:
        - debian/patches/ubuntu-branding.patch:
          + Add Ubuntu branding to server_tokens.
    
    nginx (1.4.4-1) unstable; urgency=low
    
      [ Christos Trochalakis ]
      * New upstream release. (Closes: #730012)
      * debian/nginx-*.postinst:
        + Wait for the new master to write its pid file before sending QUIT to the
          old master. This solves an issue with systemd and the upgrade mechanism.
          Systemd receives the SIGCHLD from the old master but it can't see the new
          pid because the new master has not written it yet. As a result, it kills
          everything inside the cgroup, including the new master.
      * debian/modules/ngx-fancyindex:
        + Upgrade Fancy Index module to v0.3.3 (Closes: #728721)
      * debian/control:
        + Remove Upload module from nginx-extras description (Closes: #729003)
    
      [ Michael Lustfield ]
      * debian/control:
        + Added spdy to package description (Closes: #728038)
      * debian/nginx-common.nginx.init:
        + Showing better start/stop messages. Thanks Pim van den Berg.
          (Closes: #728103)
     -- Colin Watson <email address hidden>   Fri, 22 Nov 2013 12:23:25 +0000
  • nginx (1.4.3-2ubuntu1) trusty; urgency=low
    
      * Resynchronise with Debian.  Remaining changes:
        - debian/patches/ubuntu-branding.patch:
          + Add Ubuntu branding to server_tokens.
    
    nginx (1.4.3-2) unstable; urgency=low
    
      [ Kartik Mistry ]
      * Renamed debian/nginx-common.service to debian/nginx-common.nginx.service so
        it is installed properly for systemd. Thanks to Christos Trochalakis.
      * Set debian/compat to 9 and updated debhelper dependency.
    
      [ Christos Trochalakis ]
      * debian/rules, debian/nginx-common.dirs,
        debian/debian-common.nginx.logrotate:
        + Switch to dh_installlogrotate.
      * debian/rules:
        + *-stamp files are deleted by dh_clean.
        + Remove unused mime-types target.
        + Remove not needed config.sub and config.guess targets.
      * debian/nginx-common.dirs:
        + Don't ship an empty /run dir.
      * debian/nginx-{light,full,extras}.lintian-overrides:
        + Override false lintian spelling error warning.
    
    nginx (1.4.3-1) unstable; urgency=low
    
      [ Cyril Lavier ]
      * debian/nginx-naxsi-ui.postinst, debian/nginx-naxsi-ui.preinst:
        + Added missing arguments to have clean postinst/preinst scripts.
      * debian/conf/fastcgi_params:
        + Defined fastcgi param HTTPS the same as upstream default.
          (Closes: #712989)
    
      [ Michael Lustfield ]
      * conf/sites-available/default:
        + Removed /doc/ section per bug #715804.
    
      [ Christos Trochalakis ]
      * New upstream release. (Closes: #722640)
      * debian/nginx-common.nginx.init:
        + Better pidfile extraction from nginx.conf. We now accept multiple
          spaces and tabs as a field separator.
      * debian/modules/nginx-auth-pam:
        + Fixed upstream bug. (Closes: #721702)
      * debian/watch:
        + Only check for stable releases.
      * debian/conf/sites-available/default:
        + Correctly fall back to 404 when the requested file is missing.
          (Closes: #724232)
      * debian/logrotate:
        + Gracefully handle empty pidfile in logrotate script.
          (Closes: #696797)
    
      [ Kartik Mistry ]
      * Switch to dh-systemd (Closes: #713853)
     -- Colin Watson <email address hidden>   Mon, 21 Oct 2013 13:26:52 +0100
  • nginx (1.4.1-3ubuntu1) saucy; urgency=low
    
      * Resynchronise with Debian.  Remaining changes:
        - debian/patches/ubuntu-branding.patch:
          + Add Ubuntu branding to server_tokens.
    
    nginx (1.4.1-3) unstable; urgency=low
    
      [ Kartik Mistry ]
      * debian/control:
        + Changed libgd2-dev build-dep to libgd2-dev|libgd2-noxpm-dev to allow
          backporting (Closes: #711505)
    
      [ Cyril Lavier ]
      * debian/nginx-naxsi-ui.preinst
        + Added argument "install" to the preinst script. (Closes: #711590)
     -- Colin Watson <email address hidden>   Thu, 20 Jun 2013 15:08:44 +0100