nginxtra 1.6.1.9 → 1.6.2.9
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/bin/nginxtra +1 -1
- data/bin/nginxtra_rails +1 -1
- data/lib/nginxtra/version.rb +1 -1
- data/vendor/nginx/CHANGES +14 -0
- data/vendor/nginx/CHANGES.ru +15 -0
- data/vendor/nginx/src/core/nginx.h +2 -2
- data/vendor/nginx/src/core/ngx_resolver.c +43 -10
- data/vendor/nginx/src/event/ngx_event_openssl.c +96 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 95fc93bf35b0b2b30b7bf3e04fc69db463900cac
|
|
4
|
+
data.tar.gz: da5eceb301f5315cd7a956e5470abee1f5e13b86
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d0922b2d2e79afaed0e00bf3448abae693f7313d0bb71a24cac15e7e4c0c4cc420520758f584e84dcf3123030de6a1d013cad83c7f0dd59f1a6923d7361c7168
|
|
7
|
+
data.tar.gz: 4ac8159c70253cde0edf50f09c3c5a1b6ee2221c1a7ce29c60d092bd7676fe71b09c5345ee73410257df3f45eedde6bb5bd17c89a300a49c195977558abf2f6e
|
data/bin/nginxtra
CHANGED
data/bin/nginxtra_rails
CHANGED
data/lib/nginxtra/version.rb
CHANGED
data/vendor/nginx/CHANGES
CHANGED
|
@@ -1,4 +1,18 @@
|
|
|
1
1
|
|
|
2
|
+
Changes with nginx 1.6.2 16 Sep 2014
|
|
3
|
+
|
|
4
|
+
*) Security: it was possible to reuse SSL sessions in unrelated contexts
|
|
5
|
+
if a shared SSL session cache or the same TLS session ticket key was
|
|
6
|
+
used for multiple "server" blocks (CVE-2014-3616).
|
|
7
|
+
Thanks to Antoine Delignat-Lavaud.
|
|
8
|
+
|
|
9
|
+
*) Bugfix: requests might hang if resolver was used and a DNS server
|
|
10
|
+
returned a malformed response; the bug had appeared in 1.5.8.
|
|
11
|
+
|
|
12
|
+
*) Bugfix: requests might hang if resolver was used and a timeout
|
|
13
|
+
occurred during a DNS request.
|
|
14
|
+
|
|
15
|
+
|
|
2
16
|
Changes with nginx 1.6.1 05 Aug 2014
|
|
3
17
|
|
|
4
18
|
*) Security: pipelined commands were not discarded after STARTTLS
|
data/vendor/nginx/CHANGES.ru
CHANGED
|
@@ -1,4 +1,19 @@
|
|
|
1
1
|
|
|
2
|
+
Изменения в nginx 1.6.2 16.09.2014
|
|
3
|
+
|
|
4
|
+
*) Безопасность: при использовании общего для нескольких блоков server
|
|
5
|
+
разделяемого кэша SSL-сессий или общего ключа для шифрования TLS
|
|
6
|
+
session tickets было возможно повторно использовать SSL-сессию в
|
|
7
|
+
контексте другого блока server (CVE-2014-3616).
|
|
8
|
+
Спасибо Antoine Delignat-Lavaud.
|
|
9
|
+
|
|
10
|
+
*) Исправление: запросы могли зависать, если использовался resolver и
|
|
11
|
+
DNS-сервер возвращал некорректный ответ; ошибка появилась в 1.5.8.
|
|
12
|
+
|
|
13
|
+
*) Исправление: запросы могли зависать, если использовался resolver и в
|
|
14
|
+
процессе обращения к DNS-серверу происходил таймаут.
|
|
15
|
+
|
|
16
|
+
|
|
2
17
|
Изменения в nginx 1.6.1 05.08.2014
|
|
3
18
|
|
|
4
19
|
*) Безопасность: pipelined-команды не отбрасывались после команды
|
|
@@ -417,7 +417,7 @@ ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
|
|
|
417
417
|
|
|
418
418
|
/* lock name mutex */
|
|
419
419
|
|
|
420
|
-
if (ctx->state == NGX_AGAIN
|
|
420
|
+
if (ctx->state == NGX_AGAIN) {
|
|
421
421
|
|
|
422
422
|
hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
|
|
423
423
|
|
|
@@ -664,7 +664,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
|
|
|
664
664
|
}
|
|
665
665
|
|
|
666
666
|
ctx->event->handler = ngx_resolver_timeout_handler;
|
|
667
|
-
ctx->event->data =
|
|
667
|
+
ctx->event->data = rn;
|
|
668
668
|
ctx->event->log = r->log;
|
|
669
669
|
ctx->ident = -1;
|
|
670
670
|
|
|
@@ -857,7 +857,7 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
|
|
|
857
857
|
}
|
|
858
858
|
|
|
859
859
|
ctx->event->handler = ngx_resolver_timeout_handler;
|
|
860
|
-
ctx->event->data =
|
|
860
|
+
ctx->event->data = rn;
|
|
861
861
|
ctx->event->log = r->log;
|
|
862
862
|
ctx->ident = -1;
|
|
863
863
|
|
|
@@ -949,7 +949,7 @@ ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
|
|
|
949
949
|
|
|
950
950
|
/* lock addr mutex */
|
|
951
951
|
|
|
952
|
-
if (ctx->state == NGX_AGAIN
|
|
952
|
+
if (ctx->state == NGX_AGAIN) {
|
|
953
953
|
|
|
954
954
|
switch (ctx->addr.sockaddr->sa_family) {
|
|
955
955
|
|
|
@@ -1467,7 +1467,6 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|
|
1467
1467
|
goto failed;
|
|
1468
1468
|
}
|
|
1469
1469
|
|
|
1470
|
-
rn->naddrs6 = 0;
|
|
1471
1470
|
qident = (rn->query6[0] << 8) + rn->query6[1];
|
|
1472
1471
|
|
|
1473
1472
|
break;
|
|
@@ -1482,7 +1481,6 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|
|
1482
1481
|
goto failed;
|
|
1483
1482
|
}
|
|
1484
1483
|
|
|
1485
|
-
rn->naddrs = 0;
|
|
1486
1484
|
qident = (rn->query[0] << 8) + rn->query[1];
|
|
1487
1485
|
}
|
|
1488
1486
|
|
|
@@ -1507,6 +1505,8 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|
|
1507
1505
|
|
|
1508
1506
|
case NGX_RESOLVE_AAAA:
|
|
1509
1507
|
|
|
1508
|
+
rn->naddrs6 = 0;
|
|
1509
|
+
|
|
1510
1510
|
if (rn->naddrs == (u_short) -1) {
|
|
1511
1511
|
goto next;
|
|
1512
1512
|
}
|
|
@@ -1519,6 +1519,8 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|
|
1519
1519
|
|
|
1520
1520
|
default: /* NGX_RESOLVE_A */
|
|
1521
1521
|
|
|
1522
|
+
rn->naddrs = 0;
|
|
1523
|
+
|
|
1522
1524
|
if (rn->naddrs6 == (u_short) -1) {
|
|
1523
1525
|
goto next;
|
|
1524
1526
|
}
|
|
@@ -1539,6 +1541,8 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|
|
1539
1541
|
|
|
1540
1542
|
case NGX_RESOLVE_AAAA:
|
|
1541
1543
|
|
|
1544
|
+
rn->naddrs6 = 0;
|
|
1545
|
+
|
|
1542
1546
|
if (rn->naddrs == (u_short) -1) {
|
|
1543
1547
|
rn->code = (u_char) code;
|
|
1544
1548
|
goto next;
|
|
@@ -1548,6 +1552,8 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|
|
1548
1552
|
|
|
1549
1553
|
default: /* NGX_RESOLVE_A */
|
|
1550
1554
|
|
|
1555
|
+
rn->naddrs = 0;
|
|
1556
|
+
|
|
1551
1557
|
if (rn->naddrs6 == (u_short) -1) {
|
|
1552
1558
|
rn->code = (u_char) code;
|
|
1553
1559
|
goto next;
|
|
@@ -1817,6 +1823,25 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|
|
1817
1823
|
}
|
|
1818
1824
|
}
|
|
1819
1825
|
|
|
1826
|
+
switch (qtype) {
|
|
1827
|
+
|
|
1828
|
+
#if (NGX_HAVE_INET6)
|
|
1829
|
+
case NGX_RESOLVE_AAAA:
|
|
1830
|
+
|
|
1831
|
+
if (rn->naddrs6 == (u_short) -1) {
|
|
1832
|
+
rn->naddrs6 = 0;
|
|
1833
|
+
}
|
|
1834
|
+
|
|
1835
|
+
break;
|
|
1836
|
+
#endif
|
|
1837
|
+
|
|
1838
|
+
default: /* NGX_RESOLVE_A */
|
|
1839
|
+
|
|
1840
|
+
if (rn->naddrs == (u_short) -1) {
|
|
1841
|
+
rn->naddrs = 0;
|
|
1842
|
+
}
|
|
1843
|
+
}
|
|
1844
|
+
|
|
1820
1845
|
if (rn->naddrs != (u_short) -1
|
|
1821
1846
|
#if (NGX_HAVE_INET6)
|
|
1822
1847
|
&& rn->naddrs6 != (u_short) -1
|
|
@@ -2766,13 +2791,21 @@ done:
|
|
|
2766
2791
|
static void
|
|
2767
2792
|
ngx_resolver_timeout_handler(ngx_event_t *ev)
|
|
2768
2793
|
{
|
|
2769
|
-
ngx_resolver_ctx_t
|
|
2794
|
+
ngx_resolver_ctx_t *ctx, *next;
|
|
2795
|
+
ngx_resolver_node_t *rn;
|
|
2770
2796
|
|
|
2771
|
-
|
|
2797
|
+
rn = ev->data;
|
|
2798
|
+
ctx = rn->waiting;
|
|
2799
|
+
rn->waiting = NULL;
|
|
2772
2800
|
|
|
2773
|
-
|
|
2801
|
+
do {
|
|
2802
|
+
ctx->state = NGX_RESOLVE_TIMEDOUT;
|
|
2803
|
+
next = ctx->next;
|
|
2774
2804
|
|
|
2775
|
-
|
|
2805
|
+
ctx->handler(ctx);
|
|
2806
|
+
|
|
2807
|
+
ctx = next;
|
|
2808
|
+
} while (ctx);
|
|
2776
2809
|
}
|
|
2777
2810
|
|
|
2778
2811
|
|
|
@@ -27,6 +27,8 @@ static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
|
|
|
27
27
|
ngx_err_t err, char *text);
|
|
28
28
|
static void ngx_ssl_clear_error(ngx_log_t *log);
|
|
29
29
|
|
|
30
|
+
static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
|
|
31
|
+
ngx_str_t *sess_ctx);
|
|
30
32
|
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
|
|
31
33
|
static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
|
|
32
34
|
ngx_ssl_session_t *sess);
|
|
@@ -1729,13 +1731,15 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
|
|
|
1729
1731
|
|
|
1730
1732
|
SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
|
|
1731
1733
|
|
|
1734
|
+
if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) {
|
|
1735
|
+
return NGX_ERROR;
|
|
1736
|
+
}
|
|
1737
|
+
|
|
1732
1738
|
if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
|
|
1733
1739
|
SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
|
|
1734
1740
|
return NGX_OK;
|
|
1735
1741
|
}
|
|
1736
1742
|
|
|
1737
|
-
SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
|
|
1738
|
-
|
|
1739
1743
|
if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
|
|
1740
1744
|
|
|
1741
1745
|
/*
|
|
@@ -1792,6 +1796,96 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
|
|
|
1792
1796
|
}
|
|
1793
1797
|
|
|
1794
1798
|
|
|
1799
|
+
static ngx_int_t
|
|
1800
|
+
ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx)
|
|
1801
|
+
{
|
|
1802
|
+
int n, i;
|
|
1803
|
+
X509 *cert;
|
|
1804
|
+
X509_NAME *name;
|
|
1805
|
+
EVP_MD_CTX md;
|
|
1806
|
+
unsigned int len;
|
|
1807
|
+
STACK_OF(X509_NAME) *list;
|
|
1808
|
+
u_char buf[EVP_MAX_MD_SIZE];
|
|
1809
|
+
|
|
1810
|
+
/*
|
|
1811
|
+
* Session ID context is set based on the string provided,
|
|
1812
|
+
* the server certificate, and the client CA list.
|
|
1813
|
+
*/
|
|
1814
|
+
|
|
1815
|
+
EVP_MD_CTX_init(&md);
|
|
1816
|
+
|
|
1817
|
+
if (EVP_DigestInit_ex(&md, EVP_sha1(), NULL) == 0) {
|
|
1818
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1819
|
+
"EVP_DigestInit_ex() failed");
|
|
1820
|
+
goto failed;
|
|
1821
|
+
}
|
|
1822
|
+
|
|
1823
|
+
if (EVP_DigestUpdate(&md, sess_ctx->data, sess_ctx->len) == 0) {
|
|
1824
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1825
|
+
"EVP_DigestUpdate() failed");
|
|
1826
|
+
goto failed;
|
|
1827
|
+
}
|
|
1828
|
+
|
|
1829
|
+
cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
|
|
1830
|
+
|
|
1831
|
+
if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
|
|
1832
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1833
|
+
"X509_digest() failed");
|
|
1834
|
+
goto failed;
|
|
1835
|
+
}
|
|
1836
|
+
|
|
1837
|
+
if (EVP_DigestUpdate(&md, buf, len) == 0) {
|
|
1838
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1839
|
+
"EVP_DigestUpdate() failed");
|
|
1840
|
+
goto failed;
|
|
1841
|
+
}
|
|
1842
|
+
|
|
1843
|
+
list = SSL_CTX_get_client_CA_list(ssl->ctx);
|
|
1844
|
+
|
|
1845
|
+
if (list != NULL) {
|
|
1846
|
+
n = sk_X509_NAME_num(list);
|
|
1847
|
+
|
|
1848
|
+
for (i = 0; i < n; i++) {
|
|
1849
|
+
name = sk_X509_NAME_value(list, i);
|
|
1850
|
+
|
|
1851
|
+
if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) {
|
|
1852
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1853
|
+
"X509_NAME_digest() failed");
|
|
1854
|
+
goto failed;
|
|
1855
|
+
}
|
|
1856
|
+
|
|
1857
|
+
if (EVP_DigestUpdate(&md, buf, len) == 0) {
|
|
1858
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1859
|
+
"EVP_DigestUpdate() failed");
|
|
1860
|
+
goto failed;
|
|
1861
|
+
}
|
|
1862
|
+
}
|
|
1863
|
+
}
|
|
1864
|
+
|
|
1865
|
+
if (EVP_DigestFinal_ex(&md, buf, &len) == 0) {
|
|
1866
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1867
|
+
"EVP_DigestUpdate() failed");
|
|
1868
|
+
goto failed;
|
|
1869
|
+
}
|
|
1870
|
+
|
|
1871
|
+
EVP_MD_CTX_cleanup(&md);
|
|
1872
|
+
|
|
1873
|
+
if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) {
|
|
1874
|
+
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
|
1875
|
+
"SSL_CTX_set_session_id_context() failed");
|
|
1876
|
+
return NGX_ERROR;
|
|
1877
|
+
}
|
|
1878
|
+
|
|
1879
|
+
return NGX_OK;
|
|
1880
|
+
|
|
1881
|
+
failed:
|
|
1882
|
+
|
|
1883
|
+
EVP_MD_CTX_cleanup(&md);
|
|
1884
|
+
|
|
1885
|
+
return NGX_ERROR;
|
|
1886
|
+
}
|
|
1887
|
+
|
|
1888
|
+
|
|
1795
1889
|
ngx_int_t
|
|
1796
1890
|
ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
|
|
1797
1891
|
{
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: nginxtra
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.2.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike Virata-Stone
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-09-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|