Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2016-02-03 10:19:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2015-07-03 01:20:12.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new/nginx.changes 2016-02-03 10:19:31.000000000 +0100 
@@ -1,0 +2,57 @@
+Thu Jan 28 01:36:01 UTC 2016 - i...@marguerite.su
+
+- update version 1.8.1 stable
+ * Security: invalid pointer dereference might occur during DNS server
+ response processing if the "resolver" directive was used, allowing an
+ attacker who is able to forge UDP packets from the DNS server to
+ cause segmentation fault in a worker process (CVE-2016-0742). boo#963781
+ * Security: use-after-free condition might occur during CNAME response
+ processing if the "resolver" directive was used, allowing an attacker
+ who is able to trigger name resolution to cause segmentation fault in
+ a worker process, or might have potential other impact
+ (CVE-2016-0746). boo#963778
+ * Security: CNAME resolution was insufficiently limited if the
+ "resolver" directive was used, allowing an attacker who is able to
+ trigger arbitrary name resolution to cause excessive resource
+ consumption in worker processes (CVE-2016-0747). boo#963775
+ * Bugfix: the "proxy_protocol" parameter of the "listen" directive did
+ not work if not specified in the first "listen" directive for a
+ listen socket.
+ * Bugfix: nginx might fail to start on some old Linux variants; the bug
+ had appeared in 1.7.11.
+ * Bugfix: a segmentation fault might occur in a worker process if the
+ "try_files" and "alias" directives were used inside a location given
+ by a regular expression; the bug had appeared in 1.7.1.
+ * Bugfix: the "try_files" directive inside a nested location given by a
+ regular expression worked incorrectly if the "alias" directive was
+ used in the outer location.
+ * Bugfix: "header already sent" alerts might appear in logs when using
+ cache; the bug had appeared in 1.7.5.
+ * Bugfix: a segmentation fault might occur in a worker process if
+ different ssl_session_cache settings were used in different virtual
+ servers.
+ * Bugfix: the "expires" directive might not work when using variables.
+ * Bugfix: if nginx was built with the ngx_http_spdy_module it was + possible to use the SPDY protocol even if the "spdy" parameter of the + "listen" directive was not specified. + +------------------------------------------------------------------- +Fri Oct 16 15:17:30 UTC 2015 - mrueck...@suse.de + +- use libGeoIP-devel everywhere + +------------------------------------------------------------------- +Fri Oct 16 15:08:28 UTC 2015 - mrueck...@suse.de + +- replace custom "kill -QUIT" with the kill signal setting in + the service file + +------------------------------------------------------------------- +Fri Oct 16 15:01:17 UTC 2015 - mrueck...@suse.de + +- clean up conditionals and use bcond_with* everywhere +- drop passenger support for now + * drop nginx-1.8.0-passenger-4.0.18.patch + * drop nginx-1.4.2-passenger-4.0.18.patch + +------------------------------------------------------------------- Old: ---- nginx-1.4.2-passenger-4.0.18.patch nginx-1.8.0-passenger-4.0.18.patch nginx-1.8.0.tar.gz New: ---- nginx-1.8.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.JKEPd3/_old 2016-02-03 10:19:32.000000000 +0100 +++ /var/tmp/diff_new_pack.JKEPd3/_new 2016-02-03 10:19:32.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package nginx # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,6 +16,28 @@ # +%bcond_with cpp_test +%bcond_with google_perftools +%bcond_without fancyindex + +%if 0%{?suse_version} != 1315 +%bcond_without libatomic +%else +%bcond_with libatomic +%endif + +%if 0%{?suse_version} > 1220 +%bcond_without http2 +%else +%bcond_with http2 +%endif + +%if 0%{?suse_version} >= 1210 +%bcond_without systemd +%else +%bcond_with systemd +%endif + %define pkg_name nginx %define ngx_prefix %{_prefix} %define ngx_sbin_path %{_sbindir}/nginx @@ -31,36 +53,19 @@ %define ngx_tmp_scgi %{ngx_home}/scgi/ %define ngx_tmp_uwsgi %{ngx_home}/uwsgi/ %define ngx_user_group nginx -%define with_cpp_test 0 -%define with_google_perftools 0 -%define with_fancyindex 1 -%define fancyindex_version 0.3.5 -%if 0%{?suse_version} <= 1310 -%define ngx_pid_path %{_localstatedir}/run/nginx.pid -%define ngx_lock_path %{_localstatedir}/run/nginx.lock -%else +# +%if %{with systemd} %define ngx_pid_path /run/nginx.pid %define ngx_lock_path /run/nginx.lock -%endif -%if 0%{?suse_version} != 1315 -%define with_libatomic 1 -%endif -%if 0%{?suse_version} >= 1220 -# passenger is required by webyast -%if 0%{?suse_version} > 1310 -%define with_passenger 0 %else -%define with_passenger 1 -%endif -%endif -%if 0%{?suse_version} >= 1210 -%define with_systemd 1 -BuildRequires: systemd -%{?systemd_requires} +%define ngx_pid_path %{_localstatedir}/run/nginx.pid +%define ngx_lock_path %{_localstatedir}/run/nginx.lock %endif +# Name: nginx -Version: 1.8.0 +Version: 1.8.1 Release: 0 +%define fancyindex_version 0.3.5 Summary: A HTTP server and IMAP/POP3 proxy server License: BSD-2-Clause Group: Productivity/Networking/Web/Proxy 
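Review bot: The build conditional is named `http2`, but the only place it is used in this diff is the configure hunk (@@ -181,13 +167,13 @@), where it switches `--with-http_spdy_module`. A packager who builds with `--without http2` would in fact be disabling SPDY, so the name describes something the build does not do. `%bcond_without spdy` / `%bcond_with spdy` here and `%if %{with spdy}` at the use site would match the module. If the name is kept for a later HTTP/2 switch, a one-line comment such as `# http2: currently selects the SPDY module` above the conditional would do.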
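Review bot: The pid and lock path test moved from `0%{?suse_version} <= 1310` to `%{with systemd}`, and `systemd` is enabled from `suse_version >= 1210`, so builds for 1210 through 1310 now get `/run/nginx.pid` where they used to get `%{_localstatedir}/run/nginx.pid`. The changelog describes this as a cleanup of conditionals, so the shift may not be intended; the `sed` on nginx.init in the %prep hunk (@@ -141,26 +139,14 @@) moves the same way. It is worth confirming that the pid path in nginx.service and the logrotate file, neither of which is in this diff, agrees with the new value on those releases, or keeping the version test for the two path macros.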
@@ -99,27 +104,20 @@ Provides: http_daemon Provides: httpd BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if 0%{?suse_version} == 1310 -Patch7: nginx-1.4.2-passenger-4.0.18.patch -Patch8: nginx-1.8.0-passenger-4.0.18.patch -%endif -%if 0%{?suse_version} <= 1310 -BuildRequires: GeoIP-devel -%else +# BuildRequires: libGeoIP-devel -%endif -%if 0%{?with_google_perftools} +# +%if %{with google_perftools} BuildRequires: google-perftools-devel %endif -%if 0%{?with_libatomic} +# +%if %{with libatomic} BuildRequires: libatomic-ops-devel %endif -%if 0%{?with_passenger} -BuildRequires: curl-devel -BuildRequires: ruby-devel -BuildRequires: rubygem-passenger -BuildRequires: rubygem-passenger-devel-static -Recommends: packageand(rubygem-passenger:rubygem-passenger-nginx) +# +%if %{with systemd} +BuildRequires: systemd +%{?systemd_requires} %endif %description @@ -127,7 +125,7 @@ It has been running on many heavily loaded Russian sites for more than two years. %prep -%if 0%{?with_fancyindex} +%if %{with fancyindex} %setup -q -n %{pkg_name}-%{version} -b4 %else %setup -q -n %{pkg_name}-%{version} @@ -141,26 +139,14 @@ perl -pi -e 's|\r\n|\n|g' contrib/geo2nginx.pl -%if 0%{?with_passenger} -cp -a %{_libdir}/ruby/gems/%{rb_ver}/gems/passenger-* passenger -%if 0%{?suse_version} < 1310 -if [[ -f "passenger/ext/common/libpassenger_common.a" ]] || \ - [[ -f "passenger/ext/common/libboost_oxt.a" ]]; then - rm -r passenger/ext/common/libboost_oxt* passenger/ext/common/libpassenger_common* -fi -%endif -%patch7 -%patch8 -%endif - -%if 0%{with_fancyindex} +%if %{with fancyindex} mkdir -p ngx-fancyindex-%{fancyindex_version} pushd ../ngx-fancyindex-%{fancyindex_version} cp -r template* LICENSE *.rst $RPM_BUILD_DIR/%{pkg_name}-%{version}/ngx-fancyindex-%{fancyindex_version}/ popd %endif -%if 0%{?suse_version} > 1310 +%if %{with systemd} sed -i "s/\/var\/run/\/run/" %{_sourcedir}/nginx.init %endif 
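Review bot: The `sed -i "s/\/var\/run/\/run/" %{_sourcedir}/nginx.init` at the end of the @@ -141,26 +139,14 @@ hunk runs only under `%if %{with systemd}`, while the %files hunk packages `%{_sysconfdir}/init.d/%{pkg_name}` only in the `%else` branch of the same conditional. So in a systemd build the rewritten init script appears never to be shipped, and in a sysvinit build, where it is shipped, the rewrite does not run. Editing a file under `%{_sourcedir}` in place also leaves the checked-out sources modified after a local build. If the init script still needs the path changed, copy it into the build directory and patch the copy; otherwise the block can probably be dropped.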
@@ -181,13 +167,13 @@ --user=nginx --group=nginx \ --without-select_module \ --without-poll_module \ - --with-file-aio \ --with-threads \ + --with-file-aio \ --with-ipv6 \ --with-http_ssl_module \ -%if 0%{?suse_version} > 1220 + %if %{with http2} --with-http_spdy_module \ -%endif + %endif --with-http_realip_module \ --with-http_addition_module \ --with-http_xslt_module \ @@ -209,19 +195,16 @@ --with-mail \ --with-mail_ssl_module \ --with-pcre \ - %if 0%{?with_libatomic} + %if %{with libatomic} --with-libatomic \ %endif - %if 0%{?with_passenger} - --add-module=passenger/ext/nginx \ - %endif - %if 0%{?with_google_perftools} + %if %{with google_perftools} --with-google_perftools_module \ %endif - %if 0%{?with_cpp_test} + %if %{with cpp_test} --with-cpp_test_module \ %endif - %if 0%{with_fancyindex} + %if %{with fancyindex} --add-module=../ngx-fancyindex-%{fancyindex_version} \ %endif --with-md5=%{_prefix} \ @@ -242,7 +225,7 @@ install -D -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/%{pkg_name} -%if 0%{?with_systemd} +%if %{with systemd} install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/nginx.service ln -s -f %{_sbindir}/service %{buildroot}%{_sbindir}/rcnginx %else @@ -253,21 +236,21 @@ rm %{buildroot}/srv/www/htdocs/index.html %post -%if 0%{?with_systemd} +%if %{with systemd} %service_add_post nginx.service %else %fillup_and_insserv %{pkg_name} %endif %preun -%if 0%{?with_systemd} +%if %{with systemd} %service_del_preun nginx.service %else %stop_on_removal %{pkg_name} %endif %postun -%if 0%{?with_systemd} +%if %{with systemd} %service_del_postun nginx.service %else %restart_on_update %{pkg_name} @@ -278,7 +261,7 @@ %{_sbindir}/groupadd -r %{ngx_user_group} &>/dev/null ||: %{_sbindir}/useradd -g %{ngx_user_group} -s /bin/false -r -c "user for %{ngx_user_group}" -d %{ngx_home} %{ngx_user_group} &>/dev/null ||: -%if 0%{?with_systemd} +%if %{with systemd} %service_add_pre nginx.service %endif 
@@ -319,10 +302,10 @@ %dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_tmp_uwsgi} %doc CHANGES* %doc conf/ contrib/ -%if 0%{with_fancyindex} +%if %{with fancyindex} %doc ngx-fancyindex-%{fancyindex_version}/ %endif -%if 0%{?with_systemd} +%if %{with systemd} %{_unitdir}/nginx.service %else %{_sysconfdir}/init.d/%{pkg_name} ++++++ nginx-1.8.0.tar.gz -> nginx-1.8.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/CHANGES new/nginx-1.8.1/CHANGES --- old/nginx-1.8.0/CHANGES 2015-04-21 16:12:06.000000000 +0200 +++ new/nginx-1.8.1/CHANGES 2016-01-26 15:39:38.000000000 +0100 
@@ -1,4 +1,51 @@ +Changes with nginx 1.8.1 26 Jan 2016 + + *) Security: invalid pointer dereference might occur during DNS server + response processing if the "resolver" directive was used, allowing an + attacker who is able to forge UDP packets from the DNS server to + cause segmentation fault in a worker process (CVE-2016-0742). + + *) Security: use-after-free condition might occur during CNAME response + processing if the "resolver" directive was used, allowing an attacker + who is able to trigger name resolution to cause segmentation fault in + a worker process, or might have potential other impact + (CVE-2016-0746). + + *) Security: CNAME resolution was insufficiently limited if the + "resolver" directive was used, allowing an attacker who is able to + trigger arbitrary name resolution to cause excessive resource + consumption in worker processes (CVE-2016-0747). + + *) Bugfix: the "proxy_protocol" parameter of the "listen" directive did + not work if not specified in the first "listen" directive for a + listen socket. + + *) Bugfix: nginx might fail to start on some old Linux variants; the bug + had appeared in 1.7.11. + + *) Bugfix: a segmentation fault might occur in a worker process if the + "try_files" and "alias" directives were used inside a location given + by a regular expression; the bug had appeared in 1.7.1. + + *) Bugfix: the "try_files" directive inside a nested location given by a + regular expression worked incorrectly if the "alias" directive was + used in the outer location. + + *) Bugfix: "header already sent" alerts might appear in logs when using + cache; the bug had appeared in 1.7.5. + + *) Bugfix: a segmentation fault might occur in a worker process if + different ssl_session_cache settings were used in different virtual + servers. + + *) Bugfix: the "expires" directive might not work when using variables. 
+ + *) Bugfix: if nginx was built with the ngx_http_spdy_module it was + possible to use the SPDY protocol even if the "spdy" parameter of the + "listen" directive was not specified. + + Changes with nginx 1.8.0 21 Apr 2015 *) 1.8.x stable branch. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/CHANGES.ru new/nginx-1.8.1/CHANGES.ru --- old/nginx-1.8.0/CHANGES.ru 2015-04-21 16:12:04.000000000 +0200 +++ new/nginx-1.8.1/CHANGES.ru 2016-01-26 15:39:36.000000000 +0100 
@@ -1,4 +1,56 @@ +Изменения в nginx 1.8.1 26.01.2016 + + *) Безопасность: при использовании директивы resolver во время обработки + ответов DNS-сервера могло происходить разыменование некорректного + адреса, что позволяло атакующему, имеющему возможность подделывать + UDP-пакеты от DNS-сервера, вызвать segmentation fault в рабочем + процессе (CVE-2016-0742). + + *) Безопасность: при использовании директивы resolver во время обработки + CNAME-записей могло произойти обращение к ранее освобождённой памяти, + что позволяло атакующему, имеющему возможность инициировать + преобразование произвольных имён в адреса, вызвать segmentation fault + в рабочем процессе, а также потенциально могло иметь другие + последствия (CVE-2016-0746). + + *) Безопасность: при использовании директивы resolver во время обработки + CNAME-записей не во всех случаях проверялось ограничение на + максимальное количество записей в цепочке, что позволяло атакующему, + имеющему возможность инициировать преобразование произвольных имён в + адреса, вызвать чрезмерное потребление ресурсов рабочими процессами + (CVE-2016-0747). + + *) Исправление: параметр proxy_protocol директивы listen не работал, + если не был указан в первой директиве listen для данного + listen-сокета. + + *) Исправление: nginx мог не запускаться на некоторых старых версиях + Linux; ошибка появилась в 1.7.11. + + *) Исправление: при совместном использовании директив try_files и alias + внутри location'а, заданного регулярным выражением, в рабочем + процессе мог произойти segmentation fault; ошибка появилась в 1.7.1. + + *) Исправление: директива try_files внутри вложенного location'а, + заданного регулярным выражением, работала неправильно, если во + внешнем location'е использовалась директива alias. + + *) Исправление: при использовании кэша в логах могли появляться + сообщения "header already sent"; ошибка появилась в 1.7.5. 
+ + *) Исправление: при использовании различных настроек ssl_session_cache в + разных виртуальных серверах в рабочем процессе мог произойти + segmentation fault. + + *) Исправление: директива expires могла не срабатывать при использовании + переменных. + + *) Исправление: если nginx был собран с модулем ngx_http_spdy_module, + протокол SPDY мог быть использован клиентом, даже если не был указан + параметр spdy директивы listen. + + Изменения в nginx 1.8.0 21.04.2015 *) Стабильная ветка 1.8.x. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/core/nginx.h new/nginx-1.8.1/src/core/nginx.h --- old/nginx-1.8.0/src/core/nginx.h 2015-04-21 16:11:59.000000000 +0200 +++ new/nginx-1.8.1/src/core/nginx.h 2016-01-26 15:39:31.000000000 +0100 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1008000 -#define NGINX_VERSION "1.8.0" +#define nginx_version 1008001 +#define NGINX_VERSION "1.8.1" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/core/ngx_parse.c new/nginx-1.8.1/src/core/ngx_parse.c --- old/nginx-1.8.0/src/core/ngx_parse.c 2015-04-21 16:11:59.000000000 +0200 +++ new/nginx-1.8.1/src/core/ngx_parse.c 2016-01-26 15:39:32.000000000 +0100 @@ -188,7 +188,7 @@ break; case 'm': - if (*p == 's') { + if (p < last && *p == 's') { if (is_sec || step >= st_msec) { return NGX_ERROR; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/core/ngx_resolver.c new/nginx-1.8.1/src/core/ngx_resolver.c --- old/nginx-1.8.0/src/core/ngx_resolver.c 2015-04-21 16:11:59.000000000 +0200 +++ new/nginx-1.8.1/src/core/ngx_resolver.c 2016-01-26 15:39:32.000000000 +0100 
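Review bot: The bound check added in ngx_parse.c under `case 'm':` carries no comment saying why it is needed, and the reason is easy to lose in a later refactor. Presumably `p` already points one byte past the `m`, so when `m` is the last character of the input the old `*p == 's'` read one byte beyond `last`. I would add `/* "m" may be the final byte: look for "s" only inside the buffer */` above the `if`. Whether any other branch of the switch peeks at `*p` the same way cannot be seen here, because the function starts and ends outside the hunk.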
@@ -59,15 +59,15 @@ static void ngx_resolver_cleanup(void *data); static void ngx_resolver_cleanup_tree(ngx_resolver_t *r, ngx_rbtree_t *tree); static ngx_int_t ngx_resolve_name_locked(ngx_resolver_t *r, - ngx_resolver_ctx_t *ctx); + ngx_resolver_ctx_t *ctx, ngx_str_t *name); static void ngx_resolver_expire(ngx_resolver_t *r, ngx_rbtree_t *tree, ngx_queue_t *queue); static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r, ngx_resolver_node_t *rn); -static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_node_t *rn, - ngx_resolver_ctx_t *ctx); -static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, - ngx_resolver_ctx_t *ctx); +static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_t *r, + ngx_resolver_node_t *rn, ngx_str_t *name); +static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_t *r, + ngx_resolver_node_t *rn, ngx_addr_t *addr); static void ngx_resolver_resend_handler(ngx_event_t *ev); static time_t ngx_resolver_resend(ngx_resolver_t *r, ngx_rbtree_t *tree, ngx_queue_t *queue); @@ -375,7 +375,7 @@ /* lock name mutex */ - rc = ngx_resolve_name_locked(r, ctx); + rc = ngx_resolve_name_locked(r, ctx, &ctx->name); if (rc == NGX_OK) { return NGX_OK; @@ -402,7 +402,6 @@ void ngx_resolve_name_done(ngx_resolver_ctx_t *ctx) { - uint32_t hash; ngx_resolver_t *r; ngx_resolver_ctx_t *w, **p; ngx_resolver_node_t *rn; @@ -422,11 +421,9 @@ /* lock name mutex */ - if (ctx->state == NGX_AGAIN) { - - hash = ngx_crc32_short(ctx->name.data, ctx->name.len); + if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) { - rn = ngx_resolver_lookup_name(r, &ctx->name, hash); + rn = ctx->node; if (rn) { p = &rn->waiting; 
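Review bot: In the @@ -422,11 +421,9 @@ hunk `rn = ctx->node;` replaces a lookup by name with a cached raw pointer, and nothing in the diff states the invariant that makes this safe: whenever `ctx->state` is `NGX_AGAIN` or `NGX_RESOLVE_TIMEDOUT`, `ctx->node` must be NULL or point to a node that has not been freed. The same applies to ngx_resolve_addr_done in the @@ -954,23 +994,9 @@ hunk. The CNAME path does clear the field (`next->node = NULL` in @@ -1955,20 +1981,39 @@), but the expiry and cleanup code that frees nodes is outside this diff, so it cannot be checked from here. I would document the rule on the field in ngx_resolver.h, for example `/* cache node this context waits on, or NULL; must be cleared before the node is freed */`.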
@@ -467,23 +464,28 @@ static ngx_int_t -ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx) +ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx, + ngx_str_t *name) { uint32_t hash; ngx_int_t rc; + ngx_str_t cname; ngx_uint_t naddrs; ngx_addr_t *addrs; - ngx_resolver_ctx_t *next; + ngx_resolver_ctx_t *next, *last; ngx_resolver_node_t *rn; - ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len); + ngx_strlow(name->data, name->data, name->len); - hash = ngx_crc32_short(ctx->name.data, ctx->name.len); + hash = ngx_crc32_short(name->data, name->len); - rn = ngx_resolver_lookup_name(r, &ctx->name, hash); + rn = ngx_resolver_lookup_name(r, name, hash); if (rn) { + /* ctx can be a list after NGX_RESOLVE_CNAME */ + for (last = ctx; last->next; last = last->next); + if (rn->valid >= ngx_time()) { ngx_log_debug0(NGX_LOG_DEBUG_CORE, r->log, 0, "resolve cached"); @@ -511,7 +513,7 @@ } } - ctx->next = rn->waiting; + last->next = rn->waiting; rn->waiting = NULL; /* unlock name mutex */ @@ -551,13 +553,13 @@ if (ctx->recursion++ < NGX_RESOLVER_MAX_RECURSION) { - ctx->name.len = rn->cnlen; - ctx->name.data = rn->u.cname; + cname.len = rn->cnlen; + cname.data = rn->u.cname; - return ngx_resolve_name_locked(r, ctx); + return ngx_resolve_name_locked(r, ctx, &cname); } - ctx->next = rn->waiting; + last->next = rn->waiting; rn->waiting = NULL; /* unlock name mutex */ @@ -576,10 +578,29 @@ if (rn->waiting) { - ctx->next = rn->waiting; + if (ctx->event == NULL) { + ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t)); + if (ctx->event == NULL) { + return NGX_ERROR; + } + + ctx->event->handler = ngx_resolver_timeout_handler; + ctx->event->data = ctx; + ctx->event->log = r->log; + ctx->ident = -1; + + ngx_add_timer(ctx->event, ctx->timeout); + } + + last->next = rn->waiting; rn->waiting = ctx; ctx->state = NGX_AGAIN; + do { + ctx->node = rn; + ctx = ctx->next; + } while (ctx); + return NGX_AGAIN; } 
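Review bot: The list walk added in the @@ -467,23 +464,28 @@ hunk, `for (last = ctx; last->next; last = last->next);`, ends in a bare semicolon, which is easy to misread as a loop over the `if` that follows it. Writing the empty body out, `for (last = ctx; last->next; last = last->next) { /* void */ }`, makes the intent explicit. The comment above it says ctx "can be a list after NGX_RESOLVE_CNAME"; it would help to add that `last` is used further down to append `rn->waiting` behind the whole list rather than behind the head only.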
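Review bot: The timer set-up added in the @@ -576,10 +578,29 @@ hunk (allocate `ctx->event`, set handler, data and log, `ctx->ident = -1`, `ngx_add_timer`) repeats the statements found in the @@ -669,9 +696,9 @@, @@ -799,9 +831,22 @@ and @@ -862,9 +907,9 @@ hunks, and the copies already differ: this one is guarded by `ctx->event == NULL`, the one in @@ -799 allocates unconditionally. Since the substance of the fix is that `event->data` must be the context and not the cache node, a single helper would keep that rule in one place. The sketch below uses a function name of my own choosing; whether the guard is also right for the address path needs checking, because the enclosing functions start and end outside these hunks.

```c
/* proposed helper: arm the per-context timeout exactly once */
static ngx_int_t
ngx_resolver_set_timeout(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
{
    if (ctx->event) {
        return NGX_OK;
    }

    ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
    if (ctx->event == NULL) {
        return NGX_ERROR;
    }

    /* the timer belongs to the context, not to the cache node */
    ctx->event->handler = ngx_resolver_timeout_handler;
    ctx->event->data = ctx;
    ctx->event->log = r->log;
    ctx->ident = -1;

    ngx_add_timer(ctx->event, ctx->timeout);

    return NGX_OK;
}

    /* ... unchanged: cache lookup up to the rn->waiting test ... */
    if (rn->waiting) {

        if (ngx_resolver_set_timeout(r, ctx) != NGX_OK) {
            return NGX_ERROR;
        }

        /* ... unchanged: link ctx into rn->waiting, set state and node ... */
```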
@@ -618,14 +639,14 @@ return NGX_ERROR; } - rn->name = ngx_resolver_dup(r, ctx->name.data, ctx->name.len); + rn->name = ngx_resolver_dup(r, name->data, name->len); if (rn->name == NULL) { ngx_resolver_free(r, rn); return NGX_ERROR; } rn->node.key = hash; - rn->nlen = (u_short) ctx->name.len; + rn->nlen = (u_short) name->len; rn->query = NULL; #if (NGX_HAVE_INET6) rn->query6 = NULL; @@ -634,7 +655,7 @@ ngx_rbtree_insert(&r->name_rbtree, &rn->node); } - rc = ngx_resolver_create_name_query(rn, ctx); + rc = ngx_resolver_create_name_query(r, rn, name); if (rc == NGX_ERROR) { goto failed; @@ -647,8 +668,14 @@ ngx_resolver_free(r, rn->name); ngx_resolver_free(r, rn); - ctx->state = NGX_RESOLVE_NXDOMAIN; - ctx->handler(ctx); + do { + ctx->state = NGX_RESOLVE_NXDOMAIN; + next = ctx->next; + + ctx->handler(ctx); + + ctx = next; + } while (ctx); return NGX_OK; } @@ -669,9 +696,9 @@ } ctx->event->handler = ngx_resolver_timeout_handler; - ctx->event->data = rn; + ctx->event->data = ctx; ctx->event->log = r->log; - rn->ident = -1; + ctx->ident = -1; ngx_add_timer(ctx->event, ctx->timeout); } @@ -692,6 +719,11 @@ ctx->state = NGX_AGAIN; + do { + ctx->node = rn; + ctx = ctx->next; + } while (ctx); + return NGX_AGAIN; failed: @@ -799,9 +831,22 @@ if (rn->waiting) { + ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t)); + if (ctx->event == NULL) { + return NGX_ERROR; + } + + ctx->event->handler = ngx_resolver_timeout_handler; + ctx->event->data = ctx; + ctx->event->log = r->log; + ctx->ident = -1; + + ngx_add_timer(ctx->event, ctx->timeout); + ctx->next = rn->waiting; rn->waiting = ctx; ctx->state = NGX_AGAIN; + ctx->node = rn; /* unlock addr mutex */ @@ -843,7 +888,7 @@ ngx_rbtree_insert(tree, &rn->node); } - if (ngx_resolver_create_addr_query(rn, ctx) != NGX_OK) { + if (ngx_resolver_create_addr_query(r, rn, &ctx->addr) != NGX_OK) { goto failed; } 
@@ -862,9 +907,9 @@ } ctx->event->handler = ngx_resolver_timeout_handler; - ctx->event->data = rn; + ctx->event->data = ctx; ctx->event->log = r->log; - rn->ident = -1; + ctx->ident = -1; ngx_add_timer(ctx->event, ctx->timeout); @@ -887,6 +932,7 @@ /* unlock addr mutex */ ctx->state = NGX_AGAIN; + ctx->node = rn; return NGX_OK; @@ -917,17 +963,11 @@ void ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx) { - in_addr_t addr; ngx_queue_t *expire_queue; ngx_rbtree_t *tree; ngx_resolver_t *r; ngx_resolver_ctx_t *w, **p; - struct sockaddr_in *sin; ngx_resolver_node_t *rn; -#if (NGX_HAVE_INET6) - uint32_t hash; - struct sockaddr_in6 *sin6; -#endif r = ctx->resolver; @@ -954,23 +994,9 @@ /* lock addr mutex */ - if (ctx->state == NGX_AGAIN) { - - switch (ctx->addr.sockaddr->sa_family) { - -#if (NGX_HAVE_INET6) - case AF_INET6: - sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr; - hash = ngx_crc32_short(sin6->sin6_addr.s6_addr, 16); - rn = ngx_resolver_lookup_addr6(r, &sin6->sin6_addr, hash); - break; -#endif + if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) { - default: /* AF_INET */ - sin = (struct sockaddr_in *) ctx->addr.sockaddr; - addr = ntohl(sin->sin_addr.s_addr); - rn = ngx_resolver_lookup_addr(r, addr); - } + rn = ctx->node; if (rn) { p = &rn->waiting; @@ -1292,7 +1318,7 @@ times = 0; for (q = ngx_queue_head(&r->name_resend_queue); - q != ngx_queue_sentinel(&r->name_resend_queue) || times++ < 100; + q != ngx_queue_sentinel(&r->name_resend_queue) && times++ < 100; q = ngx_queue_next(q)) { rn = ngx_queue_data(q, ngx_resolver_node_t, queue); 
@@ -1955,20 +1981,39 @@ ngx_queue_insert_head(&r->name_expire_queue, &rn->queue); + ngx_resolver_free(r, rn->query); + rn->query = NULL; +#if (NGX_HAVE_INET6) + rn->query6 = NULL; +#endif + ctx = rn->waiting; rn->waiting = NULL; if (ctx) { - ctx->name = name; - (void) ngx_resolve_name_locked(r, ctx); - } + if (ctx->recursion++ >= NGX_RESOLVER_MAX_RECURSION) { - ngx_resolver_free(r, rn->query); - rn->query = NULL; -#if (NGX_HAVE_INET6) - rn->query6 = NULL; -#endif + /* unlock name mutex */ + + do { + ctx->state = NGX_RESOLVE_NXDOMAIN; + next = ctx->next; + + ctx->handler(ctx); + + ctx = next; + } while (ctx); + + return; + } + + for (next = ctx; next; next = next->next) { + next->node = NULL; + } + + (void) ngx_resolve_name_locked(r, ctx, &name); + } /* unlock name mutex */ @@ -2476,27 +2521,23 @@ static ngx_int_t -ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx) +ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn, + ngx_str_t *name) { u_char *p, *s; size_t len, nlen; ngx_uint_t ident; -#if (NGX_HAVE_INET6) - ngx_resolver_t *r; -#endif ngx_resolver_qs_t *qs; ngx_resolver_hdr_t *query; - nlen = ctx->name.len ? (1 + ctx->name.len + 1) : 1; + nlen = name->len ? (1 + name->len + 1) : 1; len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t); #if (NGX_HAVE_INET6) - r = ctx->resolver; - - p = ngx_resolver_alloc(ctx->resolver, r->ipv6 ? len * 2 : len); + p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len); #else - p = ngx_resolver_alloc(ctx->resolver, len); + p = ngx_resolver_alloc(r, len); #endif if (p == NULL) { return NGX_ERROR; @@ -2515,8 +2556,8 @@ ident = ngx_random(); - ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0, - "resolve: \"%V\" A %i", &ctx->name, ident & 0xffff); + ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, + "resolve: \"%V\" A %i", name, ident & 0xffff); query->ident_hi = (u_char) ((ident >> 8) & 0xff); query->ident_lo = (u_char) (ident & 0xff); 
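Review bot: The limit added in the @@ -1955,20 +1981,39 @@ hunk, `ctx->recursion++ >= NGX_RESOLVER_MAX_RECURSION`, reads and increments only the first context of the waiting list, while the whole list is then either failed with `NGX_RESOLVE_NXDOMAIN` or passed on to ngx_resolve_name_locked. Because a newly queued context becomes the head (`rn->waiting = ctx` in @@ -576,10 +578,29 @@), the depth that is enforced for a merged list is whatever the current head has counted, not the longest chain any waiter has followed. If the intent is a limit per CNAME chain, the loop that already visits every waiter could carry the count along, e.g. `next->recursion = ctx->recursion;` next to `next->node = NULL;`. If the head's counter is meant to stand for the list, a comment saying so would prevent a later reader from assuming per-context accounting.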
@@ -2546,11 +2587,11 @@ p--; *p-- = '\0'; - if (ctx->name.len == 0) { + if (name->len == 0) { return NGX_DECLINED; } - for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) { + for (s = name->data + name->len - 1; s >= name->data; s--) { if (*s != '.') { *p = *s; len++; @@ -2586,8 +2627,8 @@ ident = ngx_random(); - ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0, - "resolve: \"%V\" AAAA %i", &ctx->name, ident & 0xffff); + ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, + "resolve: \"%V\" AAAA %i", name, ident & 0xffff); query->ident_hi = (u_char) ((ident >> 8) & 0xff); query->ident_lo = (u_char) (ident & 0xff); @@ -2604,11 +2645,12 @@ static ngx_int_t -ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx) +ngx_resolver_create_addr_query(ngx_resolver_t *r, ngx_resolver_node_t *rn, + ngx_addr_t *addr) { u_char *p, *d; size_t len; - in_addr_t addr; + in_addr_t inaddr; ngx_int_t n; ngx_uint_t ident; ngx_resolver_hdr_t *query; @@ -2617,7 +2659,7 @@ struct sockaddr_in6 *sin6; #endif - switch (ctx->addr.sockaddr->sa_family) { + switch (addr->sockaddr->sa_family) { #if (NGX_HAVE_INET6) case AF_INET6: @@ -2634,7 +2676,7 @@ + sizeof(ngx_resolver_qs_t); } - p = ngx_resolver_alloc(ctx->resolver, len); + p = ngx_resolver_alloc(r, len); if (p == NULL) { return NGX_ERROR; } @@ -2658,11 +2700,11 @@ p += sizeof(ngx_resolver_hdr_t); - switch (ctx->addr.sockaddr->sa_family) { + switch (addr->sockaddr->sa_family) { #if (NGX_HAVE_INET6) case AF_INET6: - sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr; + sin6 = (struct sockaddr_in6 *) addr->sockaddr; for (n = 15; n >= 0; n--) { p = ngx_sprintf(p, "\1%xd\1%xd", 
@@ -2677,11 +2719,11 @@ default: /* AF_INET */ - sin = (struct sockaddr_in *) ctx->addr.sockaddr; - addr = ntohl(sin->sin_addr.s_addr); + sin = (struct sockaddr_in *) addr->sockaddr; + inaddr = ntohl(sin->sin_addr.s_addr); for (n = 0; n < 32; n += 8) { - d = ngx_sprintf(&p[1], "%ud", (addr >> n) & 0xff); + d = ngx_sprintf(&p[1], "%ud", (inaddr >> n) & 0xff); *p = (u_char) (d - &p[1]); p = d; } @@ -2795,21 +2837,13 @@ static void ngx_resolver_timeout_handler(ngx_event_t *ev) { - ngx_resolver_ctx_t *ctx, *next; - ngx_resolver_node_t *rn; + ngx_resolver_ctx_t *ctx; - rn = ev->data; - ctx = rn->waiting; - rn->waiting = NULL; + ctx = ev->data; - do { - ctx->state = NGX_RESOLVE_TIMEDOUT; - next = ctx->next; - - ctx->handler(ctx); + ctx->state = NGX_RESOLVE_TIMEDOUT; - ctx = next; - } while (ctx); + ctx->handler(ctx); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/core/ngx_resolver.h new/nginx-1.8.1/src/core/ngx_resolver.h --- old/nginx-1.8.0/src/core/ngx_resolver.h 2015-04-21 16:11:59.000000000 +0200 +++ new/nginx-1.8.1/src/core/ngx_resolver.h 2016-01-26 15:39:32.000000000 +0100 @@ -51,15 +51,11 @@ typedef struct { - /* PTR: resolved name, A: name to resolve */ - u_char *name; - + ngx_rbtree_node_t node; ngx_queue_t queue; - /* event ident must be after 3 pointers as in ngx_connection_t */ - ngx_int_t ident; - - ngx_rbtree_node_t node; + /* PTR: resolved name, A: name to resolve */ + u_char *name; #if (NGX_HAVE_INET6) /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */ @@ -147,6 +143,9 @@ ngx_resolver_t *resolver; ngx_udp_connection_t *udp_connection; + /* event ident must be after 3 pointers as in ngx_connection_t */ + ngx_int_t ident; + ngx_int_t state; ngx_str_t name; 
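Review bot: After the rewrite in the @@ -2795,21 +2837,13 @@ hunk, ngx_resolver_timeout_handler no longer detaches anything: the timed-out context stays linked in its node's waiting list while `ctx->handler(ctx)` runs. Unlinking now depends on the handler calling ngx_resolve_name_done() or ngx_resolve_addr_done(), which accept `NGX_RESOLVE_TIMEDOUT` and walk `ctx->node->waiting` (the @@ -422 and @@ -954 hunks). A handler that returns without doing so would leave a pointer to its context in `rn->waiting`, which is the class of bug this release fixes. That contract should be written at the call, for example `/* ctx is still in ctx->node->waiting; the handler must call ngx_resolve_*_done() to unlink it */`.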
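Review bot: The `ident` member moved into the context structure in the ngx_resolver.h @@ -147,6 +143,9 @@ hunk keeps the comment "event ident must be after 3 pointers as in ngx_connection_t", but nothing enforces that layout, and only two of the preceding members are visible in the hunk. A later insertion above `ident` would silently break whatever code reads the context through a connection-shaped pointer. I would extend the comment to name the members that must stay in front of it and, if the project accepts it, add a build-time or start-up check that compares `offsetof(ngx_resolver_ctx_t, ident)` with the offset of the matching member of ngx_connection_t (I believe that is `fd`, to be confirmed against ngx_connection.h).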
@@ -162,6 +161,8 @@ ngx_uint_t quick; /* unsigned quick:1; */ ngx_uint_t recursion; ngx_event_t *event; + + ngx_resolver_node_t *node; }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/event/modules/ngx_epoll_module.c new/nginx-1.8.1/src/event/modules/ngx_epoll_module.c --- old/nginx-1.8.0/src/event/modules/ngx_epoll_module.c 2015-04-21 16:12:00.000000000 +0200 +++ new/nginx-1.8.1/src/event/modules/ngx_epoll_module.c 2016-01-26 15:39:32.000000000 +0100 @@ -329,7 +329,7 @@ #if (NGX_HAVE_EVENTFD) if (ngx_epoll_notify_init(cycle->log) != NGX_OK) { - return NGX_ERROR; + ngx_epoll_module_ctx.actions.notify = NULL; } #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/event/ngx_event_openssl.c new/nginx-1.8.1/src/event/ngx_event_openssl.c --- old/nginx-1.8.0/src/event/ngx_event_openssl.c 2015-04-21 16:12:00.000000000 +0200 +++ new/nginx-1.8.1/src/event/ngx_event_openssl.c 2016-01-26 15:39:32.000000000 +0100 @@ -1038,6 +1038,8 @@ sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); sc->buffer_size = ssl->buffer_size; + sc->session_ctx = ssl->ctx; + sc->connection = SSL_new(ssl->ctx); if (sc->connection == NULL) { @@ -2303,7 +2305,7 @@ c = ngx_ssl_get_connection(ssl_conn); - ssl_ctx = SSL_get_SSL_CTX(ssl_conn); + ssl_ctx = c->ssl->session_ctx; shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); cache = shm_zone->data; 
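Review bot: In the ngx_epoll_module.c hunk, a failed ngx_epoll_notify_init() now sets `ngx_epoll_module_ctx.actions.notify = NULL` and start-up continues, which turns a hard error into a missing capability. Every user of the notify action therefore has to test for NULL before calling it, and no such caller is part of this diff, so that cannot be confirmed here. A comment at the assignment would record the new rule, for example `/* eventfd unavailable: run without notify; callers must check for NULL */`. If ngx_epoll_notify_init() does not already log the failure itself, a log line here would also help an operator see why features that need notify are unavailable.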
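Review bot: The new `session_ctx` member (set in the ngx_event_openssl.c @@ -1038,6 +1038,8 @@ hunk, declared in ngx_event_openssl.h) has no comment explaining why it is kept next to what `SSL_get_SSL_CTX()` would return. Judging from the changelog entry about different ssl_session_cache settings in different virtual servers, the two presumably diverge once the connection is switched to another server's SSL_CTX, and the session callbacks in @@ -2303, @@ -2441 and @@ -2834 must keep using the context the connection was created with. I would put that on the declaration, e.g. `/* SSL_CTX the connection was created with; session cache and ticket keys are looked up here */`, so that nobody "simplifies" the callbacks back to `SSL_get_SSL_CTX()`.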
@@ -2441,21 +2443,17 @@ ngx_ssl_sess_id_t *sess_id; ngx_ssl_session_cache_t *cache; u_char buf[NGX_SSL_MAX_SESSION_SIZE]; -#if (NGX_DEBUG) ngx_connection_t *c; -#endif hash = ngx_crc32_short(id, (size_t) len); *copy = 0; -#if (NGX_DEBUG) c = ngx_ssl_get_connection(ssl_conn); ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "ssl get session: %08XD:%d", hash, len); -#endif - shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn), + shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, ngx_ssl_session_cache_index); cache = shm_zone->data; @@ -2834,13 +2832,14 @@ SSL_CTX *ssl_ctx; ngx_uint_t i; ngx_array_t *keys; + ngx_connection_t *c; ngx_ssl_session_ticket_key_t *key; #if (NGX_DEBUG) u_char buf[32]; - ngx_connection_t *c; #endif - ssl_ctx = SSL_get_SSL_CTX(ssl_conn); + c = ngx_ssl_get_connection(ssl_conn); + ssl_ctx = c->ssl->session_ctx; keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); if (keys == NULL) { @@ -2849,10 +2848,6 @@ key = keys->elts; -#if (NGX_DEBUG) - c = ngx_ssl_get_connection(ssl_conn); -#endif - if (enc == 1) { /* encrypt session ticket */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/event/ngx_event_openssl.h new/nginx-1.8.1/src/event/ngx_event_openssl.h --- old/nginx-1.8.0/src/event/ngx_event_openssl.h 2015-04-21 16:12:00.000000000 +0200 +++ new/nginx-1.8.1/src/event/ngx_event_openssl.h 2016-01-26 15:39:32.000000000 +0100 @@ -46,6 +46,7 @@ typedef struct { ngx_ssl_conn_t *connection; + SSL_CTX *session_ctx; ngx_int_t last; ngx_buf_t *buf; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/http/ngx_http.c new/nginx-1.8.1/src/http/ngx_http.c --- old/nginx-1.8.0/src/http/ngx_http.c 2015-04-21 16:12:00.000000000 +0200 +++ new/nginx-1.8.1/src/http/ngx_http.c 2016-01-26 15:39:32.000000000 +0100 
@@ -1220,7 +1220,7 @@
 {
 u_char *p;
 size_t len, off;
- ngx_uint_t i, default_server;
+ ngx_uint_t i, default_server, proxy_protocol;
 struct sockaddr *sa;
 ngx_http_conf_addr_t *addr;
 #if (NGX_HAVE_UNIX_DOMAIN)
@@ -1281,6 +1281,8 @@
 /* preserve default_server bit during listen options overwriting */
 default_server = addr[i].opt.default_server;
+ proxy_protocol = lsopt->proxy_protocol || addr[i].opt.proxy_protocol;
+
 #if (NGX_HTTP_SSL)
 ssl = lsopt->ssl || addr[i].opt.ssl;
 #endif
@@ -1314,6 +1316,7 @@
 }
 addr[i].opt.default_server = default_server;
+ addr[i].opt.proxy_protocol = proxy_protocol;
 #if (NGX_HTTP_SSL)
 addr[i].opt.ssl = ssl;
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/http/ngx_http_core_module.c new/nginx-1.8.1/src/http/ngx_http_core_module.c
--- old/nginx-1.8.0/src/http/ngx_http_core_module.c 2015-04-21 16:12:00.000000000 +0200
+++ new/nginx-1.8.1/src/http/ngx_http_core_module.c 2016-01-26 15:39:32.000000000 +0100
@@ -1272,7 +1272,9 @@
 *e.pos = '\0';
- if (alias && ngx_strncmp(name, clcf->name.data, alias) == 0) {
+ if (alias && alias != NGX_MAX_SIZE_T_VALUE
+ && ngx_strncmp(name, r->uri.data, alias) == 0)
+ {
 ngx_memmove(name, name + alias, len - alias);
 path.len -= alias;
 }
@@ -1355,6 +1357,8 @@
 }
 } else {
+ name = r->uri.data;
+
 r->uri.len = alias + path.len;
 r->uri.data = ngx_pnalloc(r->pool, r->uri.len);
 if (r->uri.data == NULL) {
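Review bot: The comment above the new line in the `@@ -1281,6 +1281,8 @@` hunk of `ngx_http.c` still says only `default_server` is preserved, although `proxy_protocol` is now carried across the overwrite too and written back in `@@ -1314,6 +1316,7 @@`. Because the value is OR-ed (`lsopt->proxy_protocol || addr[i].opt.proxy_protocol`), once any `listen` directive for the address sets it the flag stays on for that address, and a later directive cannot clear it. I would reword the comment to `/* preserve default_server and proxy_protocol bits during listen options overwriting; proxy_protocol is sticky once set */`. The enclosing function starts and ends outside these hunks.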
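Review bot: The new condition in the `@@ -1272,7 +1272,9 @@` hunk of `ngx_http_core_module.c` compares `alias` bytes of `r->uri.data`, and `@@ -1362,8 +1366,8 @@` copies `alias` bytes from the saved `name` pointer, with no visible check that the request URI is at least `alias` bytes long. That presumably holds because the location prefix matched the URI, but the invariant is worth stating together with the meaning of the `NGX_MAX_SIZE_T_VALUE` sentinel, since `r->uri.len = alias + path.len` in `@@ -1355,6 +1357,8 @@` would wrap if the sentinel ever reached that branch. I would add `/* alias is the matched prefix length, so r->uri.len >= alias; NGX_MAX_SIZE_T_VALUE marks an alias with no prefix to strip */` above the test, after confirming both points in the code outside these hunks.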
@@ -1362,8 +1366,8 @@
 return NGX_OK;
 }
- p = ngx_copy(r->uri.data, clcf->name.data, alias);
- ngx_memcpy(p, name, path.len);
+ p = ngx_copy(r->uri.data, name, alias);
+ ngx_memcpy(p, path.data, path.len);
 }
 ngx_http_set_exten(r);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/http/ngx_http_request.c new/nginx-1.8.1/src/http/ngx_http_request.c
--- old/nginx-1.8.0/src/http/ngx_http_request.c 2015-04-21 16:12:01.000000000 +0200
+++ new/nginx-1.8.1/src/http/ngx_http_request.c 2016-01-26 15:39:33.000000000 +0100
@@ -770,24 +770,32 @@
 {
 unsigned int len;
 const unsigned char *data;
+ ngx_http_connection_t *hc;
 static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
+ hc = c->data;
+
+ if (hc->addr_conf->spdy) {
+
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
- SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+ SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
 #ifdef TLSEXT_TYPE_next_proto_neg
- if (len == 0) {
- SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
- }
+ if (len == 0) {
+ SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+ }
 #endif
 #else /* TLSEXT_TYPE_next_proto_neg */
- SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+ SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
 #endif
- if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) {
- ngx_http_spdy_init(c->read);
- return;
+ if (len == spdy.len
+ && ngx_strncmp(data, spdy.data, spdy.len) == 0)
+ {
+ ngx_http_spdy_init(c->read);
+ return;
+ }
 }
 }
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.8.0/src/http/ngx_http_upstream.c new/nginx-1.8.1/src/http/ngx_http_upstream.c
--- old/nginx-1.8.0/src/http/ngx_http_upstream.c 2015-04-21 16:12:01.000000000 +0200
+++ new/nginx-1.8.1/src/http/ngx_http_upstream.c 2016-01-26 15:39:33.000000000 +0100
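Review bot: The new `if (hc->addr_conf->spdy)` guard in the `@@ -770,24 +770,32 @@` hunk of `ngx_http_request.c` has no comment saying why a protocol selected through ALPN or NPN is now ignored unless the listening address enabled SPDY. Without one the check looks redundant and could be dropped in a later cleanup, which would again let the TLS negotiation result alone decide which protocol handler runs on the connection. I would add `/* switch to SPDY only if this listen address has it enabled, whatever ALPN/NPN selected */` above the `if`. The enclosing function starts outside the hunk.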
@@ -530,15 +530,24 @@
 r->write_event_handler = ngx_http_request_empty_handler;
- if (rc == NGX_DONE) {
- return;
- }
-
 if (rc == NGX_ERROR) {
 ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
 return;
 }
+ if (rc == NGX_OK) {
+ rc = ngx_http_upstream_cache_send(r, u);
+
+ if (rc == NGX_DONE) {
+ return;
+ }
+
+ if (rc == NGX_HTTP_UPSTREAM_INVALID_HEADER) {
+ rc = NGX_DECLINED;
+ r->cached = 0;
+ }
+ }
+
 if (rc != NGX_DECLINED) {
 ngx_http_finalize_request(r, rc);
 return;
@@ -833,13 +842,7 @@
 case NGX_OK:
- rc = ngx_http_upstream_cache_send(r, u);
-
- if (rc != NGX_HTTP_UPSTREAM_INVALID_HEADER) {
- return rc;
- }
-
- break;
+ return NGX_OK;
 case NGX_HTTP_CACHE_STALE:
++++++ nginx.service ++++++
--- /var/tmp/diff_new_pack.JKEPd3/_old 2016-02-03 10:19:32.000000000 +0100
+++ /var/tmp/diff_new_pack.JKEPd3/_new 2016-02-03 10:19:32.000000000 +0100
@@ -3,11 +3,14 @@
 After=network.target remote-fs.target nss-lookup.target
 [Service]
+PIDFile=/run/nginx.pid
 ExecStartPre=/usr/sbin/nginx -t
 ExecStart=/usr/sbin/nginx -g "daemon off;"
 ExecReload=/bin/kill -s HUP $MAINPID
-ExecStop=/bin/kill -s QUIT $MAINPID
+KillSignal=SIGQUIT
+TimeoutStopSec=5
+KillMode=mixed
 PrivateTmp=true
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
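Review bot: In the `@@ -530,15 +530,24 @@` hunk of `ngx_http_upstream.c` an `NGX_ERROR` returned by `ngx_http_upstream_cache_send()` falls through to `ngx_http_finalize_request(r, rc)`, while an `NGX_ERROR` from the earlier step is mapped to `NGX_HTTP_INTERNAL_SERVER_ERROR` just above. The asymmetry may be intended, since the changelog mentions "header already sent" alerts when using cache, but nothing in the code says so. If that is the reason, I would add `/* cache_send() may fail after the header was sent, so its result is finalized as is */` before the `rc != NGX_DECLINED` test, plus a one-line comment on why `r->cached` is reset when the cached header is invalid. The function body continues outside the hunk.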
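Review bot: `TimeoutStopSec=5` in the `nginx.service` hunk gives the graceful `SIGQUIT` shutdown only five seconds before systemd escalates, and with `KillMode=mixed` the follow-up SIGKILL goes to every process left in the unit, so requests still in flight are aborted on each stop or restart. I would raise the value or justify it in the unit, e.g. `# 5s grace after SIGQUIT, then SIGKILL: in-flight requests may be cut off`. `PIDFile=/run/nginx.pid` is also added while `ExecStart` keeps nginx in the foreground with `daemon off;` and the `[Service]` section shown sets no `Type=forking`, so the file is not needed to find the main process and the path silently has to match the `pid` directive in the nginx configuration. That coupling deserves a comment or the line can be dropped.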