全球主机交流论坛


Remember to patch nginx

Posted 2009-10-17 16:03:29
A patch to fix VU#180065 vulnerability in 0.1.0-0.8.14.
The patch is not required for versions 0.8.16+, 0.7.62+, 0.6.39+, 0.5.38+.
Posted 2009-10-17 16:11:48
Mine is 0.7.61.
Posted 2009-10-17 16:20:51
Where is the download link?
Posted 2009-10-17 16:59:46
Does this involve a security issue? If not, I won't bother patching.
Posted 2009-10-17 17:43:52

Reply to post #1

The patch is not required for versions 0.8.16+, 0.7.62+, 0.6.39+, 0.5.38+.

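What exactly is the problem?

The impact is so wide. Do I really have to upgrade to 0.8.20?
Posted 2009-10-17 17:47:21
Do we need to update?

The latest version as of 10/14 is nginx-0.8.20. Download link:
http://nginx.net/
Posted 2009-10-17 17:47:31
Ugh, what is the problem? I have to upgrade too.
Posted 2009-10-17 17:49:43
Ugh, it looks like a security vulnerability.
Posted 2009-10-17 17:51:41
Frequent bug-fix updates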


Changes with nginx 0.8.20                                        14 Oct 2009

    *) Change: now default SSL ciphers are "HIGH:!ADH:!MD5".

    *) Bugfix: the ngx_http_autoindex_module did not show the trailing
       slash in links to a directory; the bug had appeared in 0.7.15.

    *) Bugfix: nginx did not close a log file set by the --error-log-path
       configuration option; the bug had appeared in 0.7.53.

    *) Bugfix: nginx did not treat a comma as separator in the
       "Cache-Control" backend response header line.

    *) Bugfix: nginx/Windows might not create temporary file, a cache file,
       or "proxy/fastcgi_store"d file if a worker has no enough access
       rights for top level directories.

    *) Bugfix: the "Set-Cookie" and "3P" FastCGI response header lines
       were not hidden while caching if no "fastcgi_hide_header" directives
       were used with any parameters.

    *) Bugfix: nginx counted incorrectly disk cache size.


Changes with nginx 0.8.19                                        06 Oct 2009

    *) Change: now SSLv2 protocol is disabled by default.

    *) Change: now default SSL ciphers are "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM".

    *) Bugfix: a "limit_req" directive did not work; the bug had appeared
       in 0.8.18.


Changes with nginx 0.8.18                                        06 Oct 2009

    *) Feature: the "read_ahead" directive.

    *) Feature: now several "perl_modules" directives may be used.

    *) Feature: the "limit_req_log_level" and "limit_conn_log_level"
       directives.

    *) Bugfix: now "limit_req" directive conforms to the leaky bucket
       algorithm.
       Thanks to Maxim Dounin.

    *) Bugfix: nginx did not work on Linux/sparc.
       Thanks to Marcus Ramberg.

    *) Bugfix: nginx sent '\0' in a "Location" response header line on
       MKCOL request.
       Thanks to Xie Zhenye.

    *) Bugfix: zero status code was logged instead of 499 status code; the
       bug had appeared in 0.8.11.

    *) Bugfix: socket leak; the bug had appeared in 0.8.11.


Changes with nginx 0.8.17                                        28 Sep 2009

    *) Security: now "/../" are disabled in "Destination" request header
       line.

    *) Change: now $host variable value is always low case.

    *) Feature: the $ssl_session_id variable.

    *) Bugfix: socket leak; the bug had appeared in 0.8.11.


Changes with nginx 0.8.16                                        22 Sep 2009

    *) Feature: the "image_filter_transparency" directive.

    *) Bugfix: "addition_types" directive was incorrectly named
       "addtion_types".

    *) Bugfix: resolver cache poisoning.
       Thanks to Matthew Dempsky.

    *) Bugfix: memory leak in resolver.
       Thanks to Matthew Dempsky.

    *) Bugfix: invalid request line in $request variable was written in
       access_log only if error_log was set to "info" or "debug" level.

    *) Bugfix: in PNG alpha-channel support in the
       ngx_http_image_filter_module.

    *) Bugfix: nginx always added "Vary: Accept-Encoding" response header
       line, if both "gzip_static" and "gzip_vary" were on.

    *) Bugfix: in UTF-8 encoding support by "try_files" directive in
       nginx/Windows.

    *) Bugfix: in "post_action" directive usage; the bug had appeared in
       0.8.11.
       Thanks to Igor Artemiev.


Changes with nginx 0.8.15                                        14 Sep 2009

    *) Security: a segmentation fault might occur in worker process while
       specially crafted request handling.
       Thanks to Chris Ries.

    *) Bugfix: if names .domain.tld, .sub.domain.tld, and .domain-some.tld
       were defined, then the name .sub.domain.tld was matched by
       .domain.tld.

    *) Bugfix: in transparency support in the ngx_http_image_filter_module.

    *) Bugfix: in file AIO.

    *) Bugfix: in X-Accel-Redirect usage; the bug had appeared in 0.8.11.

    *) Bugfix: in embedded perl module; the bug had appeared in 0.8.11.


Changes with nginx 0.8.14                                        07 Sep 2009

    *) Bugfix: an expired cached response might stick in the "UPDATING"
       state.

    *) Bugfix: a segmentation fault might occur in worker process, if
       error_log was set to info or debug level.
       Thanks to Sergey Bochenkov.

    *) Bugfix: in embedded perl module; the bug had appeared in 0.8.11.

    *) Bugfix: an "error_page" directive did not redirect a 413 error; the
       bug had appeared in 0.6.10.


Changes with nginx 0.8.13                                        31 Aug 2009

    *) Bugfix: in the "aio sendfile" directive; the bug had appeared in
       0.8.12.

    *) Bugfix: nginx could not be built without the --with-file-aio option
       on FreeBSD; the bug had appeared in 0.8.12.


Changes with nginx 0.8.12                                        31 Aug 2009

    *) Feature: the "sendfile" parameter in the "aio" directive on FreeBSD.

    *) Bugfix: in try_files; the bug had appeared in 0.8.11.

    *) Bugfix: in memcached; the bug had appeared in 0.8.11.


Changes with nginx 0.8.11                                        28 Aug 2009

    *) Change: now directive "gzip_disable msie6" does not disable gzipping
       for MSIE 6.0 SV1.

    *) Feature: file AIO support on FreeBSD and Linux.

    *) Feature: the "directio_alignment" directive.


Changes with nginx 0.8.10                                        24 Aug 2009

    *) Bugfix: memory leaks if GeoIP City database was used.

    *) Bugfix: in copying temporary files to permanent storage area; the
       bug had appeared in 0.8.9.


Changes with nginx 0.8.9                                         17 Aug 2009

    *) Feature: now the start cache loader runs in a separate process; this
       should improve large caches handling.

    *) Feature: now temporary files and permanent storage area may reside
       at different file systems.


Changes with nginx 0.8.8                                         10 Aug 2009

    *) Bugfix: in handling FastCGI headers split in records.

    *) Bugfix: a segmentation fault occurred in worker process, if a
       request was handled in two proxied or FastCGIed locations and a
       caching was enabled in the first location; the bug had appeared in
       0.8.7.


Changes with nginx 0.8.7                                         27 Jul 2009

    *) Change: minimum supported OpenSSL version is 0.9.7.

    *) Change: the "ask" parameter of the "ssl_verify_client" directive was
       changed to the "optional" parameter and now it checks a client
       certificate if it was offered.
       Thanks to Brice Figureau.

    *) Feature: the $ssl_client_verify variable.
       Thanks to Brice Figureau.

    *) Feature: the "ssl_crl" directive.
       Thanks to Brice Figureau.

    *) Feature: the "proxy" parameter of the "geo" directive.

    *) Feature: the "image_filter" directive supports variables for setting
       size.

    *) Bugfix: the $ssl_client_cert variable usage corrupted memory; the
       bug had appeared in 0.7.7.
       Thanks to Sergey Zhuravlev.

    *) Bugfix: "proxy_pass_header" and "fastcgi_pass_header" directives did
       not pass to a client the "X-Accel-Redirect", "X-Accel-Limit-Rate",
       "X-Accel-Buffering", and "X-Accel-Charset" lines from backend
       response header.
       Thanks to Maxim Dounin.

    *) Bugfix: in handling "Last-Modified" and "Accept-Ranges" backend
       response header lines; the bug had appeared in 0.7.44.
       Thanks to Maxim Dounin.

    *) Bugfix: the "[alert] zero size buf" error if subrequest returns an
       empty response; the bug had appeared in 0.8.5.


Changes with nginx 0.8.6                                         20 Jul 2009

    *) Feature: the ngx_http_geoip_module.

    *) Bugfix: XSLT filter may fail with message "not well formed XML
       document" for valid XML document.
       Thanks to Kuramoto Eiji.

    *) Bugfix: now in MacOSX, Cygwin, and nginx/Windows locations given by
       a regular expression are always tested in case insensitive mode.

    *) Bugfix: now nginx/Windows ignores trailing dots in URI.
       Thanks to Hugo Leisink.

    *) Bugfix: name of file specified in --conf-path was not honored during
       installation; the bug had appeared in 0.6.6.
       Thanks to Maxim Dounin.


Changes with nginx 0.8.5                                         13 Jul 2009

    *) Bugfix: now nginx allows underscores in a request method.

    *) Bugfix: a 500 error code was returned for invalid login/password
       while HTTP Basic authentication on Windows.

    *) Bugfix: ngx_http_perl_module responses did not work in subrequests.

    *) Bugfix: in ngx_http_limit_req_module.
       Thanks to Maxim Dounin.
Posted 2009-10-17 18:32:37
Originally posted by freebsd on 2009-10-17 17:49
Ugh, it looks like a security vulnerability.

Where is there a detailed explanation?
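
An added example, not part of the thread and not nginx project code: a shell check that classifies a version string against the thresholds quoted in the first post (patch range 0.1.0-0.8.14; not required for 0.8.16+, 0.7.62+, 0.6.39+, 0.5.38+). The function names and the sample banner lines are assumptions made for illustration; a version the quoted text does not cover, such as 0.8.15, is reported as unknown.

```shell
#!/bin/sh
# Added example: classify an nginx version against the VU#180065 thresholds
# quoted in the first post. Function names are hypothetical.

# ver_key "0.7.61" -> 7061; fails on anything that is not N.N.N
ver_key() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Extract the version from an "nginx -v" banner line.
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Prints one of: fixed | needs-patch | unknown | invalid
patch_status() {
    v=$(ver_key "$1") || { echo invalid; return 0; }
    case "${1%.*}" in            # branch, e.g. "0.7"
        0.8) fixed=0.8.16 ;;     # "not required for" thresholds from the post
        0.7) fixed=0.7.62 ;;
        0.6) fixed=0.6.39 ;;
        0.5) fixed=0.5.38 ;;
        *)   fixed= ;;
    esac
    if [ -n "$fixed" ] && [ "$v" -ge "$(ver_key "$fixed")" ]; then
        echo fixed
    elif [ "$v" -ge "$(ver_key 0.1.0)" ] && [ "$v" -le "$(ver_key 0.8.14)" ]; then
        echo needs-patch         # inside the patch's stated range 0.1.0-0.8.14
    else
        echo unknown             # not covered by the quoted text (e.g. 0.8.15)
    fi
}

# Constructed sample banners, not real output from any host.
for banner in "nginx version: nginx/0.7.61" "nginx version: nginx/0.8.20" \
              "nginx version: nginx/0.8.15"; do
    ver=$(version_from_banner "$banner")
    echo "$ver: $(patch_status "$ver")"
done
```

On a live host the banner would come from `nginx -v 2>&1`, since nginx writes its version line to standard error.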