pkgsrc-Changes archive
CVS commit: pkgsrc/www/nginx
Module Name: pkgsrc
Committed By: wiz
Date: Mon Apr 20 09:52:56 UTC 2026
Modified Files:
pkgsrc/www/nginx: Makefile distinfo
pkgsrc/www/nginx/patches: patch-conf_nginx.conf
Log Message:
nginx: update to 1.30.0.
Changes with nginx 1.30.0 14 Apr 2026
*) 1.30.x stable branch.
Changes with nginx 1.29.8 07 Apr 2026
*) Feature: the "max_headers" directive.
Thanks to Maxim Dounin.
*) Feature: OpenSSL 4.0 compatibility.
*) Feature: now the "include" directive inside the "geo" block supports
wildcards.
*) Bugfix: in processing of HTTP 103 (Early Hints) responses from a
proxied backend.
*) Bugfix: the $request_port and $is_request_port variables were not
available in subrequests.
Changes with nginx 1.29.7 24 Mar 2026
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
Thanks to Calif.io in collaboration with Claude and Anthropic
Research.
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
Thanks to Prabhav Srinath (sprabhav7).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
Thanks to Xint Code and Pavel Kohout (Aisle Research).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
Thanks to Arkadi Vainbrand.
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan
University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou
University).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
Thanks to Mufeed VH of Winfunc Research.
*) Feature: the "multipath" parameter of the "listen" directive.
*) Feature: the "local" parameter of the "keepalive" directive in the
"upstream" block.
*) Change: now the "keepalive" directive in the "upstream" block is
enabled by default.
*) Change: now ngx_http_proxy_module supports keepalive by default; the
default value for "proxy_http_version" is "1.1"; the "Connection"
proxy header is not sent by default anymore.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream if buffered body was used in the
ngx_http_grpc_module.
Changes with nginx 1.29.6 10 Mar 2026
*) Feature: session affinity support; the "sticky" directive in the
"upstream" block of the "http" module; the "server" directive
supports the "route" and "drain" parameters.
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: "[crit] cache file ... contains invalid header" messages
might appear in logs when sending a cached HTTP/2 response.
*) Bugfix: proxying to scgi backends might not work when using chunked
transfer encoding and the "scgi_request_buffering" directive.
Thanks to Mufeed VH.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Andrew Lacambra.
*) Bugfix: nginx treated a comma as separator in the "Cookie" request
header line when evaluating "$cookie_..." variables.
*) Bugfix: in IMAP command literal argument parsing.
Changes with nginx 1.29.5 04 Feb 2026
*) Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
*) Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream.
*) Bugfix: a response with multiple ranges might be larger than the
source response.
*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and
uwsgi backends.
*) Bugfix: fixed warning when compiling with MSVC 2022 x86.
*) Change: the logging level of the "ech_required" SSL error has been
lowered from "crit" to "info".
Changes with nginx 1.29.4 09 Dec 2025
*) Feature: the ngx_http_proxy_module supports HTTP/2.
*) Feature: Encrypted ClientHello TLS extension support when using
OpenSSL ECH feature branch; the "ssl_ech_file" directive.
Thanks to Stephen Farrell.
*) Change: validation of host and port in the request line, "Host"
header field, and ":authority" pseudo-header field has been changed
to follow RFC 3986.
*) Change: now a single LF used as a line terminator in a chunked
request or response body is considered an error.
*) Bugfix: when using HTTP/3 with OpenSSL 3.5.1 or newer a segmentation
fault might occur in a worker process; the bug had appeared in
1.29.1.
Thanks to Jan Svojanovsky.
*) Bugfix: a segmentation fault might occur in a worker process if the
"try_files" directive and "proxy_pass" with a URI were used.
Changes with nginx 1.29.3 28 Oct 2025
*) Feature: the "add_header_inherit" and "add_trailer_inherit"
directives.
*) Feature: the $request_port and $is_request_port variables.
*) Feature: the $ssl_sigalg and $ssl_client_sigalg variables.
*) Feature: the "volatile" parameter of the "geo" directive.
*) Feature: now certificate compression is available with BoringSSL.
*) Bugfix: now certificate compression is disabled with OCSP stapling.
Changes with nginx 1.29.2 07 Oct 2025
*) Feature: now nginx can be built with AWS-LC.
Thanks Samuel Chiang.
*) Bugfix: now the "ssl_protocols" directive works in a virtual server
different from the default server when using OpenSSL 1.1.1 or newer.
*) Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL
and client certificates and resuming a session with a different SNI
value; the bug had appeared in 1.27.4.
*) Bugfix: the "ignoring stale global SSL error" alerts might appear in
logs when using QUIC and the "ssl_reject_handshake" directive; the
bug had appeared in 1.29.0.
Thanks to Vladimir Homutov.
*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
response header line.
*) Bugfix: an XCLIENT command didn't use the xtext encoding.
Thanks to Igor Morgenstern of Aisle Research.
*) Bugfix: in SSL certificate caching during reconfiguration.
Changes with nginx 1.29.1 13 Aug 2025
*) Security: processing of a specially crafted login/password when using
the "none" authentication method in the ngx_mail_smtp_module might
cause worker process memory disclosure to the authentication server
(CVE-2025-53859).
*) Change: now TLSv1.3 certificate compression is disabled by default.
*) Feature: the "ssl_certificate_compression" directive.
*) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
*) Bugfix: the 103 response might be buffered when using HTTP/2 and the
"early_hints" directive.
*) Bugfix: in handling "Host" and ":authority" header lines with equal
values when using HTTP/2; the bug had appeared in 1.17.9.
*) Bugfix: in handling "Host" header lines with a port when using
HTTP/3.
*) Bugfix: nginx could not be built on NetBSD 10.0.
*) Bugfix: in the "none" parameter of the "smtp_auth" directive.
Changes with nginx 1.29.0 24 Jun 2025
*) Feature: support for response code 103 from proxy and gRPC backends;
the "early_hints" directive.
*) Feature: loading of secret keys from hardware tokens with OpenSSL
provider.
*) Feature: support for the "so_keepalive" parameter of the "listen"
directive on macOS.
*) Change: the logging level of SSL errors in a QUIC handshake has been
changed from "error" to "crit" for critical errors, and to "info" for
the rest; the logging level of unsupported QUIC transport parameters
has been lowered from "info" to "debug".
*) Change: the native nginx/Windows binary release is now built using
Windows SDK 10.
*) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
ngx_http_v3_module modules were used.
*) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
optimization if ngx_http_v3_module was used.
*) Bugfixes and improvements in HTTP/3.
To generate a diff of this commit:
cvs rdiff -u -r1.189 -r1.190 pkgsrc/www/nginx/Makefile
cvs rdiff -u -r1.139 -r1.140 pkgsrc/www/nginx/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/nginx/patches/patch-conf_nginx.conf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/nginx/Makefile
diff -u pkgsrc/www/nginx/Makefile:1.189 pkgsrc/www/nginx/Makefile:1.190
--- pkgsrc/www/nginx/Makefile:1.189 Wed Mar 4 05:56:31 2026
+++ pkgsrc/www/nginx/Makefile Mon Apr 20 09:52:56 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.189 2026/03/04 05:56:31 adam Exp $
+# $NetBSD: Makefile,v 1.190 2026/04/20 09:52:56 wiz Exp $
-DISTNAME= nginx-1.28.2
+DISTNAME= nginx-1.30.0
CATEGORIES= www
MASTER_SITES= https://nginx.org/download/
DISTFILES= ${DEFAULT_DISTFILES}
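Review bot: the DISTNAME change from nginx-1.28.2 to nginx-1.30.0 skips the whole 1.29.x series, and the log message lists defaults that change along the way: "keepalive" in the "upstream" block enabled by default, "proxy_http_version" defaulting to "1.1", the "Connection" proxy header no longer sent, and a single LF terminator in chunked bodies now treated as an error. Nothing in this hunk tells a pkgsrc user that an existing nginx.conf may behave differently after the upgrade. Suggest a short note for upgraders in the package documentation, and confirming that the third-party module distfiles pinned in distinfo still build against 1.30.0.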
Index: pkgsrc/www/nginx/distinfo
diff -u pkgsrc/www/nginx/distinfo:1.139 pkgsrc/www/nginx/distinfo:1.140
--- pkgsrc/www/nginx/distinfo:1.139 Wed Mar 4 05:56:31 2026
+++ pkgsrc/www/nginx/distinfo Mon Apr 20 09:52:56 2026
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.139 2026/03/04 05:56:31 adam Exp $
+$NetBSD: distinfo,v 1.140 2026/04/20 09:52:56 wiz Exp $
BLAKE2s (array-var-nginx-module-0.06.tar.gz) = fa6ad2a2ce3c3eba3f69287b224e9c01fcaca29a083394ab74f2f655d3e2138b
SHA512 (array-var-nginx-module-0.06.tar.gz) = bc72158856a1be18a26ee04c6b5b0f0a20bcce688610a493bf31e2a133e7eb12e11f7c18197a09a72b1513f6a08348ee5281b9d5b84cf43603539040ebd23c26
@@ -27,9 +27,9 @@ Size (naxsi-1.7-src-with-deps.tar.gz) =
BLAKE2s (nchan-1.3.7.tar.gz) = 27da0a52c9123186a321a01b02cb004eed0623110aafa6737dd43ceeff766010
SHA512 (nchan-1.3.7.tar.gz) = 585c6f9107b84354e7f6c587f85cf554dd5c213b1e3baa75e0aee0b28520afb9cffff1812c32e81541a1f25773fc58d1b92ce6bd9d85accc12f37841633eb79b
Size (nchan-1.3.7.tar.gz) = 665133 bytes
-BLAKE2s (nginx-1.28.2.tar.gz) = 8b0063a06851dab60f51b046633cecfb70d5ec397ce21b3c8f4b3af56303b9a1
-SHA512 (nginx-1.28.2.tar.gz) = 914aeaa816e1bb30d346015c7ac4998461fb4fca37df7a7b565b6e5583f21872b28ba41353f2caf620cf9fae71c6890fafb76b57cc4c79e8c949b221da204476
-Size (nginx-1.28.2.tar.gz) = 1282351 bytes
+BLAKE2s (nginx-1.30.0.tar.gz) = 681479e840b500b4562aa925d688fd49b382d7c87a185b2c44eab7491227379b
+SHA512 (nginx-1.30.0.tar.gz) = 9df502279583ea305e2d7a4cbe67c54cbcdb880f1caf010d582eea8839bda3bc6dd5e244bb79e848a70ad0c9fda9927cb8d9d8c5fc1bc49acc2da9e734543d7c
+Size (nginx-1.30.0.tar.gz) = 1324188 bytes
BLAKE2s (nginx-dav-ext-module-3.0.0.tar.gz) = 8e823ffd605d4fca00eb3ca92a0954ca35fb178397e0b990fea7d47580ee582f
SHA512 (nginx-dav-ext-module-3.0.0.tar.gz) = d0193ba90f1ef46c4e470630c4394bdf99d94fd2e3bd8be6cb2ba1655ec59944b1269025f032b79dc2c6dad366e54389ef6a6da2ddeb91d535a4027f2162fbde
Size (nginx-dav-ext-module-3.0.0.tar.gz) = 14558 bytes
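Review bot: please confirm that the new BLAKE2s and SHA512 values for nginx-1.30.0.tar.gz were generated from a tarball fetched from the MASTER_SITES URL shown in the Makefile (https://nginx.org/download/) and checked against upstream's detached PGP signature before commit. distinfo only records what the committer's fetch produced, so it protects later builders against a changed file but not against a bad first download. The Size change from 1282351 to 1324188 bytes is plausible for a branch jump but is not evidence on its own.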
@@ -68,4 +68,4 @@ SHA512 (vozlt-nginx-module-vts-bdb2699_G
Size (vozlt-nginx-module-vts-bdb2699_GH.tar.gz) = 185041 bytes
SHA1 (patch-auto_cc_conf) = 5e6a479ba419cd16dedeb3b4c47dc685d126ef6a
SHA1 (patch-auto_install) = 3b3a0f9f4c005b707664554fa57a58c9e3b7de60
-SHA1 (patch-conf_nginx.conf) = d2ca1954e9682b9d0007cc02e5841e3986ecf5c1
+SHA1 (patch-conf_nginx.conf) = 0b906e2347c80e32bad59798466dc260e43daf41
Index: pkgsrc/www/nginx/patches/patch-conf_nginx.conf
diff -u pkgsrc/www/nginx/patches/patch-conf_nginx.conf:1.3 pkgsrc/www/nginx/patches/patch-conf_nginx.conf:1.4
--- pkgsrc/www/nginx/patches/patch-conf_nginx.conf:1.3 Wed Apr 23 18:33:05 2025
+++ pkgsrc/www/nginx/patches/patch-conf_nginx.conf Mon Apr 20 09:52:56 2026
@@ -1,8 +1,8 @@
-$NetBSD: patch-conf_nginx.conf,v 1.3 2025/04/23 18:33:05 osa Exp $
+$NetBSD: patch-conf_nginx.conf,v 1.4 2026/04/20 09:52:56 wiz Exp $
Adapt config file for pkgsrc.
---- conf/nginx.conf.orig 2014-04-24 12:52:24.000000000 +0000
+--- conf/nginx.conf.orig 2026-04-14 13:10:11.000000000 +0000
+++ conf/nginx.conf
@@ -1,28 +1,29 @@
@@ -13,14 +13,14 @@ Adapt config file for pkgsrc.
-#error_log logs/error.log;
-#error_log logs/error.log notice;
-#error_log logs/error.log info;
--
--#pid logs/nginx.pid;
+#error_log %%NGINX_LOGDIR%%/error.log;
+#error_log %%NGINX_LOGDIR%%/error.log notice;
+#error_log %%NGINX_LOGDIR%%/error.log info;
+-#pid logs/nginx.pid;
+#pid %%NGINX_PIDDIR%%/nginx.pid;
+-
events {
+ # After increasing this value You probably should increase limit
+ # of file descriptors (for example in start_precmd in startup script)
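Review bot: the removal of the blank line now follows the "#pid" pair instead of preceding "-#pid logs/nginx.pid;" as in revision 1.3, so the regenerated patch depends on the exact blank-line layout of the 1.30.0 sample config. Confirm that it applies to conf/nginx.conf from the new tarball without offset or fuzz, and that %%NGINX_LOGDIR%% and %%NGINX_PIDDIR%% are still substituted at install time. As a style point, the added comment "After increasing this value You probably should increase limit" would read better with a lower-case "you" and "the limit".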
@@ -42,9 +42,9 @@ Adapt config file for pkgsrc.
sendfile on;
#tcp_nopush on;
-@@ -38,10 +39,10 @@ http {
-
- #charset koi8-r;
+@@ -36,10 +37,10 @@ http {
+ listen 80;
+ server_name localhost;
- #access_log logs/host.access.log main;
+ #access_log %%NGINX_LOGDIR%%/host.access.log main;
@@ -55,7 +55,7 @@ Adapt config file for pkgsrc.
index index.html index.htm;
}
-@@ -51,7 +52,7 @@ http {
+@@ -49,7 +50,7 @@ http {
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
@@ -64,7 +64,7 @@ Adapt config file for pkgsrc.
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
-@@ -67,7 +68,7 @@ http {
+@@ -65,7 +66,7 @@ http {
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
@@ -73,7 +73,7 @@ Adapt config file for pkgsrc.
#}
# deny access to .htaccess files, if Apache's document root
-@@ -87,7 +88,7 @@ http {
+@@ -85,7 +86,7 @@ http {
# server_name somename alias another.alias;
# location / {
@@ -82,7 +82,7 @@ Adapt config file for pkgsrc.
# index index.html index.htm;
# }
#}
-@@ -109,7 +110,7 @@ http {
+@@ -107,7 +108,7 @@ http {
# ssl_prefer_server_ciphers on;
# location / {