update nginx to v1.25.4

Author: webcpp

CHANGES

@@ -1,4 +1,47 @@
 
+Changes with nginx 1.25.4                                        14 Feb 2024
+
+    *) Security: when using HTTP/3 a segmentation fault might occur in a
+       worker process while processing a specially crafted QUIC session
+       (CVE-2024-24989, CVE-2024-24990).
+
+    *) Bugfix: connections with pending AIO operations might be closed
+       prematurely during graceful shutdown of old worker processes.
+
+    *) Bugfix: socket leak alerts no longer logged when fast shutdown was
+       requested after graceful shutdown of old worker processes.
+
+    *) Bugfix: a socket descriptor error, a socket leak, or a segmentation
+       fault in a worker process (for SSL proxying) might occur if AIO was
+       used in a subrequest.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if SSL
+       proxying was used along with the "image_filter" directive and errors
+       with code 415 were redirected with the "error_page" directive.
+
+    *) Bugfixes and improvements in HTTP/3.
+
+
+Changes with nginx 1.25.3                                        24 Oct 2023
+
+    *) Change: improved detection of misbehaving clients when using HTTP/2.
+
+    *) Feature: startup speedup when using a large number of locations.
+       Thanks to Yusuke Nojima.
+
+    *) Bugfix: a segmentation fault might occur in a worker process when
+       using HTTP/2 without SSL; the bug had appeared in 1.25.1.
+
+    *) Bugfix: the "Status" backend response header line with an empty
+       reason phrase was handled incorrectly.
+
+    *) Bugfix: memory leak during reconfiguration when using the PCRE2
+       library.
+       Thanks to ZhenZhong Wu.
+
+    *) Bugfixes and improvements in HTTP/3.
+
+
 Changes with nginx 1.25.2                                        15 Aug 2023
 
     *) Feature: path MTU discovery when using HTTP/3.

CHANGES.ru

@@ -1,4 +1,51 @@
 
+Изменения в nginx 1.25.4                                          14.02.2024
+
+    *) Безопасность: при использовании HTTP/3 в рабочем процессе мог
+       произойти segmentation fault во время обработки специально созданной
+       QUIC-сессии (CVE-2024-24989, CVE-2024-24990).
+
+    *) Исправление: соединения с незавершенными AIO-операциями могли
+       закрываться преждевременно во время плавного завершения старых
+       рабочих процессов.
+
+    *) Исправление: теперь nginx не пишет в лог сообщения об утечке сокетов,
+       если во время плавного завершения старых рабочих процессов было
+       запрошено быстрое завершение.
+
+    *) Исправление: при использовании AIO в подзапросе могла происходить
+       ошибка на сокете, утечка сокетов, либо segmentation fault в рабочем
+       процессе (при SSL-проксировании).
+
+    *) Исправление: в рабочем процессе мог произойти segmentation fault,
+       если использовалось SSL-проксирование и директива image_filter, а
+       ошибки с кодом 415 перенаправлялись с помощью директивы error_page.
+
+    *) Исправления и улучшения в HTTP/3.
+
+
+Изменения в nginx 1.25.3                                          24.10.2023
+
+    *) Изменение: улучшено детектирование некорректного поведения клиентов
+       при использовании HTTP/2.
+
+    *) Добавление: уменьшение времени запуска при использовании большого
+       количества location'ов.
+       Спасибо Yusuke Nojima.
+
+    *) Исправление: при использовании HTTP/2 без SSL в рабочем процессе мог
+       произойти segmentation fault; ошибка появилась в 1.25.1.
+
+    *) Исправление: строка "Status" в заголовке ответа бэкенда с пустой
+       поясняющей фразой обрабатывалась некорректно.
+
+    *) Исправление: утечки памяти во время переконфигурации при
+       использовании библиотеки PCRE2.
+       Спасибо ZhenZhong Wu.
+
+    *) Исправления и улучшения в HTTP/3.
+
+
 Изменения в nginx 1.25.2                                          15.08.2023
 
     *) Добавление: path MTU discovery при использовании HTTP/3.

LICENSE

@@ -1,6 +1,6 @@
 /* 
  * Copyright (C) 2002-2021 Igor Sysoev
- * Copyright (C) 2011-2023 Nginx, Inc.
+ * Copyright (C) 2011-2024 Nginx, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1025002
-#define NGINX_VERSION      "1.25.2"
+#define nginx_version      1025004
+#define NGINX_VERSION      "1.25.4"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/core/ngx_module.h

@@ -107,7 +107,12 @@
 #endif
 
 #define NGX_MODULE_SIGNATURE_17  "0"
+
+#if (NGX_QUIC || NGX_COMPAT)
+#define NGX_MODULE_SIGNATURE_18  "1"
+#else
 #define NGX_MODULE_SIGNATURE_18  "0"
+#endif
 
 #if (NGX_HAVE_OPENAT)
 #define NGX_MODULE_SIGNATURE_19  "1"

src/core/ngx_queue.c

@@ -9,6 +9,10 @@
 #include <ngx_core.h>
 
 
+static void ngx_queue_merge(ngx_queue_t *queue, ngx_queue_t *tail,
+    ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *));
+
+
 /*
  * find the middle queue element if the queue has odd number of elements
  * or the first element of the queue's second part otherwise
@@ -45,36 +49,58 @@ ngx_queue_middle(ngx_queue_t *queue)
 }
 
 
-/* the stable insertion sort */
+/* the stable merge sort */
 
 void
 ngx_queue_sort(ngx_queue_t *queue,
     ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *))
 {
-    ngx_queue_t  *q, *prev, *next;
+    ngx_queue_t  *q, tail;
 
     q = ngx_queue_head(queue);
 
     if (q == ngx_queue_last(queue)) {
         return;
     }
 
-    for (q = ngx_queue_next(q); q != ngx_queue_sentinel(queue); q = next) {
+    q = ngx_queue_middle(queue);
+
+    ngx_queue_split(queue, q, &tail);
+
+    ngx_queue_sort(queue, cmp);
+    ngx_queue_sort(&tail, cmp);
+
+    ngx_queue_merge(queue, &tail, cmp);
+}
+
 
-        prev = ngx_queue_prev(q);
-        next = ngx_queue_next(q);
+static void
+ngx_queue_merge(ngx_queue_t *queue, ngx_queue_t *tail,
+    ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *))
+{
+    ngx_queue_t  *q1, *q2;
 
-        ngx_queue_remove(q);
+    q1 = ngx_queue_head(queue);
+    q2 = ngx_queue_head(tail);
 
-        do {
-            if (cmp(prev, q) <= 0) {
-                break;
-            }
+    for ( ;; ) {
+        if (q1 == ngx_queue_sentinel(queue)) {
+            ngx_queue_add(queue, tail);
+            break;
+        }
 
-            prev = ngx_queue_prev(prev);
+        if (q2 == ngx_queue_sentinel(tail)) {
+            break;
+        }
+
+        if (cmp(q1, q2) <= 0) {
+            q1 = ngx_queue_next(q1);
+            continue;
+        }
 
-        } while (prev != ngx_queue_sentinel(queue));
+        ngx_queue_remove(q2);
+        ngx_queue_insert_before(q1, q2);
 
-        ngx_queue_insert_after(prev, q);
+        q2 = ngx_queue_head(tail);
     }
 }

src/core/ngx_queue.h

@@ -47,6 +47,9 @@ struct ngx_queue_s {
     (h)->prev = x
 
 
+#define ngx_queue_insert_before   ngx_queue_insert_tail
+
+
 #define ngx_queue_head(h)                                                     \
     (h)->next
 

src/core/ngx_regex.c

@@ -600,6 +600,8 @@ ngx_regex_cleanup(void *data)
      * the new cycle, these will be re-allocated.
      */
 
+    ngx_regex_malloc_init(NULL);
+
     if (ngx_regex_compile_context) {
         pcre2_compile_context_free(ngx_regex_compile_context);
         ngx_regex_compile_context = NULL;
@@ -611,6 +613,8 @@ ngx_regex_cleanup(void *data)
         ngx_regex_match_data_size = 0;
     }
 
+    ngx_regex_malloc_done();
+
 #endif
 }
 
@@ -706,9 +710,6 @@ ngx_regex_module_init(ngx_cycle_t *cycle)
     ngx_regex_malloc_done();
 
     ngx_regex_studies = NULL;
-#if (NGX_PCRE2)
-    ngx_regex_compile_context = NULL;
-#endif
 
     return NGX_OK;
 }

src/event/ngx_event_openssl.c

@@ -1105,7 +1105,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
     BIO               *rbio, *wbio;
     ngx_connection_t  *c;
 
-#ifndef SSL_OP_NO_RENEGOTIATION
+#if (!defined SSL_OP_NO_RENEGOTIATION                                         \
+     && !defined SSL_OP_NO_CLIENT_RENEGOTIATION)
 
     if ((where & SSL_CB_HANDSHAKE_START)
         && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
@@ -1838,18 +1839,17 @@ ngx_ssl_handshake(ngx_connection_t *c)
         c->read->ready = 1;
         c->write->ready = 1;
 
-#ifndef SSL_OP_NO_RENEGOTIATION
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+#if (!defined SSL_OP_NO_RENEGOTIATION                                         \
+     && !defined SSL_OP_NO_CLIENT_RENEGOTIATION                               \
+     && defined SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS                             \
+     && OPENSSL_VERSION_NUMBER < 0x10100000L)
 
         /* initial handshake done, disable renegotiation (CVE-2009-3555) */
         if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
             c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
         }
 
 #endif
-#endif
-#endif
 
 #if (defined BIO_get_ktls_send && !NGX_WIN32)
 
@@ -2483,7 +2483,8 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
     int        sslerr;
     ngx_err_t  err;
 
-#ifndef SSL_OP_NO_RENEGOTIATION
+#if (!defined SSL_OP_NO_RENEGOTIATION                                         \
+     && !defined SSL_OP_NO_CLIENT_RENEGOTIATION)
 
     if (c->ssl->renegotiation) {
         /*
@@ -5186,6 +5187,9 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
     }
 
     curves = ngx_palloc(pool, n * sizeof(int));
+    if (curves == NULL) {
+        return NGX_ERROR;
+    }
 
     n = SSL_get1_curves(c->ssl->connection, curves);
     len = 0;

src/event/ngx_event_openssl.h

@@ -45,7 +45,7 @@
 
 #if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
 #undef OPENSSL_VERSION_NUMBER
-#if (LIBRESSL_VERSION_NUMBER >= 0x2080000fL)
+#if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL)
 #define OPENSSL_VERSION_NUMBER  0x1010000fL
 #else
 #define OPENSSL_VERSION_NUMBER  0x1000107fL

src/event/ngx_event_openssl_stapling.c

@@ -893,7 +893,7 @@ ngx_ssl_ocsp_validate(ngx_connection_t *c)
     ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
     ocsp->conf = ocf;
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 
     ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
 

src/event/ngx_event_pipe.c

@@ -57,7 +57,9 @@ ngx_event_pipe(ngx_event_pipe_t *p, ngx_int_t do_write)
         do_write = 1;
     }
 
-    if (p->upstream->fd != (ngx_socket_t) -1) {
+    if (p->upstream
+        && p->upstream->fd != (ngx_socket_t) -1)
+    {
         rev = p->upstream->read;
 
         flags = (rev->eof || rev->error) ? NGX_CLOSE_EVENT : 0;
@@ -108,7 +110,9 @@ ngx_event_pipe_read_upstream(ngx_event_pipe_t *p)
     ngx_msec_t    delay;
     ngx_chain_t  *chain, *cl, *ln;
 
-    if (p->upstream_eof || p->upstream_error || p->upstream_done) {
+    if (p->upstream_eof || p->upstream_error || p->upstream_done
+        || p->upstream == NULL)
+    {
         return NGX_OK;
     }