pdate nginx to v1.27.3

CHANGES

@@ -1,4 +1,31 @@
 
+Changes with nginx 1.27.3                                        26 Nov 2024
+
+    *) Feature: the "server" directive in the "upstream" block supports the
+       "resolve" parameter.
+
+    *) Feature: the "resolver" and "resolver_timeout" directives in the
+       "upstream" block.
+
+    *) Feature: SmarterMail specific mode support for IMAP LOGIN with
+       untagged CAPABILITY response in the mail proxy module.
+
+    *) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
+
+    *) Change: an IPv6 address in square brackets and no port can be
+       specified in the "proxy_bind", "fastcgi_bind", "grpc_bind",
+       "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as
+       client address in ngx_http_realip_module.
+
+    *) Bugfix: in the ngx_http_mp4_module.
+       Thanks to Nils Bars.
+
+    *) Bugfix: the "so_keepalive" parameter of the "listen" directive might
+       be handled incorrectly on DragonFly BSD.
+
+    *) Bugfix: in the "proxy_store" directive.
+
+
 Changes with nginx 1.27.2                                        02 Oct 2024
 
     *) Feature: SSL certificates, secret keys, and CRLs are now cached on

CHANGES.ru

@@ -1,4 +1,30 @@
 
+Изменения в nginx 1.27.3                                          26.11.2024
+
+    *) Добавление: директива server в блоке upstream поддерживает параметр
+       resolve.
+
+    *) Добавление: директивы resolver и resolver_timeout в блоке upstream.
+
+    *) Добавление: поддержка SmarterMail-специфичного режима IMAP LOGIN с
+       нетегированным ответом CAPABILITY в почтовом прокси-сервере.
+
+    *) Изменение: теперь протоколы TLSv1 и TLSv1.1 по умолчанию запрещены.
+
+    *) Изменение: IPv6-адрес в квадратных скобках без порта теперь можно
+       указывать в директивах proxy_bind, fastcgi_bind, grpc_bind,
+       memcached_bind, scgi_bind и uwsgi_bind, а также как адрес клиента в
+       модуле ngx_http_realip_module.
+
+    *) Исправление: в модуле ngx_http_mp4_module.
+       Спасибо Nils Bars.
+
+    *) Исправление: параметр so_keepalive директивы listen мог работать
+       некорректно на DragonFly BSD.
+
+    *) Исправление: в директиве proxy_store.
+
+
 Изменения в nginx 1.27.2                                          02.10.2024
 
     *) Добавление: SSL-сертификаты, секретные ключи и списки CRL теперь

README.md

@@ -80,4 +80,4 @@ server {
 }
 
 
-```
+```

SECURITY.md

@@ -1,20 +1,104 @@
 # Security Policy
 
-## Latest Versions
-
-We advise users to run the most recent mainline or stable release of nginx.
+This document provides an overview of security concerns related to nginx
+deployments, focusing on confidentiality, integrity, availability, and the
+implications of configurations and misconfigurations.
 
 ## Reporting a Vulnerability
 
 Please report any vulnerabilities via one of the following methods
 (in order of preference):
 
 1. [Report a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
-within this repository. We are using the Github workflow that allows us to
-manage vulnerabilities in a private manner and to interact with reporters
+within this repository. We are using the GitHub workflow that allows us to
+manage vulnerabilities in a private manner and interact with reporters
 securely.
 
 2. [Report directly to F5](https://www.f5.com/services/support/report-a-vulnerability).
 
 3. Report via email to [email protected].
 This method will be deprecated in the future.
+
+### Vulnerability Disclosure and Fix Process
+
+The nginx team expects that all suspected vulnerabilities be reported
+privately via the
+[Reporting a Vulnerability](SECURITY.md#reporting-a-vulnerability) guidelines.
+If a publicly released vulnerability is reported, we
+may request to handle it according to the private disclosure process.
+If the reporter agrees, we will follow the private disclosure process.
+
+Security fixes will be applied to all supported stable releases, as well
+as the mainline version, as applicable. We recommend using the most recent
+mainline or stable release of nginx. Fixes are created and tested by the core
+team using a GitHub private fork for security. If necessary, the reporter
+may be invited to contribute to the fork and assist with the solution.
+
+The nginx team is committed to responsible information disclosure with
+sufficient detail, such as the CVSS score and vector. Privately disclosed
+vulnerabilities are embargoed by default until the fix is released.
+Communications and fixes remain private until made public. As nginx is
+supported by F5, we generally follow the
+[F5 security vulnerability response policy](https://my.f5.com/manage/s/article/K4602).
+
+### Vulnerability Disclosure and Fix Service Level Objectives
+
+- We will acknowledge all vulnerability reports within 1 to 3 days.
+- Fixes will be developed and released within 90 days from the date of
+disclosure. If an extension is needed, we will work with the disclosing person.
+- Publicly disclosed (i.e., Zero-Day vulnerabilities) will be addressed ASAP.
+
+## Confidentiality, Integrity, and Availability
+
+### Confidentiality and Integrity
+
+Vulnerabilities compromising data confidentiality or integrity are considered
+the highest priority. Any issue leading to unauthorized data access, leaks, or
+manipulation will trigger the security release process.
+
+### Availability
+
+Availability issues must meet the following criteria to trigger the security
+release process:
+- Is present in a standard module included with nginx.
+- Arises from traffic that the module is designed to handle.
+- Resource exhaustion issues are not mitigated by existing timeout, rate
+limiting, or buffer size configurations, or applying changes is impractical.
+- Results in highly asymmetric, extreme resource consumption.
+
+Availability issues excluded from the security release process:
+- Local file content or upstream response content resulting only in worker
+process termination.
+- Issues with experimental features which result only in worker process
+termination.
+
+## Trusted Configurations and Misconfigurations
+
+In nginx, configuration files, modules, certificate/key pairs, nginx JavaScript,
+and local file content are considered trusted sources. Issues arising from
+loading or execution of these trusted components are not considered
+vulnerabilities. Operators are responsible for securing and maintaining the
+integrity of these sources. Misconfigurations can create vulnerabilities, and
+operators should implement configurations according to best practices, review
+them regularly, and apply security updates.
+
+## Data Plane vs. Control Plane
+
+The data plane handles traffic through nginx, directly interacting with user
+data. nginx inherently trusts the content and instructions from upstream
+servers. The control plane governs configuration, management, and orchestration.
+Misconfigurations or vulnerabilities in the control plane can cause improper
+behavior in the data plane.
+
+## Modules Under Scope
+
+The policy applies to all nginx modules included in this repository. Security
+considerations and attack vectors for each module will be identified, with
+recommended configurations to mitigate risks.
+
+## Debug Logging and Core Files
+
+Debug logs and core files produced by nginx may contain un-sanitized data,
+including sensitive information like client requests, server configurations,
+and private key material. These artifacts must be handled carefully to avoid
+exposing confidential data.

auto/lib/pcre/make

@@ -36,7 +36,8 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                        pcre2_valid_utf.c \
                        pcre2_xclass.c"
 
-        ngx_pcre_test="pcre2_convert.c \
+        ngx_pcre_test="pcre2_chkdint.c \
+                       pcre2_convert.c \
                        pcre2_extuni.c \
                        pcre2_find_bracket.c \
                        pcre2_script_run.c \

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1027002
-#define NGINX_VERSION      "1.27.2"
+#define nginx_version      1027003
+#define NGINX_VERSION      "1.27.3"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/core/ngx_cycle.c

@@ -38,7 +38,7 @@ static ngx_connection_t  dumb;
 ngx_cycle_t *
 ngx_init_cycle(ngx_cycle_t *old_cycle)
 {
-    void                *rv;
+    void                *rv, *data;
     char               **senv;
     ngx_uint_t           i, n;
     ngx_log_t           *log;
@@ -438,6 +438,8 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
         opart = &old_cycle->shared_memory.part;
         oshm_zone = opart->elts;
 
+        data = NULL;
+
         for (n = 0; /* void */ ; n++) {
 
             if (n >= opart->nelts) {
@@ -461,9 +463,13 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
                 continue;
             }
 
+            if (shm_zone[i].tag == oshm_zone[n].tag && shm_zone[i].noreuse) {
+                data = oshm_zone[n].data;
+                break;
+            }
+
             if (shm_zone[i].tag == oshm_zone[n].tag
-                && shm_zone[i].shm.size == oshm_zone[n].shm.size
-                && !shm_zone[i].noreuse)
+                && shm_zone[i].shm.size == oshm_zone[n].shm.size)
             {
                 shm_zone[i].shm.addr = oshm_zone[n].shm.addr;
 #if (NGX_WIN32)
@@ -490,7 +496,7 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
             goto failed;
         }
 
-        if (shm_zone[i].init(&shm_zone[i], NULL) != NGX_OK) {
+        if (shm_zone[i].init(&shm_zone[i], data) != NGX_OK) {
             goto failed;
         }
 

src/core/ngx_inet.c

@@ -639,7 +639,11 @@ ngx_parse_addr_port(ngx_pool_t *pool, ngx_addr_t *addr, u_char *text,
 
         p = ngx_strlchr(text, last, ']');
 
-        if (p == NULL || p == last - 1 || *++p != ':') {
+        if (p == last - 1) {
+            return ngx_parse_addr(pool, addr, text + 1, len - 2);
+        }
+
+        if (p == NULL || *++p != ':') {
             return NGX_DECLINED;
         }
 

src/event/ngx_event_openssl.c

@@ -1347,7 +1347,7 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 
     if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data);
+                      "SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed", file->data);
 #if (OPENSSL_VERSION_NUMBER >= 0x3000001fL)
         EVP_PKEY_free(dh);
 #endif

src/event/ngx_event_openssl.h

@@ -187,6 +187,13 @@ typedef struct {
 #define NGX_SSL_TLSv1_3  0x0040
 
 
+#if (defined SSL_OP_NO_TLSv1_2 || defined SSL_OP_NO_TLSv1_3)
+#define NGX_SSL_DEFAULT_PROTOCOLS  (NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3)
+#else
+#define NGX_SSL_DEFAULT_PROTOCOLS  (NGX_SSL_TLSv1|NGX_SSL_TLSv1_1)
+#endif
+
+
 #define NGX_SSL_BUFFER   1
 #define NGX_SSL_CLIENT   2
 

src/event/ngx_event_openssl_cache.c

@@ -138,6 +138,8 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
     ngx_ssl_cache_type_t  *type;
     ngx_ssl_cache_node_t  *cn;
 
+    *err = NULL;
+
     if (ngx_ssl_cache_init_key(cf->pool, index, path, &id) != NGX_OK) {
         return NULL;
     }
@@ -183,6 +185,8 @@ ngx_ssl_cache_connection_fetch(ngx_pool_t *pool, ngx_uint_t index, char **err,
 {
     ngx_ssl_cache_key_t  id;
 
+    *err = NULL;
+
     if (ngx_ssl_cache_init_key(pool, index, path, &id) != NGX_OK) {
         return NULL;
     }

src/event/quic/ngx_event_quic_ack.c

@@ -631,13 +631,12 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
         case NGX_QUIC_FT_STREAM:
             qs = ngx_quic_find_stream(&qc->streams.tree, f->u.stream.stream_id);
 
-            if (qs) {
-                if (qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
-                    || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
-                {
-                    ngx_quic_free_frame(c, f);
-                    break;
-                }
+            if (qs == NULL
+                || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
+                || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
+            {
+                ngx_quic_free_frame(c, f);
+                break;
             }
 
             /* fall through */

src/event/quic/ngx_event_quic_openssl_compat.c

@@ -391,6 +391,7 @@ SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
 
     wbio = BIO_new(BIO_s_null());
     if (wbio == NULL) {
+        BIO_free(rbio);
         return 0;
     }