Changes with nginx 1.7.5 16 Sep 2014

    *) Security: it was possible to reuse SSL sessions in unrelated contexts
       if a shared SSL session cache or the same TLS session ticket key was
       used for multiple "server" blocks (CVE-2014-3616).
       Thanks to Antoine Delignat-Lavaud.

    *) Change: now the "stub_status" directive does not require a parameter.

    *) Feature: the "always" parameter of the "add_header" directive.

    *) Feature: the "proxy_next_upstream_tries",
       "proxy_next_upstream_timeout", "fastcgi_next_upstream_tries",
       "fastcgi_next_upstream_timeout", "memcached_next_upstream_tries",
       "memcached_next_upstream_timeout", "scgi_next_upstream_tries",
       "scgi_next_upstream_timeout", "uwsgi_next_upstream_tries", and
       "uwsgi_next_upstream_timeout" directives.

    *) Bugfix: in the "if" parameter of the "access_log" directive.

    *) Bugfix: in the ngx_http_perl_module.
       Thanks to Piotr Sikora.

    *) Bugfix: the "listen" directive of the mail proxy module did not allow
       to specify more than two parameters.

    *) Bugfix: the "sub_filter" directive did not work with a string to
       replace consisting of a single character.

    *) Bugfix: requests might hang if resolver was used and a timeout
       occurred during a DNS request.

    *) Bugfix: in the ngx_http_spdy_module when using with AIO.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "set" directive was used to change the "$http_...", "$sent_http_...",
       or "$upstream_http_..." variables.

    *) Bugfix: in memory allocation error handling.
       Thanks to Markus Linnala and Feng Gu.

CHANGES

@@ -1,4 +1,46 @@
 
+Changes with nginx 1.7.5                                         16 Sep 2014
+
+    *) Security: it was possible to reuse SSL sessions in unrelated contexts
+       if a shared SSL session cache or the same TLS session ticket key was
+       used for multiple "server" blocks (CVE-2014-3616).
+       Thanks to Antoine Delignat-Lavaud.
+
+    *) Change: now the "stub_status" directive does not require a parameter.
+
+    *) Feature: the "always" parameter of the "add_header" directive.
+
+    *) Feature: the "proxy_next_upstream_tries",
+       "proxy_next_upstream_timeout", "fastcgi_next_upstream_tries",
+       "fastcgi_next_upstream_timeout", "memcached_next_upstream_tries",
+       "memcached_next_upstream_timeout", "scgi_next_upstream_tries",
+       "scgi_next_upstream_timeout", "uwsgi_next_upstream_tries", and
+       "uwsgi_next_upstream_timeout" directives.
+
+    *) Bugfix: in the "if" parameter of the "access_log" directive.
+
+    *) Bugfix: in the ngx_http_perl_module.
+       Thanks to Piotr Sikora.
+
+    *) Bugfix: the "listen" directive of the mail proxy module did not allow
+       to specify more than two parameters.
+
+    *) Bugfix: the "sub_filter" directive did not work with a string to
+       replace consisting of a single character.
+
+    *) Bugfix: requests might hang if resolver was used and a timeout
+       occurred during a DNS request.
+
+    *) Bugfix: in the ngx_http_spdy_module when using with AIO.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if the
+       "set" directive was used to change the "$http_...", "$sent_http_...",
+       or "$upstream_http_..." variables.
+
+    *) Bugfix: in memory allocation error handling.
+       Thanks to Markus Linnala and Feng Gu.
+
+
 Changes with nginx 1.7.4                                         05 Aug 2014
 
     *) Security: pipelined commands were not discarded after STARTTLS

CHANGES.ru

@@ -1,4 +1,49 @@
 
+Изменения в nginx 1.7.5                                           16.09.2014
+
+    *) Безопасность: при использовании общего для нескольких блоков server
+       разделяемого кэша SSL-сессий или общего ключа для шифрования TLS
+       session tickets было возможно повторно использовать SSL-сессию в
+       контексте другого блока server (CVE-2014-3616).
+       Спасибо Antoine Delignat-Lavaud.
+
+    *) Изменение: директиву stub_status теперь можно указывать без
+       параметров.
+
+    *) Добавление: параметр always директивы add_header.
+
+    *) Добавление: директивы proxy_next_upstream_tries,
+       proxy_next_upstream_timeout, fastcgi_next_upstream_tries,
+       fastcgi_next_upstream_timeout, memcached_next_upstream_tries,
+       memcached_next_upstream_timeout, scgi_next_upstream_tries,
+       scgi_next_upstream_timeout, uwsgi_next_upstream_tries и
+       uwsgi_next_upstream_timeout.
+
+    *) Исправление: в параметре if директивы access_log.
+
+    *) Исправление: в модуле ngx_http_perl_module.
+       Спасибо Piotr Sikora.
+
+    *) Исправление: директива listen почтового прокси-сервера не позволяла
+       указать более двух параметров.
+
+    *) Исправление: директива sub_filter не работала с заменяемой строкой из
+       одного символа.
+
+    *) Исправление: запросы могли зависать, если использовался resolver и в
+       процессе обращения к DNS-серверу происходил таймаут.
+
+    *) Исправление: в модуле ngx_http_spdy_module при использовании
+       совместно с AIO.
+
+    *) Исправление: в рабочем процессе мог произойти segmentation fault,
+       если с помощью директивы set изменялись переменные "$http_...",
+       "$sent_http_..." или "$upstream_http_...".
+
+    *) Исправление: в обработке ошибок выделения памяти.
+       Спасибо Markus Linnala и Feng Gu.
+
+
 Изменения в nginx 1.7.4                                           05.08.2014
 
     *) Безопасность: pipelined-команды не отбрасывались после команды

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1007004
-#define NGINX_VERSION      "1.7.4"
+#define nginx_version      1007005
+#define NGINX_VERSION      "1.7.5"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/core/ngx_connection.c

@@ -951,40 +951,21 @@ ngx_close_connection(ngx_connection_t *c)
      * before we clean the connection
      */
 
-    ngx_mutex_lock(ngx_posted_events_mutex);
-
-    if (c->read->prev) {
-        ngx_delete_posted_event(c->read);
-    }
-
-    if (c->write->prev) {
-        ngx_delete_posted_event(c->write);
-    }
-
-    c->read->closed = 1;
-    c->write->closed = 1;
-
     ngx_unlock(&c->lock);
-    c->read->locked = 0;
-    c->write->locked = 0;
 
-    ngx_mutex_unlock(ngx_posted_events_mutex);
-
-#else
+#endif
 
-    if (c->read->prev) {
+    if (c->read->posted) {
         ngx_delete_posted_event(c->read);
     }
 
-    if (c->write->prev) {
+    if (c->write->posted) {
         ngx_delete_posted_event(c->write);
     }
 
     c->read->closed = 1;
     c->write->closed = 1;
 
-#endif
-
     ngx_reusable_connection(c, 0);
 
     log_error = c->log_error;

src/core/ngx_regex.c

@@ -149,7 +149,7 @@ ngx_regex_compile(ngx_regex_compile_t *rc)
 
     rc->regex = ngx_pcalloc(rc->pool, sizeof(ngx_regex_t));
     if (rc->regex == NULL) {
-        return NGX_ERROR;
+        goto nomem;
     }
 
     rc->regex->code = re;
@@ -159,7 +159,7 @@ ngx_regex_compile(ngx_regex_compile_t *rc)
     if (ngx_pcre_studies != NULL) {
         elt = ngx_list_push(ngx_pcre_studies);
         if (elt == NULL) {
-            return NGX_ERROR;
+            goto nomem;
         }
 
         elt->regex = rc->regex;
@@ -204,7 +204,15 @@ ngx_regex_compile(ngx_regex_compile_t *rc)
 
     rc->err.len = ngx_snprintf(rc->err.data, rc->err.len, p, &rc->pattern, n)
                   - rc->err.data;
-    return NGX_OK;
+    return NGX_ERROR;
+
+nomem:
+
+    rc->err.len = ngx_snprintf(rc->err.data, rc->err.len,
+                               "regex \"%V\" compilation failed: no memory",
+                               &rc->pattern)
+                  - rc->err.data;
+    return NGX_ERROR;
 }
 
 

src/core/ngx_resolver.c

@@ -417,7 +417,7 @@ ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
 
     /* lock name mutex */
 
-    if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
+    if (ctx->state == NGX_AGAIN) {
 
         hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
 
@@ -664,7 +664,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
         }
 
         ctx->event->handler = ngx_resolver_timeout_handler;
-        ctx->event->data = ctx;
+        ctx->event->data = rn;
         ctx->event->log = r->log;
         ctx->ident = -1;
 
@@ -857,7 +857,7 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
     }
 
     ctx->event->handler = ngx_resolver_timeout_handler;
-    ctx->event->data = ctx;
+    ctx->event->data = rn;
     ctx->event->log = r->log;
     ctx->ident = -1;
 
@@ -949,7 +949,7 @@ ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
 
     /* lock addr mutex */
 
-    if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
+    if (ctx->state == NGX_AGAIN) {
 
         switch (ctx->addr.sockaddr->sa_family) {
 
@@ -2790,13 +2790,21 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
 static void
 ngx_resolver_timeout_handler(ngx_event_t *ev)
 {
-    ngx_resolver_ctx_t  *ctx;
+    ngx_resolver_ctx_t   *ctx, *next;
+    ngx_resolver_node_t  *rn;
 
-    ctx = ev->data;
+    rn = ev->data;
+    ctx = rn->waiting;
+    rn->waiting = NULL;
+
+    do {
+        ctx->state = NGX_RESOLVE_TIMEDOUT;
+        next = ctx->next;
 
-    ctx->state = NGX_RESOLVE_TIMEDOUT;
+        ctx->handler(ctx);
 
-    ctx->handler(ctx);
+        ctx = next;
+    } while (ctx);
 }
 
 
@@ -3074,17 +3082,6 @@ ngx_udp_connect(ngx_udp_connection_t *uc)
 
     c->number = ngx_atomic_fetch_add(ngx_connection_counter, 1);
 
-#if (NGX_THREADS)
-
-    /* TODO: lock event when call completion handler */
-
-    rev->lock = &c->lock;
-    wev->lock = &c->lock;
-    rev->own_lock = &c->lock;
-    wev->own_lock = &c->lock;
-
-#endif
-
     ngx_log_debug3(NGX_LOG_DEBUG_EVENT, &uc->log, 0,
                    "connect to %V, fd:%d #%uA", &uc->server, s, c->number);
 

src/event/modules/ngx_devpoll_module.c

@@ -344,7 +344,8 @@ ngx_devpoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer,
     ngx_err_t           err;
     ngx_int_t           i;
     ngx_uint_t          level, instance;
-    ngx_event_t        *rev, *wev, **queue;
+    ngx_event_t        *rev, *wev;
+    ngx_queue_t        *queue;
     ngx_connection_t   *c;
     struct pollfd       pfd;
     struct dvpoll       dvp;
@@ -404,8 +405,6 @@ ngx_devpoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer,
         return NGX_ERROR;
     }
 
-    ngx_mutex_lock(ngx_posted_events_mutex);
-
     for (i = 0; i < events; i++) {
 
         fd = event_list[i].fd;
@@ -495,19 +494,13 @@ ngx_devpoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer,
         rev = c->read;
 
         if ((revents & POLLIN) && rev->active) {
-
-            if ((flags & NGX_POST_THREAD_EVENTS) && !rev->accept) {
-                rev->posted_ready = 1;
-
-            } else {
-                rev->ready = 1;
-            }
+            rev->ready = 1;
 
             if (flags & NGX_POST_EVENTS) {
-                queue = (ngx_event_t **) (rev->accept ?
-                               &ngx_posted_accept_events : &ngx_posted_events);
+                queue = rev->accept ? &ngx_posted_accept_events
+                                    : &ngx_posted_events;
 
-                ngx_locked_post_event(rev, queue);
+                ngx_post_event(rev, queue);
 
             } else {
                 instance = rev->instance;
@@ -523,25 +516,17 @@ ngx_devpoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer,
         wev = c->write;
 
         if ((revents & POLLOUT) && wev->active) {
-
-            if (flags & NGX_POST_THREAD_EVENTS) {
-                wev->posted_ready = 1;
-
-            } else {
-                wev->ready = 1;
-            }
+            wev->ready = 1;
 
             if (flags & NGX_POST_EVENTS) {
-                ngx_locked_post_event(wev, &ngx_posted_events);
+                ngx_post_event(wev, &ngx_posted_events);
 
             } else {
                 wev->handler(wev);
             }
         }
     }
 
-    ngx_mutex_unlock(ngx_posted_events_mutex);
-
     return NGX_OK;
 }