Package: nginx / 1.10.3-1+deb9u1~bpo8+2

Metadata

Package   Version                   Patches format
nginx     1.10.3-1+deb9u1~bpo8+2    3.0 (quilt)

Patch series

Patch | File delta | Description
perl use dpkg buildflags.patch

src/http/modules/perl/Makefile.PL | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 use linker flags from environment for perl (dpkg-buildflags).
 Necessary for hardening flags.

0002 Make sure signature stays the same in all nginx buil.patch

configure | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 make sure signature stays the same in all nginx builds

NGX_HTTP_HEADERS is part of nginx signature. When a dyn
module is loaded the signature of the module is compared
to the one of the nginx binary.

dyn modules are built from nginx-full, so in order to make
them loadable in other flavors we need to make sure all the
binaries share the same signature.

0003 define_gnu_source on other glibc based platforms.patch

src/os/unix/ngx_posix_config.h | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 use _gnu_source on gnu/kfreebsd

Define _GNU_SOURCE not only on GNU/Hurd, but also other glibc-based
platforms including GNU/kFreeBSD.

0004 SSL error messages style.patch

src/event/ngx_event_openssl.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 ssl: error messages style.


0005 SSL style.patch

src/event/ngx_event_openssl.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 ssl: style.


0006 SSL support for multiple curves ticket 885.patch

src/event/ngx_event_openssl.c | 53 48 + 5 - 0 !
src/http/modules/ngx_http_ssl_module.c | 2 1 + 1 - 0 !
src/mail/ngx_mail_ssl_module.c | 2 1 + 1 - 0 !
src/stream/ngx_stream_ssl_module.c | 2 1 + 1 - 0 !
4 files changed, 51 insertions(+), 8 deletions(-)

 ssl: support for multiple curves (ticket #885).

OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve

CVE 2017 7529 Range filter.patch

src/http/modules/ngx_http_range_filter_module.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] range filter: protect from total size overflows.

The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2).  Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check).  These can result in the following errors in logs:

[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)

When using cache, it can also be used to reveal the cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.

In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer.  This never happens with standard nginx modules
though, as well as known 3rd party modules.

Fix is to properly protect from possible overflow when incrementing size.
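
The kind of guard the last sentence describes, as an added C example that is not the patch itself or nginx's own code: an unguarded running total of range lengths beside one that checks the remaining headroom before each addition. The type, function and constant names and the sample ranges are assumptions made for illustration, and every range is assumed to have start <= end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; none are nginx identifiers. */
typedef struct { int64_t start, end; } byte_range;  /* half-open [start, end) */
enum { RANGES_OK, RANGES_SERVE_FULL, RANGES_REJECT };

/* Model of the unguarded sum. Signed overflow is undefined in C, so the
 * wrap is made explicit through uint64_t (GCC and Clang wrap on the cast
 * back). Assumes start <= end for every range. */
static int total_unguarded(const byte_range *r, size_t n, int64_t body_len)
{
    int64_t size = 0;
    for (size_t i = 0; i < n; i++)
        size = (int64_t) ((uint64_t) size + (uint64_t) (r[i].end - r[i].start));
    /* Total-size restriction: asking for more than the body gets a plain 200. */
    return size > body_len ? RANGES_SERVE_FULL : RANGES_OK;
}

/* Guarded sum: compare against the remaining headroom before adding. */
static int total_guarded(const byte_range *r, size_t n, int64_t body_len)
{
    int64_t size = 0;
    for (size_t i = 0; i < n; i++) {
        int64_t len = r[i].end - r[i].start;
        if (size > INT64_MAX - len)
            return RANGES_REJECT;            /* total would not fit in int64_t */
        size += len;
    }
    return size > body_len ? RANGES_SERVE_FULL : RANGES_OK;
}

/* Constructed sample: two lengths of 2^62 sum to 2^63, one past INT64_MAX. */
static const byte_range SAMPLE_WRAP[2] = {
    { 0, (int64_t) 1 << 62 }, { 0, (int64_t) 1 << 62 },
};

int main(void)
{
    printf("unguarded=%d guarded=%d\n",
           total_unguarded(SAMPLE_WRAP, 2, 1000),
           total_guarded(SAMPLE_WRAP, 2, 1000));
    return 0;
}
```

With the constructed sample the unguarded total wraps to a negative value and slips under the total-size restriction, while the guarded version rejects the request before the addition takes place.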