Package: nginx / 1.2.1-2.2+wheezy4
Metadata
Package | Version | Patches format |
---|---|---|
nginx | 1.2.1-2.2+wheezy4 | 3.0 (quilt) |
Patch series
Patch | File | Delta | Description |
---|---|---|---|
perl use dpkg buildflags.patch | src/http/modules/perl/Makefile.PL | 6 5 + 1 - 0 ! | use build flags from environment for perl (dpkg-buildflags). Necessary for hardening flags. |
fix CVE 2013 2070.patch | src/http/modules/ngx_http_proxy_module.c | 4 4 + 0 - 0 ! | fix nginx proxy_pass buffer overflow (CVE-2013-2070) |
fix CVE 2013 4547.patch | src/http/ngx_http_parse.c | 2 2 + 0 - 0 ! | fix CVE-2013-4547 backport of changeset 5446:988c22615014 from the nginx repo. http://hg.nginx.org/nginx/rev/988c22615014 |
fix CVE 2014 3616.patch | src/event/ngx_event_openssl.c | 6 4 + 2 - 0 ! | fix CVE-2014-3616, reuse cached SSL sessions in unrelated contexts |
0005 Resolver fixed possible segmentation fault on DNS fo.patch | src/core/ngx_resolver.c | 2 1 + 1 - 0 ! | resolver: fixed possible segmentation fault on DNS format error. |
0006 Resolver fixed crashes in timeout handler.patch | src/core/ngx_resolver.c | 26 26 + 0 - 0 ! | resolver: fixed crashes in timeout handler. If one or more requests were waiting for a response, then after getting a CNAME response, the timeout event on the first request remained active, pointing to the wrong node with an empty rn->waiting list, and that could cause either null pointer dereference or use-after-free memory access if this timeout expired. If several requests were waiting for a response, and the first request terminated (e.g., due to client closing a connection), other requests were left without a timeout and could potentially wait indefinitely. This is fixed by introducing per-request independent timeouts. This change also reverts 954867a2f0a6 and 5004210e8c78. |
0007 Resolver fixed CNAME processing for several requests.patch | src/core/ngx_resolver.c | 21 15 + 6 - 0 ! | resolver: fixed CNAME processing for several requests. When several requests were waiting for a response, then after getting a CNAME response only the last request was properly processed, while others were left waiting. |
0008 Resolver changed the ngx_resolver_create_ _query arg.patch | src/core/ngx_resolver.c | 36 19 + 17 - 0 ! | resolver: changed the ngx_resolver_create_*_query() arguments. No functional changes. This is needed by the following change. |
0009 Resolver fixed use after free memory accesses with C.patch | src/core/ngx_resolver.c | 52 33 + 19 - 0 ! | resolver: fixed use-after-free memory accesses with CNAME. When several requests were waiting for a response, then after getting a CNAME response only the last request's context had the name updated. Contexts of other requests had the wrong name. This name was used by ngx_resolve_name_done() to find the node to remove the request context from. When the name was wrong, the request could not be properly cancelled, its context was freed but stayed linked to the node's waiting list. This happened e.g. when the first request was aborted or timed out before the resolving completed. When it completed, this triggered a use-after-free memory access by calling ctx->handler of already freed request context. The bug manifests itself by "could not cancel <name> resolving" alerts in error_log. When a request was responded with a CNAME, the request context kept the pointer to the original node's rn->u.cname. If the original node expired before the resolving timed out or completed with an error, this would trigger a use-after-free memory access via ctx->name in ctx->handler(). The fix is to keep ctx->name unmodified. The name from context is no longer used by ngx_resolve_name_done(). Instead, we now keep the pointer to resolver node to which this request is linked. Keeping the original name intact also improves logging. |
0010 Resolver limited CNAME recursion.patch | src/core/ngx_resolver.c | 22 19 + 3 - 0 ! | resolver: limited CNAME recursion. Previously, the recursion was only limited for cached responses. |