Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2017-01-31 12:48:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2017-01-10 10:49:45.670265104 +0100 +++ /work/SRC/openSUSE:Factory/.nginx.new/nginx.changes 2017-02-03 17:51:12.798085634 +0100 @@ -1,0 +2,24 @@ +Mon Jan 30 14:07:32 UTC 2017 - mrueck...@suse.de + +- update to 1.11.9 + - Bugfix: nginx might hog CPU when using the stream module; the + bug had appeared in 1.11.5. + - Bugfix: EXTERNAL authentication mechanism in mail proxy was + accepted even if it was not enabled in the configuration. + - Bugfix: a segmentation fault might occur in a worker process if + the "ssl_verify_client" directive of the stream module was + used. + - Bugfix: the "ssl_verify_client" directive of the stream module + might not work. + - Bugfix: closing keepalive connections due to no free worker + connections might be too aggressive. Thanks to Joel + Cunningham. + - Bugfix: an incorrect response might be returned when using the + "sendfile" directive on FreeBSD and macOS; the bug had appeared + in 1.7.8. + - Bugfix: a truncated response might be stored in cache when + using the "aio_write" directive. + - Bugfix: a socket leak might occur when using the "aio_write" + directive. + +------------------------------------------------------------------- Old: ---- nginx-1.11.8.tar.gz New: ---- nginx-1.11.9.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.uXYgrL/_old 2017-02-03 17:51:13.769948609 +0100 +++ /var/tmp/diff_new_pack.uXYgrL/_new 2017-02-03 17:51:13.773948045 +0100 @@ -64,7 +64,7 @@ %define ngx_doc_dir %{_datadir}/doc/packages/%{name} # Name: nginx -Version: 1.11.8 +Version: 1.11.9 Release: 0 %define ngx_fancyindex_version 0.4.1 %define ngx_fancyindex_module_path ngx-fancyindex-%{ngx_fancyindex_version} @@ -171,7 +171,6 @@ sed -i "s/\/var\/run/\/run/" conf/nginx.conf %endif - %build ./configure \ --prefix=%{ngx_prefix}/ \ ++++++ nginx-1.11.8.tar.gz -> nginx-1.11.9.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/CHANGES new/nginx-1.11.9/CHANGES --- old/nginx-1.11.8/CHANGES 2016-12-27 15:23:14.000000000 +0100 +++ new/nginx-1.11.9/CHANGES 2017-01-24 15:02:25.000000000 +0100 @@ -1,4 +1,33 @@ +Changes with nginx 1.11.9 24 Jan 2017 + + *) Bugfix: nginx might hog CPU when using the stream module; the bug had + appeared in 1.11.5. + + *) Bugfix: EXTERNAL authentication mechanism in mail proxy was accepted + even if it was not enabled in the configuration. + + *) Bugfix: a segmentation fault might occur in a worker process if the + "ssl_verify_client" directive of the stream module was used. + + *) Bugfix: the "ssl_verify_client" directive of the stream module might + not work. + + *) Bugfix: closing keepalive connections due to no free worker + connections might be too aggressive. + Thanks to Joel Cunningham. + + *) Bugfix: an incorrect response might be returned when using the + "sendfile" directive on FreeBSD and macOS; the bug had appeared in + 1.7.8. + + *) Bugfix: a truncated response might be stored in cache when using the + "aio_write" directive. + + *) Bugfix: a socket leak might occur when using the "aio_write" + directive. + + Changes with nginx 1.11.8 27 Dec 2016 *) Feature: the "absolute_redirect" directive. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/CHANGES.ru new/nginx-1.11.9/CHANGES.ru --- old/nginx-1.11.8/CHANGES.ru 2016-12-27 15:23:12.000000000 +0100 +++ new/nginx-1.11.9/CHANGES.ru 2017-01-24 15:02:23.000000000 +0100 @@ -1,4 +1,32 @@ +Изменения в nginx 1.11.9 24.01.2017 + + *) Исправление: при использовании модуля stream nginx мог нагружать + процессор; ошибка появилась в 1.11.5. + + *) Исправление: метод аутентификации EXTERNAL в почтовом прокси-сервере + можно было использовать, даже если он не был разрешён в конфигурации. + + *) Исправление: при использовании директивы ssl_verify_client модуля + stream в рабочем процессе мог произойти segmentation fault. + + *) Исправление: директива ssl_verify_client модуля stream могла не + работать. + + *) Исправление: при исчерпании рабочим процессом свободных соединений + keepalive-соединения могли закрываться излишне агрессивно. + Спасибо Joel Cunningham. + + *) Исправление: при использовании директивы sendfile на FreeBSD и macOS + мог возвращаться некорректный ответ; ошибка появилась в 1.7.8. + + *) Исправление: при использовании директивы aio_write ответ мог + сохраняться в кэш не полностью. + + *) Исправление: при использовании директивы aio_write могла происходить + утечка сокетов. + + Изменения в nginx 1.11.8 27.12.2016 *) Добавление: директива absolute_redirect. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/LICENSE new/nginx-1.11.9/LICENSE --- old/nginx-1.11.8/LICENSE 2016-12-27 15:23:08.000000000 +0100 +++ new/nginx-1.11.9/LICENSE 2017-01-24 15:02:19.000000000 +0100 @@ -1,6 +1,6 @@ /* - * Copyright (C) 2002-2016 Igor Sysoev - * Copyright (C) 2011-2016 Nginx, Inc. + * Copyright (C) 2002-2017 Igor Sysoev + * Copyright (C) 2011-2017 Nginx, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/core/nginx.h new/nginx-1.11.9/src/core/nginx.h --- old/nginx-1.11.8/src/core/nginx.h 2016-12-27 15:23:08.000000000 +0100 +++ new/nginx-1.11.9/src/core/nginx.h 2017-01-24 15:02:19.000000000 +0100 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1011008 -#define NGINX_VERSION "1.11.8" +#define nginx_version 1011009 +#define NGINX_VERSION "1.11.9" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/core/ngx_buf.c new/nginx-1.11.9/src/core/ngx_buf.c --- old/nginx-1.11.8/src/core/ngx_buf.c 2016-12-27 15:23:08.000000000 +0100 +++ new/nginx-1.11.9/src/core/ngx_buf.c 2017-01-24 15:02:19.000000000 +0100 @@ -246,6 +246,9 @@ if (aligned <= cl->buf->file_last) { size = aligned - cl->buf->file_pos; } + + total += size; + break; } total += size; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/core/ngx_connection.c new/nginx-1.11.9/src/core/ngx_connection.c --- old/nginx-1.11.8/src/core/ngx_connection.c 2016-12-27 15:23:08.000000000 +0100 +++ new/nginx-1.11.9/src/core/ngx_connection.c 2017-01-24 15:02:19.000000000 +0100 @@ -13,7 +13,7 @@ ngx_os_io_t ngx_io; -static void ngx_drain_connections(void); +static void ngx_drain_connections(ngx_cycle_t *cycle); ngx_listening_t * @@ -1046,7 +1046,7 @@ c = ngx_cycle->free_connections; if (c == NULL) { - ngx_drain_connections(); + ngx_drain_connections((ngx_cycle_t *) ngx_cycle); c = ngx_cycle->free_connections; } @@ -1204,6 +1204,7 @@ if (c->reusable) { ngx_queue_remove(&c->queue); + ngx_cycle->reusable_connections_n--; #if (NGX_STAT_STUB) (void) ngx_atomic_fetch_add(ngx_stat_waiting, -1); @@ -1217,6 +1218,7 @@ ngx_queue_insert_head( (ngx_queue_t *) &ngx_cycle->reusable_connections_queue, &c->queue); + ngx_cycle->reusable_connections_n++; #if (NGX_STAT_STUB) (void) ngx_atomic_fetch_add(ngx_stat_waiting, 1); @@ -1226,18 +1228,20 @@ static void -ngx_drain_connections(void) +ngx_drain_connections(ngx_cycle_t *cycle) { - ngx_int_t i; + ngx_uint_t i, n; ngx_queue_t *q; ngx_connection_t *c; - for (i = 0; i < 32; i++) { - if (ngx_queue_empty(&ngx_cycle->reusable_connections_queue)) { + n = ngx_max(ngx_min(32, cycle->reusable_connections_n / 8), 1); + + for (i = 0; i < n; i++) { + if (ngx_queue_empty(&cycle->reusable_connections_queue)) { break; } - q = ngx_queue_last(&ngx_cycle->reusable_connections_queue); + q = ngx_queue_last(&cycle->reusable_connections_queue); c = ngx_queue_data(q, ngx_connection_t, queue); ngx_log_debug0(NGX_LOG_DEBUG_CORE, c->log, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/core/ngx_cycle.h new/nginx-1.11.9/src/core/ngx_cycle.h --- old/nginx-1.11.8/src/core/ngx_cycle.h 2016-12-27 15:23:08.000000000 +0100 +++ new/nginx-1.11.9/src/core/ngx_cycle.h 2017-01-24 15:02:19.000000000 +0100 @@ -53,6 +53,7 @@ ngx_uint_t modules_used; /* unsigned modules_used:1; */ ngx_queue_t reusable_connections_queue; + ngx_uint_t reusable_connections_n; ngx_array_t listening; ngx_array_t paths; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/event/ngx_event_pipe.c new/nginx-1.11.9/src/event/ngx_event_pipe.c --- old/nginx-1.11.8/src/event/ngx_event_pipe.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/event/ngx_event_pipe.c 2017-01-24 15:02:19.000000000 +0100 @@ -113,11 +113,24 @@ } #if (NGX_THREADS) + if (p->aio) { ngx_log_debug0(NGX_LOG_DEBUG_EVENT, p->log, 0, "pipe read upstream: aio"); return NGX_AGAIN; } + + if (p->writing) { + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, p->log, 0, + "pipe read upstream: writing"); + + rc = ngx_event_pipe_write_chain_to_temp_file(p); + + if (rc != NGX_OK) { + return rc; + } + } + #endif ngx_log_debug1(NGX_LOG_DEBUG_EVENT, p->log, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/http/ngx_http_upstream.c new/nginx-1.11.9/src/http/ngx_http_upstream.c --- old/nginx-1.11.8/src/http/ngx_http_upstream.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/http/ngx_http_upstream.c 2017-01-24 15:02:19.000000000 +0100 @@ -3848,9 +3848,24 @@ p = u->pipe; #if (NGX_THREADS) + + if (p->writing && !p->aio) { + + /* + * make sure to call ngx_event_pipe() + * if there is an incomplete aio write + */ + + if (ngx_event_pipe(p, 1) == NGX_ABORT) { + ngx_http_upstream_finalize_request(r, u, NGX_ERROR); + return; + } + } + if (p->writing) { return; } + #endif if (u->peer.connection) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/mail/ngx_mail_imap_handler.c new/nginx-1.11.9/src/mail/ngx_mail_imap_handler.c --- old/nginx-1.11.8/src/mail/ngx_mail_imap_handler.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/mail/ngx_mail_imap_handler.c 2017-01-24 15:02:19.000000000 +0100 @@ -356,6 +356,8 @@ } #endif + iscf = ngx_mail_get_module_srv_conf(s, ngx_mail_imap_module); + rc = ngx_mail_auth_parse(s, c); switch (rc) { @@ -383,8 +385,6 @@ case NGX_MAIL_AUTH_CRAM_MD5: - iscf = ngx_mail_get_module_srv_conf(s, ngx_mail_imap_module); - if (!(iscf->auth_methods & NGX_MAIL_AUTH_CRAM_MD5_ENABLED)) { return NGX_MAIL_PARSE_INVALID_COMMAND; } @@ -406,6 +406,10 @@ case NGX_MAIL_AUTH_EXTERNAL: + if (!(iscf->auth_methods & NGX_MAIL_AUTH_EXTERNAL_ENABLED)) { + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ngx_str_set(&s->out, imap_username); s->mail_state = ngx_imap_auth_external; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/mail/ngx_mail_pop3_handler.c new/nginx-1.11.9/src/mail/ngx_mail_pop3_handler.c --- old/nginx-1.11.8/src/mail/ngx_mail_pop3_handler.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/mail/ngx_mail_pop3_handler.c 2017-01-24 15:02:19.000000000 +0100 @@ -501,6 +501,10 @@ case NGX_MAIL_AUTH_EXTERNAL: + if (!(pscf->auth_methods & NGX_MAIL_AUTH_EXTERNAL_ENABLED)) { + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ngx_str_set(&s->out, pop3_username); s->mail_state = ngx_pop3_auth_external; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/mail/ngx_mail_smtp_handler.c new/nginx-1.11.9/src/mail/ngx_mail_smtp_handler.c --- old/nginx-1.11.8/src/mail/ngx_mail_smtp_handler.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/mail/ngx_mail_smtp_handler.c 2017-01-24 15:02:19.000000000 +0100 @@ -609,6 +609,8 @@ return NGX_OK; } + sscf = ngx_mail_get_module_srv_conf(s, ngx_mail_smtp_module); + rc = ngx_mail_auth_parse(s, c); switch (rc) { @@ -636,8 +638,6 @@ case NGX_MAIL_AUTH_CRAM_MD5: - sscf = ngx_mail_get_module_srv_conf(s, ngx_mail_smtp_module); - if (!(sscf->auth_methods & NGX_MAIL_AUTH_CRAM_MD5_ENABLED)) { return NGX_MAIL_PARSE_INVALID_COMMAND; } @@ -659,6 +659,10 @@ case NGX_MAIL_AUTH_EXTERNAL: + if (!(sscf->auth_methods & NGX_MAIL_AUTH_EXTERNAL_ENABLED)) { + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ngx_str_set(&s->out, smtp_username); s->mail_state = ngx_smtp_auth_external; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/os/unix/ngx_darwin_sendfile_chain.c new/nginx-1.11.9/src/os/unix/ngx_darwin_sendfile_chain.c --- old/nginx-1.11.8/src/os/unix/ngx_darwin_sendfile_chain.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/os/unix/ngx_darwin_sendfile_chain.c 2017-01-24 15:02:19.000000000 +0100 @@ -98,7 +98,7 @@ send += file_size; - if (header.count == 0) { + if (header.count == 0 && send < limit) { /* * create the trailer iovec and coalesce the neighbouring bufs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/os/unix/ngx_freebsd_sendfile_chain.c new/nginx-1.11.9/src/os/unix/ngx_freebsd_sendfile_chain.c --- old/nginx-1.11.8/src/os/unix/ngx_freebsd_sendfile_chain.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/os/unix/ngx_freebsd_sendfile_chain.c 2017-01-24 15:02:19.000000000 +0100 @@ -114,15 +114,23 @@ send += file_size; - /* create the trailer iovec and coalesce the neighbouring bufs */ + if (send < limit) { - cl = ngx_output_chain_to_iovec(&trailer, cl, limit - send, c->log); + /* + * create the trailer iovec and coalesce the neighbouring bufs + */ + + cl = ngx_output_chain_to_iovec(&trailer, cl, limit - send, + c->log); + if (cl == NGX_CHAIN_ERROR) { + return NGX_CHAIN_ERROR; + } - if (cl == NGX_CHAIN_ERROR) { - return NGX_CHAIN_ERROR; - } + send += trailer.size; - send += trailer.size; + } else { + trailer.count = 0; + } if (ngx_freebsd_use_tcp_nopush && c->tcp_nopush == NGX_TCP_NOPUSH_UNSET) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/os/unix/ngx_thread_cond.c new/nginx-1.11.9/src/os/unix/ngx_thread_cond.c --- old/nginx-1.11.8/src/os/unix/ngx_thread_cond.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/os/unix/ngx_thread_cond.c 2017-01-24 15:02:19.000000000 +0100 @@ -16,8 +16,6 @@ err = pthread_cond_init(cond, NULL); if (err == 0) { - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_cond_init(%p)", cond); return NGX_OK; } @@ -33,8 +31,6 @@ err = pthread_cond_destroy(cond); if (err == 0) { - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_cond_destroy(%p)", cond); return NGX_OK; } @@ -50,8 +46,6 @@ err = pthread_cond_signal(cond); if (err == 0) { - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_cond_signal(%p)", cond); return NGX_OK; } @@ -66,9 +60,6 @@ { ngx_err_t err; - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_cond_wait(%p) enter", cond); - err = pthread_cond_wait(cond, mtx); #if 0 @@ -76,8 +67,6 @@ #endif if (err == 0) { - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_cond_wait(%p) exit", cond); return NGX_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/os/unix/ngx_thread_mutex.c new/nginx-1.11.9/src/os/unix/ngx_thread_mutex.c --- old/nginx-1.11.8/src/os/unix/ngx_thread_mutex.c 2016-12-27 15:23:09.000000000 +0100 +++ new/nginx-1.11.9/src/os/unix/ngx_thread_mutex.c 2017-01-24 15:02:19.000000000 +0100 @@ -108,8 +108,6 @@ "pthread_mutexattr_destroy() failed"); } - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_mutex_init(%p)", mtx); return NGX_OK; } @@ -126,8 +124,6 @@ return NGX_ERROR; } - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_mutex_destroy(%p)", mtx); return NGX_OK; } @@ -137,9 +133,6 @@ { ngx_err_t err; - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_mutex_lock(%p) enter", mtx); - err = pthread_mutex_lock(mtx); if (err == 0) { return NGX_OK; @@ -163,8 +156,6 @@ #endif if (err == 0) { - ngx_log_debug1(NGX_LOG_DEBUG_CORE, log, 0, - "pthread_mutex_unlock(%p) exit", mtx); return NGX_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/stream/ngx_stream_proxy_module.c new/nginx-1.11.9/src/stream/ngx_stream_proxy_module.c --- old/nginx-1.11.8/src/stream/ngx_stream_proxy_module.c 2016-12-27 15:23:10.000000000 +0100 +++ new/nginx-1.11.9/src/stream/ngx_stream_proxy_module.c 2017-01-24 15:02:20.000000000 +0100 @@ -1534,8 +1534,9 @@ size = b->end - b->last; - if (size && src->read->ready && !src->read->delayed) { - + if (size && src->read->ready && !src->read->delayed + && !src->read->error) + { if (limit_rate) { limit = (off_t) limit_rate * (ngx_time() - u->start_sec + 1) - *received; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.11.8/src/stream/ngx_stream_ssl_module.c new/nginx-1.11.9/src/stream/ngx_stream_ssl_module.c --- old/nginx-1.11.8/src/stream/ngx_stream_ssl_module.c 2016-12-27 15:23:10.000000000 +0100 +++ new/nginx-1.11.9/src/stream/ngx_stream_ssl_module.c 2017-01-24 15:02:20.000000000 +0100 @@ -284,14 +284,19 @@ { long rc; X509 *cert; + ngx_int_t rv; ngx_connection_t *c; ngx_stream_ssl_conf_t *sslcf; + if (!s->ssl) { + return NGX_OK; + } + c = s->connection; sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); - if (s->ssl && c->ssl == NULL) { + if (c->ssl == NULL) { c->log->action = "SSL handshaking"; if (sslcf->ssl.ctx == NULL) { @@ -301,7 +306,11 @@ return NGX_ERROR; } - return ngx_stream_ssl_init_connection(&sslcf->ssl, c); + rv = ngx_stream_ssl_init_connection(&sslcf->ssl, c); + + if (rv != NGX_OK) { + return rv; + } } if (sslcf->verify) {