Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2017-07-25 11:40:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Tue Jul 25 11:40:34 2017 rev:14 rq:512240 version:1.13.3 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2017-06-01 16:35:05.883116194 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new/nginx.changes 2017-07-25 11:41:12.741429198 +0200 @@ -1,0 +2,24 @@ +Mon Jul 17 10:58:21 UTC 2017 - [email protected] + +- update to 1.13.3 (boo#1048265) + - Security: a specially crafted request might result in an + integer overflow and incorrect processing of ranges in the + range filter, potentially resulting in sensitive information + leak (CVE-2017-7529). +- changes from 1.13.2 + - Change: nginx now returns 200 instead of 416 when a range + starting with 0 is requested from an empty file. + - Feature: the "add_trailer" directive. Thanks to Piotr Sikora. + - Bugfix: nginx could not be built on Cygwin and NetBSD; the bug + had appeared in 1.13.0. + - Bugfix: nginx could not be built under MSYS2 / MinGW 64-bit. + Thanks to Orgad Shaneh. + - Bugfix: a segmentation fault might occur in a worker process + when using SSI with many includes and proxy_pass with + variables. + - Bugfix: in the ngx_http_v2_module. Thanks to Piotr Sikora. +- update nginx-rtmp-module to 1.2.0: + - DASH improvements + - OpenSSL 1.1 compatibility + +------------------------------------------------------------------- Old: ---- nginx-1.13.1.tar.gz nginx-rtmp-module-1.1.10.tar.gz New: ---- nginx-1.13.3.tar.gz nginx-rtmp-module-1.2.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.OZTZ5T/_old 2017-07-25 11:41:13.345343935 +0200 +++ /var/tmp/diff_new_pack.OZTZ5T/_new 2017-07-25 11:41:13.349343370 +0200 @@ -64,7 +64,7 @@ %define ngx_doc_dir %{_datadir}/doc/packages/%{name} # Name: nginx -Version: 1.13.1 +Version: 1.13.3 Release: 0 %define ngx_fancyindex_version 0.4.1 %define ngx_fancyindex_module_path ngx-fancyindex-%{ngx_fancyindex_version} 
@@ -75,7 +75,7 @@ %define nginx_upstream_check_version 0.3.0 %define nginx_upstream_check_module_path nginx_upstream_check_module-%{nginx_upstream_check_version} -%define nginx_rtmp_version 1.1.10 +%define nginx_rtmp_version 1.2.0 %define nginx_rtmp_module_path nginx-rtmp-module-%{nginx_rtmp_version} Summary: A HTTP server and IMAP/POP3 proxy server ++++++ nginx-1.13.1.tar.gz -> nginx-1.13.3.tar.gz ++++++ ++++ 2179 lines of diff (skipped) ++++++ nginx-rtmp-module-1.1.10.tar.gz -> nginx-rtmp-module-1.2.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-rtmp-module-1.1.10/dash/ngx_rtmp_dash_module.c new/nginx-rtmp-module-1.2.0/dash/ngx_rtmp_dash_module.c --- old/nginx-rtmp-module-1.1.10/dash/ngx_rtmp_dash_module.c 2016-10-07 12:15:50.000000000 +0200 +++ new/nginx-rtmp-module-1.2.0/dash/ngx_rtmp_dash_module.c 2017-07-10 17:26:17.000000000 +0200 @@ -52,7 +52,7 @@ ngx_str_t playlist_bak; ngx_str_t name; ngx_str_t stream; - ngx_time_t start_time; + time_t start_time; ngx_uint_t nfrags; ngx_uint_t frag; @@ -228,8 +228,8 @@ ngx_rtmp_dash_app_conf_t *dacf; static u_char buffer[NGX_RTMP_DASH_BUFSIZE]; - static u_char start_time[sizeof("1970-09-28T12:00:00+06:00")]; - static u_char end_time[sizeof("1970-09-28T12:00:00+06:00")]; + static u_char start_time[sizeof("1970-09-28T12:00:00Z")]; + static u_char pub_time[sizeof("1970-09-28T12:00:00Z")]; dacf = ngx_rtmp_get_module_app_conf(s, ngx_rtmp_dash_module); ctx = ngx_rtmp_get_module_ctx(s, ngx_rtmp_dash_module); 
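Review bot: `start_time` and `pub_time` are sized for exactly the 20-character `...Z` timestamp plus its terminator, but the `ngx_sprintf` calls that fill them in the later `@@ -341,38 +336,33 @@` hunk are unbounded. `%4d` is only a minimum width, so the write stays inside the static arrays only while the year has four digits. Bounding the write keeps an unexpected time value from overrunning them, e.g. `*ngx_snprintf(start_time, sizeof(start_time) - 1, "%4d-%02d-%02dT%02d:%02d:%02dZ", ...) = 0;`, and likewise for `pub_time`. The enclosing function starts and ends outside both hunks.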
@@ -252,18 +252,16 @@ return NGX_ERROR; } - #define NGX_RTMP_DASH_MANIFEST_HEADER \ "<?xml version=\"1.0\"?>\n" \ "<MPD\n" \ " type=\"dynamic\"\n" \ " xmlns=\"urn:mpeg:dash:schema:mpd:2011\"\n" \ " availabilityStartTime=\"%s\"\n" \ - " availabilityEndTime=\"%s\"\n" \ + " publishTime=\"%s\"\n" \ " minimumUpdatePeriod=\"PT%uiS\"\n" \ " minBufferTime=\"PT%uiS\"\n" \ - " timeShiftBufferDepth=\"PT0H0M0.00S\"\n" \ - " suggestedPresentationDelay=\"PT%uiS\"\n" \ + " timeShiftBufferDepth=\"PT%uiS\"\n" \ " profiles=\"urn:hbbtv:dash:profile:isoff-live:2012," \ "urn:mpeg:dash:profile:isoff-live:2011\"\n" \ " xmlns:xsi=\"http://www.w3.org/2011/XMLSchema-instance\"\n" \ @@ -285,11 +283,9 @@ " width=\"%ui\"\n" \ " height=\"%ui\"\n" \ " frameRate=\"%ui\"\n" \ - " sar=\"1:1\"\n" \ " startWithSAP=\"1\"\n" \ " bandwidth=\"%ui\">\n" \ " <SegmentTemplate\n" \ - " presentationTimeOffset=\"0\"\n" \ " timescale=\"1000\"\n" \ " media=\"%V%s$Time$.m4v\"\n" \ " initialization=\"%V%sinit.m4v\">\n" \ @@ -323,7 +319,6 @@ " startWithSAP=\"1\"\n" \ " bandwidth=\"%ui\">\n" \ " <SegmentTemplate\n" \ - " presentationTimeOffset=\"0\"\n" \ " timescale=\"1000\"\n" \ " media=\"%V%s$Time$.m4a\"\n" \ " initialization=\"%V%sinit.m4a\">\n" \ 
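Review bot: `NGX_RTMP_DASH_MANIFEST_HEADER` in the first hunk here has five conversions (`%s`, `%s`, then three `%ui`) that must line up with the `ngx_slprintf` argument list, which sits in a different hunk far below the macro. This change swaps what two of those positions mean. nginx's formatter uses its own specifiers, so a compiler format check is unlikely to catch a mismatch. A short comment above the `#define` would pin the order, for example `/* args: availabilityStartTime, publishTime (NUL-terminated strings); minimumUpdatePeriod, minBufferTime, timeShiftBufferDepth (ngx_uint_t, seconds) */`.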
@@ -341,38 +336,33 @@ " </Period>\n" \ "</MPD>\n" - ngx_libc_localtime(ctx->start_time.sec + - ngx_rtmp_dash_get_frag(s, 0)->timestamp / 1000, &tm); + ngx_libc_gmtime(ctx->start_time, &tm); - *ngx_sprintf(start_time, "%4d-%02d-%02dT%02d:%02d:%02d%c%02d:%02d", - tm.tm_year + 1900, tm.tm_mon + 1, - tm.tm_mday, tm.tm_hour, - tm.tm_min, tm.tm_sec, - ctx->start_time.gmtoff < 0 ? '-' : '+', - ngx_abs(ctx->start_time.gmtoff / 60), - ngx_abs(ctx->start_time.gmtoff % 60)) = 0; - - ngx_libc_localtime(ctx->start_time.sec + - (ngx_rtmp_dash_get_frag(s, ctx->nfrags - 1)->timestamp + - ngx_rtmp_dash_get_frag(s, ctx->nfrags - 1)->duration) / - 1000, &tm); - - *ngx_sprintf(end_time, "%4d-%02d-%02dT%02d:%02d:%02d%c%02d:%02d", - tm.tm_year + 1900, tm.tm_mon + 1, - tm.tm_mday, tm.tm_hour, - tm.tm_min, tm.tm_sec, - ctx->start_time.gmtoff < 0 ? '-' : '+', - ngx_abs(ctx->start_time.gmtoff / 60), - ngx_abs(ctx->start_time.gmtoff % 60)) = 0; + ngx_sprintf(start_time, "%4d-%02d-%02dT%02d:%02d:%02dZ%Z", + tm.tm_year + 1900, tm.tm_mon + 1, + tm.tm_mday, tm.tm_hour, + tm.tm_min, tm.tm_sec); + + ngx_libc_gmtime(ngx_time(), &tm); + + ngx_sprintf(pub_time, "%4d-%02d-%02dT%02d:%02d:%02dZ%Z", + tm.tm_year + 1900, tm.tm_mon + 1, + tm.tm_mday, tm.tm_hour, + tm.tm_min, tm.tm_sec); last = buffer + sizeof(buffer); p = ngx_slprintf(buffer, last, NGX_RTMP_DASH_MANIFEST_HEADER, start_time, - end_time, + pub_time, (ngx_uint_t) (dacf->fraglen / 1000), (ngx_uint_t) (dacf->fraglen / 1000), - (ngx_uint_t) (dacf->fraglen / 500)); + (ngx_uint_t) (dacf->fraglen / 250 + 1)); + + /* + * timeShiftBufferDepth formula: + * 2 * minBufferTime + max_fragment_length + 1 + */ n = ngx_write_fd(fd, buffer, p - buffer); @@ -952,7 +942,7 @@ "dash: playlist='%V' playlist_bak='%V' stream_pattern='%V'", &ctx->playlist, &ctx->playlist_bak, &ctx->stream); - ctx->start_time = *ngx_cached_time; + ctx->start_time = ngx_time(); if (ngx_rtmp_dash_ensure_directory(s) != NGX_OK) { return NGX_ERROR; 
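Review bot: The `dacf->fraglen / 250 + 1` argument for `timeShiftBufferDepth` hard-codes an assumption that a fragment never exceeds twice `fraglen`, which appears to be what the `f->duration >= dacf->fraglen * 2` check added in the `@@ -1008,6 +998,11 @@` hunk enforces. Nothing ties the two together, so changing the factor in one place would quietly make the advertised buffer depth wrong. The formula comment is also placed after the call it explains. I would move it above the `ngx_slprintf` call and extend it, e.g. `/* timeShiftBufferDepth = 2 * minBufferTime + max_fragment_length + 1, where max_fragment_length is 2 * fraglen (see the boundary check on f->duration) */`, with a matching back-reference at the boundary check. The function body extends beyond the hunk on both sides.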
@@ -1008,6 +998,11 @@ f->duration = timestamp - f->timestamp; hit = (f->duration >= dacf->fraglen); + /* keep fragment lengths within 2x factor for dash.js */ + if (f->duration >= dacf->fraglen * 2) { + boundary = 1; + } + } else { /* sometimes clients generate slightly unordered frames */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-rtmp-module-1.1.10/ngx_rtmp.h new/nginx-rtmp-module-1.2.0/ngx_rtmp.h --- old/nginx-rtmp-module-1.1.10/ngx_rtmp.h 2016-10-07 12:15:50.000000000 +0200 +++ new/nginx-rtmp-module-1.2.0/ngx_rtmp.h 2017-07-10 17:26:17.000000000 +0200 @@ -135,6 +135,8 @@ #define NGX_RTMP_MSG_AGGREGATE 22 #define NGX_RTMP_MSG_MAX 22 +#define NGX_RTMP_MAX_CHUNK_SIZE 10485760 + #define NGX_RTMP_CONNECT NGX_RTMP_MSG_MAX + 1 #define NGX_RTMP_DISCONNECT NGX_RTMP_MSG_MAX + 2 #define NGX_RTMP_HANDSHAKE_DONE NGX_RTMP_MSG_MAX + 3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-rtmp-module-1.1.10/ngx_rtmp_handler.c new/nginx-rtmp-module-1.2.0/ngx_rtmp_handler.c --- old/nginx-rtmp-module-1.1.10/ngx_rtmp_handler.c 2016-10-07 12:15:50.000000000 +0200 +++ new/nginx-rtmp-module-1.2.0/ngx_rtmp_handler.c 2017-07-10 17:26:17.000000000 +0200 @@ -821,6 +821,12 @@ ngx_log_debug1(NGX_LOG_DEBUG_RTMP, s->connection->log, 0, "setting chunk_size=%ui", size); + if (size > NGX_RTMP_MAX_CHUNK_SIZE) { + ngx_log_error(NGX_LOG_ALERT, s->connection->log, 0, + "too big RTMP chunk size:%ui", size); + return NGX_ERROR; + } + cscf = ngx_rtmp_get_module_srv_conf(s, ngx_rtmp_core_module); s->in_old_pool = s->in_pool; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-rtmp-module-1.1.10/ngx_rtmp_handshake.c new/nginx-rtmp-module-1.2.0/ngx_rtmp_handshake.c --- old/nginx-rtmp-module-1.1.10/ngx_rtmp_handshake.c 2016-10-07 12:15:50.000000000 +0200 +++ new/nginx-rtmp-module-1.2.0/ngx_rtmp_handshake.c 2017-07-10 17:26:17.000000000 +0200 
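Review bot: `NGX_RTMP_MAX_CHUNK_SIZE` in the `ngx_rtmp.h` hunk is a bare decimal with no note on its unit or purpose. Its only visible use is the new upper-bound check in `ngx_rtmp_handler.c`. Writing it as `#define NGX_RTMP_MAX_CHUNK_SIZE (10 * 1024 * 1024)` with a comment such as `/* largest chunk size accepted in ngx_rtmp_handler.c, in bytes */` makes the limit readable and easier to audit.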
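Review bot: The oversize-chunk rejection in the `ngx_rtmp_handler.c` hunk logs at `NGX_LOG_ALERT`, but the condition looks peer-triggered, since `size` appears to come from the remote side. A misbehaving client could therefore fill the error log with alert-level entries and drown out real internal faults. A lower level fits better, e.g. `ngx_log_error(NGX_LOG_INFO, s->connection->log, 0, "too big RTMP chunk size:%ui", size);`. The check bounds only the upper end, and the function continues past the hunk, so whether a zero or very small size is rejected is not visible here and is worth confirming.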
@@ -104,30 +104,37 @@ ngx_rtmp_make_digest(ngx_str_t *key, ngx_buf_t *src, u_char *skip, u_char *dst, ngx_log_t *log) { - static HMAC_CTX hmac; - static unsigned hmac_initialized; + static HMAC_CTX *hmac; unsigned int len; - if (!hmac_initialized) { - HMAC_CTX_init(&hmac); - hmac_initialized = 1; + if (hmac == NULL) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + static HMAC_CTX shmac; + hmac = &shmac; + HMAC_CTX_init(hmac); +#else + hmac = HMAC_CTX_new(); + if (hmac == NULL) { + return NGX_ERROR; + } +#endif } - HMAC_Init_ex(&hmac, key->data, key->len, EVP_sha256(), NULL); + HMAC_Init_ex(hmac, key->data, key->len, EVP_sha256(), NULL); if (skip && src->pos <= skip && skip <= src->last) { if (skip != src->pos) { - HMAC_Update(&hmac, src->pos, skip - src->pos); + HMAC_Update(hmac, src->pos, skip - src->pos); } if (src->last != skip + NGX_RTMP_HANDSHAKE_KEYLEN) { - HMAC_Update(&hmac, skip + NGX_RTMP_HANDSHAKE_KEYLEN, + HMAC_Update(hmac, skip + NGX_RTMP_HANDSHAKE_KEYLEN, src->last - skip - NGX_RTMP_HANDSHAKE_KEYLEN); } } else { - HMAC_Update(&hmac, src->pos, src->last - src->pos); + HMAC_Update(hmac, src->pos, src->last - src->pos); } - HMAC_Final(&hmac, dst, &len); + HMAC_Final(hmac, dst, &len); return NGX_OK; }
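Review bot: The return values of `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final` are ignored on the new side, so the function returns `NGX_OK` even if one of them fails, leaving `dst` unwritten for whatever the caller then does with the digest. On OpenSSL 1.0.0 and later these calls return 1 on success, so each can be tested and mapped to `NGX_ERROR`, with a message through the `log` argument that the new `HMAC_CTX_new()` failure path also lacks. Separately, the `skip <= src->last` guard does not by itself keep `skip + NGX_RTMP_HANDSHAKE_KEYLEN` inside the buffer. Presumably callers ensure that, but it is worth confirming. The function's return-type line sits above the hunk.

```c
    /* … unchanged: lazy creation of the static hmac context … */

    if (HMAC_Init_ex(hmac, key->data, key->len, EVP_sha256(), NULL) != 1) {
        goto failed;
    }

    if (skip && src->pos <= skip && skip <= src->last) {
        if (skip != src->pos
            && HMAC_Update(hmac, src->pos, skip - src->pos) != 1)
        {
            goto failed;
        }

        if (src->last != skip + NGX_RTMP_HANDSHAKE_KEYLEN
            && HMAC_Update(hmac, skip + NGX_RTMP_HANDSHAKE_KEYLEN,
                           src->last - skip - NGX_RTMP_HANDSHAKE_KEYLEN) != 1)
        {
            goto failed;
        }

    } else if (HMAC_Update(hmac, src->pos, src->last - src->pos) != 1) {
        goto failed;
    }

    if (HMAC_Final(hmac, dst, &len) != 1) {
        goto failed;
    }

    return NGX_OK;

failed:

    ngx_log_error(NGX_LOG_ERR, log, 0, "handshake: HMAC computation failed");

    return NGX_ERROR;
```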
