For Xenial, also take into account the changes done between 1.10.0 and 1.10.3. Note the CVE issue is already fixed in the Security repository, but other bugfixes should probably be included.
Changes with nginx 1.10.3                                        31 Jan 2017

    *) Bugfix: in the "add_after_body" directive when used with the "sub_filter" directive.
    *) Bugfix: unix domain listen sockets might not be inherited during binary upgrade on Linux.
    *) Bugfix: graceful shutdown of old worker processes might require infinite time when using HTTP/2.
    *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives client request body might be corrupted; the bug had appeared in 1.10.2.
    *) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.10.2.
    *) Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in 1.7.8.
    *) Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.
    *) Bugfix: a socket leak might occur when using the "aio_write" directive.

Changes with nginx 1.10.2                                        18 Oct 2016

    *) Change: the "421 Misdirected Request" response now used when rejecting requests to a virtual server different from one negotiated during an SSL handshake; this improves interoperability with some HTTP/2 clients when using client certificates.
    *) Change: HTTP/2 clients can now start sending request body immediately; the "http2_body_preread_size" directive controls size of the buffer used before nginx will start reading client request body.
    *) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 and the "proxy_request_buffering" directive.
    *) Bugfix: the "Content-Length" request header line was always added to requests passed to backends, including requests without body, when using HTTP/2.
    *) Bugfix: "http request count is zero" alerts might appear in logs when using HTTP/2.
    *) Bugfix: unnecessary buffering might occur when using the "sub_filter" directive; the issue had appeared in 1.9.4.
    *) Bugfix: socket leak when using HTTP/2.
    *) Bugfix: an incorrect response might be returned when using the "aio threads" and "sendfile" directives; the bug had appeared in 1.9.13.
    *) Workaround: OpenSSL 1.1.0 compatibility.

Changes with nginx 1.10.1                                        31 May 2016

    *) Security: a segmentation fault might occur in a worker process while writing a specially crafted request body to a temporary file (CVE-2016-4450); the bug had appeared in 1.3.9.

** Description changed:

- There are a lot of bugfixes in 1.10.3, including HTTP/2 fixes, that
+ [Impact]
+ 
+ Two releases are affected: Xenial and Yakkety.
+ 
+ There are a bunch of bugfixes in 1.10.3, including HTTP/2 fixes, that
  should be included in Ubuntu. This is detailed here in the upstream
- changelog:
+ changelog from nginx:
  
  Changes with nginx 1.10.3 (31 Jan 2017)
  *) Bugfix: in the "add_after_body" directive when used with the "sub_filter" directive.
  *) Bugfix: unix domain listen sockets might not be inherited during binary upgrade on Linux.
  *) Bugfix: graceful shutdown of old worker processes might require infinite time when using HTTP/2.
  *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives client request body might be corrupted; the bug had appeared in 1.10.2.
  *) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.10.2.
  *) Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in 1.7.8.
  *) Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.
  *) Bugfix: a socket leak might occur when using the "aio_write" directive.
+ 
+ [Test Case]
+ 
+ No test cases available as there are no bugs filed for any of these in
+ Ubuntu. However, due to HTTP/2, any 'bugs' in these which may corrupt
+ data or not kill worker processes correctly, or segfault, should be
+ addressed.
+ 
+ [Regression Potential]
+ 
+ All these bugfixes were tested upstream by the nginx team, and do not
+ pose a regression risk to the existing software versions or features of
+ Ubuntu in affected releases.
+ 
+ [Other Info]
+ 
+ I will be uploading nginx 1.10.3 directly to Zesty today, and then have
+ a merge ready by the end of the week for Zesty from Debian, which pulls
+ in dynamic module support, etc. This SRU is written here ahead of
+ having the Zesty update done, because this happens to be on my list of
+ things to get done before the Zesty update.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4450

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1663937

Title:
  [SRU] Please update nginx in Xenial and Yakkety to 1.10.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1663937/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
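The question the first comment raises (the CVE is already fixed in the Security repository, but which of the other 1.10.1 to 1.10.3 entries does a Xenial 1.10.0 package still lack?) can be answered mechanically from the upstream CHANGES format quoted above. The following is an added example, not code from the bug report, from nginx or from Ubuntu: a small parser for that format plus the filter an SRU reviewer wants, which honours the "the bug had appeared in X" notes (a 1.10.3 fix for a regression introduced in 1.10.2 is not missing from a 1.10.0 package) and lets the caller list CVEs the distro has already backported. The embedded changelog text is a constructed subset of the entries above, and `already_fixed_cves` is supplied by the caller from the distro security tracker, not derived by the script.

```python
import re
from typing import NamedTuple, Optional, Tuple, List, Iterable

# Constructed excerpt in the layout of the upstream nginx CHANGES file,
# restricted to a few of the entries quoted in this bug so the example
# runs offline.
CHANGES = """\
Changes with nginx 1.10.3                                        31 Jan 2017

    *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
       directives client request body might be corrupted; the bug had
       appeared in 1.10.2.

    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2; the bug had appeared in 1.10.2.

    *) Bugfix: a socket leak might occur when using the "aio_write"
       directive.

Changes with nginx 1.10.2                                        18 Oct 2016

    *) Change: HTTP/2 clients can now start sending request body
       immediately; the "http2_body_preread_size" directive controls size
       of the buffer used before nginx will start reading client request
       body.

    *) Bugfix: socket leak when using HTTP/2.

Changes with nginx 1.10.1                                        31 May 2016

    *) Security: a segmentation fault might occur in a worker process
       while writing a specially crafted request body to a temporary file
       (CVE-2016-4450); the bug had appeared in 1.3.9.
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Upstream part of a version string: '1.10.0-0ubuntu0.16.04.4' -> (1, 10, 0)."""
    m = re.match(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no dotted version in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


class Entry(NamedTuple):
    version: Version            # release that carries the entry
    kind: str                   # Security / Bugfix / Change / Feature / Workaround
    text: str                   # entry text, whitespace-normalised
    appeared_in: Optional[Version]  # from "the bug had appeared in X", if stated
    cves: Tuple[str, ...]       # CVE ids mentioned in the entry


def parse_changes(changes: str) -> List[Entry]:
    """Split a CHANGES file into entries; blocks are separated by blank lines."""
    entries: List[Entry] = []
    version: Optional[Version] = None
    for block in re.split(r"\n\s*\n", changes):
        block = block.strip()
        if not block:
            continue
        header = re.match(r"Changes with nginx (\S+)", block)
        if header:
            version = parse_version(header.group(1))
            continue
        m = re.match(r"\*\)\s*(Security|Bugfix|Change|Feature|Workaround):\s*(.*)",
                     block, re.S)
        if not m or version is None:
            continue  # not an entry, or an entry before any release header
        body = " ".join(m.group(2).split())
        appeared = re.search(r"the bug had appeared in (\d+(?:\.\d+)+)", body)
        entries.append(Entry(
            version=version,
            kind=m.group(1),
            text=body,
            appeared_in=parse_version(appeared.group(1)) if appeared else None,
            cves=tuple(re.findall(r"CVE-\d{4}-\d+", body)),
        ))
    return entries


def entries_affecting(entries: Iterable[Entry], installed: Version,
                      already_fixed_cves: Iterable[str] = ()) -> List[Entry]:
    """Entries newer than `installed` whose defect is actually present in it.

    Skips entries whose bug only appeared after `installed` (a later regression),
    and Security entries whose CVEs the caller says are already backported.
    """
    fixed = set(already_fixed_cves)
    out: List[Entry] = []
    for e in entries:
        if e.version <= installed:
            continue
        if e.appeared_in is not None and e.appeared_in > installed:
            continue
        if e.kind == "Security" and e.cves and all(c in fixed for c in e.cves):
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    # Package version string is a constructed example of the Xenial format.
    installed = parse_version("1.10.0-0ubuntu0.16.04.4")
    for e in entries_affecting(parse_changes(CHANGES), installed, {"CVE-2016-4450"}):
        print("%s %s: %s" % (".".join(map(str, e.version)), e.kind, e.text))
```

Run it with the full upstream CHANGES text and the package's `dpkg-query -W nginx` output to get the list of entries the SRU actually closes for that release; Change entries are kept in the output on purpose, since behaviour changes such as the 421 response and `http2_body_preread_size` are what the regression assessment has to cover.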