ubuntu/+source/nginx:ubuntu/xenial-security

Last commit made on 2018-11-07
Get this branch:
git clone -b ubuntu/xenial-security https://git.launchpad.net/ubuntu/+source/nginx

Branch information

Name: ubuntu/xenial-security
Repository: lp:ubuntu/+source/nginx

Recent commits

7f02e68... by Marc Deslauriers on 2018-11-06

Import patches-unapplied version 1.10.3-0ubuntu0.16.04.3 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 51e1e5c69630b0286ce0887d9c4bd337d9d1ec98

New changelog entries:
  * SECURITY UPDATE: excessive memory consumption in HTTP/2 implementation
    - debian/patches/CVE-2018-16843.patch: add flood detection in
      src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    - CVE-2018-16843
  * SECURITY UPDATE: excessive CPU usage in HTTP/2 implementation
    - debian/patches/CVE-2018-16844-pre.patch: backport new
      http2_max_requests directive.
    - debian/patches/CVE-2018-16844.patch: limit the number of idle state
      switches in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    - CVE-2018-16844
  * SECURITY UPDATE: infinite loop in ngx_http_mp4_module
    - debian/patches/CVE-2018-16845.patch: fixed reading 64-bit atoms in
      src/http/modules/ngx_http_mp4_module.c.
    - CVE-2018-16845

51e1e5c... by Steve Beattie on 2017-07-12

Import patches-unapplied version 1.10.3-0ubuntu0.16.04.2 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: ce2df53a681e7f2a1dab83adca148c93b3b68abd

New changelog entries:
  * SECURITY UPDATE: integer overflow in range filter leading to
    information exposure
    - debian/patches/CVE-2017-7529.patch: add check to ensure size does
      not overflow
    - CVE-2017-7529

ce2df53... by Thomas Ward on 2017-02-11

Import patches-unapplied version 1.10.3-0ubuntu0.16.04.1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: fc077fe7f833738f4f72f60a0b18a8559f7ebd97

New changelog entries:
  * Stable Release Update (LP: #1663937)
  * New upstream release (1.10.3) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES-1.10
  * All Ubuntu specific changes from 1.10.0-0ubuntu1 through
    1.10.0-0ubuntu0.16.04.4 remain included.
  * Additional changes:
    * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.
    * debian/patches/cve-2016-4450.patch: Drop CVE patch as it is already
      included in the upstream source code in this upload.

fc077fe... by Marc Deslauriers on 2016-10-27

Import patches-unapplied version 1.10.0-0ubuntu0.16.04.4 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 7c2177d874e6f9c272c4913f41ebfc01e1e17ccd

New changelog entries:
  * SECURITY REGRESSION: config upgrade failure (LP: #1637058)
    - debian/nginx-common.config: fix return code so script doesn't exit.

7c2177d... by Marc Deslauriers on 2016-10-18

Import patches-unapplied version 1.10.0-0ubuntu0.16.04.3 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 5faa114834dc6caec7eac87f75dfeaf16a24f55c

New changelog entries:
  [ Christos Trochalakis ]
  * debian/nginx-common.postinst:
    + Secure log file handling (owner & permissions) against privilege
      escalation attacks. /var/log/nginx is now owned by root:adm.
      Thanks Dawid Golunski (http://legalhackers.com) for the report.
      Changing /var/log/nginx permissions effectively reopens #701112,
      since log files can be world-readable. This is a trade-off until
      a better log opening solution is implemented upstream (trac:376).
  * debian/control:
    Don't allow building against liblua5.1-0-dev on architectures
    where libluajit is available.

5faa114... by Thomas Ward on 2016-05-31

Import patches-unapplied version 1.10.0-0ubuntu0.16.04.2 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 544c77cb18551ed365e40d5b0aec63a3b5c89e12

New changelog entries:
  * SECURITY UPDATE: Null pointer dereference while writing client request
    body (LP: #1587577)
    - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
    - CVE-2016-4450

544c77c... by Thomas Ward on 2016-04-26

Import patches-unapplied version 1.10.0-0ubuntu0.16.04.1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: b100a2e83b3b938552e58fbedca71db098fb1cf0

New changelog entries:
  * Stable Release Update (LP: #1575212)
  * New upstream release (1.10.0) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES-1.10
  * All Ubuntu specific changes from 1.9.15-0ubuntu1 remain included.
  * Additional changes:
    * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.

b100a2e... by Thomas Ward on 2016-04-18

Import patches-unapplied version 1.9.15-0ubuntu1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 305f0eaded9556098a8259dea8c55d17951adc5f

New changelog entries:
  * New upstream release (1.9.15) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES (LP: #1572223)
  * All Ubuntu specific changes from 1.1.14-0ubuntu1, except noted below,
    remain included in this upload.
  * Remaining changes:
    * debian/control: Re-add libluajit-5.1-dev build-dependency, as it will
      only affect nginx-extras which is in Universe. This reduces the merge
      delta between Ubuntu and Debian slightly, as well. (LP: #1571444)
    * debian/patches/ubuntu-branding.patch: Refresh Ubuntu Branding patch.

305f0ea... by Thomas Ward on 2016-04-01

Import patches-unapplied version 1.9.14-0ubuntu1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 65b6f3e0006bd3a47c38c9675e46d24a11de9b96

New changelog entries:
  * New upstream release (1.9.14) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES (LP: #1566392)
  * All Ubuntu specific changes from 1.9.13-0ubuntu1, except noted below,
    remain included in this upload.
  * Remaining changes:
    * Enable HTTP/2 module for nginx-full, nginx-extras, and nginx-core
      (LP: #1565043)
      - debian/rules: Enable HTTP/2 module building in flavor rules
      - debian/control: Add HTTP/2 module to package descriptions.
    * debian/patches/ubuntu-branding.patch: Refresh Ubuntu Branding patch.

65b6f3e... by Thomas Ward on 2016-03-29

Import patches-unapplied version 1.9.13-0ubuntu1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: db73e5de28439198354f767e312f29f05b61442e

New changelog entries:
  * New upstream release (1.9.13) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES (LP: #1563393)
  * All Ubuntu specific changes from 1.9.12-0ubuntu1 remain included in
    this upload.
  * debian/patches/ubuntu-branding.patch: Refresh Ubuntu Branding patch.