Categories
Nginx

Nginx 1.2.0 with Naxsi 0.45 and Passenger 3.0.12

Dotdeb’s packages of the long-awaited Nginx 1.2.0 are now available for Debian 6.0 “Squeeze” (amd64/i386) in five flavors : nginx-light, nginx-naxsi, nginx-full, nginx-passenger and nginx-extras.

This is a major release with a lot of improvements since the former 1.0 branch. Please take a look at Nginx’ official Changelog before upgrading.

On the Dotdeb side :

  • Naxsi, a high performance, low rules maintenance, Web Application Firewall module, has been upgraded to version 0.45. Please read its documentation for more info.
  • Passenger has been upgraded to its 3.0.12 version.
  • Because nginx-passenger is now dedicated to Passenger, nginx-extras does not contain it anymore. Don’t forget to back up your configuration files when switching from nginx-extras to nginx-passenger.

If you want to know which module has been included in each Nginx flavor, you just have to look at this useful document.

Security : Nginx 1.0.15

Nginx 1.0.15 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a buffer overflow in the ngx_http_mp4_module :

  • Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley.
  • Bugfix: in the ngx_http_mp4_module.

Upgrading is recommended if you’re using the nginx-extras packages.

Categories
Nginx Passenger

Nginx with 2 new flavors : Naxsi & Passenger

Dotdeb’s packages of Nginx 1.0.14 for Debian 6.0 “Squeeze” (amd64/i386) have been synchronized with Debian’s ones to benefit from the great work of Cyril Lavier.

As a consequence, two new flavors of Nginx are now available, in addition to the regular nginx-light, nginx-full and nginx-extras packages :

  • nginx-naxsi inherits from nginx-light with a great new feature : Naxsi, a high performance, low rules maintenance, Web Application Firewall module. Use it if you want to protect your web apps from malicious visitors. Please read its documentation for more info.
  • nginx-passenger is dedicated to Passenger, the well-known Ruby on Rails runtime. Please also note that :
    • the passenger-common package has been renamed to ruby-passenger to stick to the Debian naming convention,
    • Passenger was already included in nginx-extras. To ease the migration (don’t forget to back up your configuration files), it will stay so until Nginx 1.2 is released.

If you want to know which module has been included in each Nginx flavor, you just have to look at this useful document.

Oh… One more thing : all the Nginx packages are now hardened against memory corruption attacks (no PIE support yet).

I really hope you’ll enjoy them. And many thanks to the Debian maintainers for their work, of course.

Security : Nginx 1.0.14

Nginx 1.0.14 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a potential memory disclosure :

  • Security: content of previously freed memory might be sent to a client if backend returned specially crafted response. Thanks to Matthew Daley.

Upgrading is strongly recommended.

Nginx 1.0.13

Nginx 1.0.13 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

Here are the changes on the Dotdeb side :

  • nginx-upload-module has been added to nginx-extras
  • nginx-auth-pam has been added to nginx-extras and nginx-full. Closes #5.
  • http_secure_link_module has been added to nginx-full. Closes #3.
  • file-aio is now supported by all nginx flavors
  • ngxensite/ngxdissite scripts are available to enable/disable sites. Closes #4.

Please take a look at Nginx’ Changelog before upgrading.

Nginx 1.0.12

Nginx 1.0.12 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

Here are the changes on the Dotdeb side :

  • Add the Cache purge module in nginx-full and nginx-extras
  • Use “default_server” instead of “default” in sites-available/default

Please take a look at Nginx’ Changelog before upgrading.

Nginx 1.0.11 : Passenger 3.0.11 and Push stream support

Nginx 1.0.11 packages are now available :

  • for both Debian 6.0 “Squeeze” and 5.0 “Lenny”
  • for both amd64 and i386 architectures

Here are the changes on the Dotdeb side :

  • nginx-extras now includes the Push stream module, instead of the bogus HTTP Push. Please review your configuration.
  • nginx-extras now uses Passenger 3.0.11

Please take a look at Nginx’ and Passenger’s Changelogs before upgrading.

Nginx 1.0.10

Nginx 1.0.10 was released a few hours ago and is now available on Dotdeb for :

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • both amd64 and i386 architectures

Here are the changes since the 1.0.9 release :

*) Bugfix: a segmentation fault might occur in a worker process if
      resolver got a big DNS response.
      Thanks to Ben Hawkes.

*) Bugfix: in cache key calculation if internal MD5 implementation was
      used; the bug had appeared in 1.0.4.

*) Bugfix: the module ngx_http_mp4_module sent incorrect
      "Content-Length" response header line if the "start" argument was
      used.
      Thanks to Piotr Sikora.

Nginx 1.0.9

Nginx 1.0.9 has just been released, bringing 12 bug fixes.

The packages are now available on Dotdeb :

  • for both Debian 6.0 “Squeeze” and 5.0 “Lenny”,
  • for both amd64 and i386 architectures.

Take a look at the full list of changes before upgrading.

Packages of Nginx 1.0.8 are available

A new stable version of Nginx, numbered 1.0.8, was released two weeks ago. It brings bug fixes and a new mp4 module. Take a look at the full list of changes before upgrading.

Here are the changes on the Dotdeb side :

  • the Http Headers More module has been included in nginx-extras,
  • the Http Chunkin module has been included in nginx-extras,
  • nginx-light now supports the Http Stub Status module,
  • the HTTP Push module is still present in the nginx-extras package but it may be removed in future releases because of stability issues.

Nginx 1.0.8 is available :

  • for both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • for both amd64 and i386 architectures