author | nginx <nginx@nginx.org> | 2014-08-05 13:55:13 +0000 |
---|---|---|
committer | Jon Kolb <kolbyjack@gmail.com> | 2014-08-05 13:55:13 +0000 |
commit | 1fdff008eae31a85e7575079a43f1419aba9ba9b (patch) | |
tree | 2d8d21a4f48fac61511200bb548c18b26c6c02fe | |
parent | ea2dabd84d0a2d0153071484195ecd683b87e9ef (diff) | |
download | nginx-1.6.1.tar.gz |
Changes with nginx 1.6.1 05 Aug 2014v1.6.1
*) Security: pipelined commands were not discarded after STARTTLS
command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
Thanks to Chris Boulton.
*) Bugfix: the $uri variable might contain garbage when returning errors
with code 400.
Thanks to Sergey Bobrov.
*) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug
had appeared in 1.5.6.
Thanks to Svyatoslav Nikolsky.
-rw-r--r-- | CHANGES | 15 | ||||
-rw-r--r-- | CHANGES.ru | 16 | ||||
-rw-r--r-- | src/core/nginx.h | 4 | ||||
-rw-r--r-- | src/http/ngx_http_request.c | 2 | ||||
-rw-r--r-- | src/mail/ngx_mail_smtp_handler.c | 13 |
5 files changed, 48 insertions, 2 deletions
@@ -1,4 +1,19 @@
+Changes with nginx 1.6.1 05 Aug 2014
+
+ *) Security: pipelined commands were not discarded after STARTTLS
+ command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
+ Thanks to Chris Boulton.
+
+ *) Bugfix: the $uri variable might contain garbage when returning errors
+ with code 400.
+ Thanks to Sergey Bobrov.
+
+ *) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug
+ had appeared in 1.5.6.
+ Thanks to Svyatoslav Nikolsky.
+
+
 Changes with nginx 1.6.0 24 Apr 2014 *) 1.6.x stable branch.
diff --git a/CHANGES.ru b/CHANGES.ru
index 5915dd854..509603ca5 100644
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,20 @@
+Изменения в nginx 1.6.1 05.08.2014
+
+ *) Безопасность: pipelined-команды не отбрасывались после команды
+ STARTTLS в SMTP прокси-сервере (CVE-2014-3556); ошибка появилась в
+ 1.5.6.
+ Спасибо Chris Boulton.
+
+ *) Исправление: переменная $uri могла содержать мусор при возврате
+ ошибок с кодом 400.
+ Спасибо Сергею Боброву.
+
+ *) Исправление: в работе параметра none директивы smtp_auth; ошибка
+ появилась в 1.5.6.
+ Спасибо Святославу Никольскому.
+
+
 Изменения в nginx 1.6.0 24.04.2014 *) Стабильная ветка 1.6.x.
diff --git a/src/core/nginx.h b/src/core/nginx.h
index 0ef0f2e11..ac9f656e6 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
-#define nginx_version 1006000
-#define NGINX_VERSION "1.6.0"
+#define nginx_version 1006001
+#define NGINX_VERSION "1.6.1"
 #define NGINX_VER "nginx/" NGINX_VERSION
 #define NGINX_VAR "NGINX"
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 4bf9d1fcf..845ada322 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1071,6 +1071,8 @@ ngx_http_process_request_uri(ngx_http_request_t *r)
 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 if (ngx_http_parse_complex_uri(r, cscf->merge_slashes) != NGX_OK) {
+ r->uri.len = 0;
+
 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "client sent invalid request");
 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
index 52fe47523..46d703e2c 100644
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@@ -679,6 +679,11 @@ ngx_mail_smtp_mail(ngx_mail_session_t *s, ngx_connection_t *c)
 return NGX_OK;
 }
+ if (s->args.nelts == 0) {
+ ngx_str_set(&s->out, smtp_invalid_argument);
+ return NGX_OK;
+ }
+
 arg = s->args.elts;
 arg += s->args.nelts - 1;
@@ -713,6 +718,11 @@ ngx_mail_smtp_rcpt(ngx_mail_session_t *s, ngx_connection_t *c)
 return NGX_OK;
 }
+ if (s->args.nelts == 0) {
+ ngx_str_set(&s->out, smtp_invalid_argument);
+ return NGX_OK;
+ }
+
 arg = s->args.elts;
 arg += s->args.nelts - 1;
@@ -767,6 +777,9 @@ ngx_mail_smtp_starttls(ngx_mail_session_t *s, ngx_connection_t *c)
 ngx_str_null(&s->smtp_from);
 ngx_str_null(&s->smtp_to);
+ s->buffer->pos = s->buffer->start;
+ s->buffer->last = s->buffer->start;
+
 c->read->handler = ngx_mail_starttls_handler;
 return NGX_OK;
 } |
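Review bot: In ngx_http_process_request_uri, the added `r->uri.len = 0;` carries no comment explaining why the URI is cleared on the parse-failure path, so a later reader could take it for a dead store given that the request is finalized two statements further down. Judging from the changelog entry, r->uri still describes a buffer that ngx_http_parse_complex_uri() did not finish filling, so anything that expands $uri while the 400 response is produced or logged would read leftover bytes; the allocation itself is outside the hunk, so this is inferred. I would put `/* parse failed: r->uri is not valid, keep $uri empty for error handling and logging */` above the assignment. The function body starts and ends outside the hunk.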
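Review bot: The new `s->args.nelts == 0` guard in ngx_mail_smtp_mail, and the identical one added to ngx_mail_smtp_rcpt, is the only thing keeping `arg += s->args.nelts - 1;` from addressing an element outside the argument array, yet neither site says so. A one-line comment such as `/* no arguments: elts[nelts - 1] below would be out of bounds */` above each check would keep it from being dropped as redundant in a later cleanup. The rejected command also leaves no trace in the log as far as the hunk shows, so an operator cannot tell how often this path is hit. Both functions start and end outside their hunks, so the condition under which an empty argument list reaches this point is not visible here.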
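Review bot: In ngx_mail_smtp_starttls, the two added resets of `s->buffer->pos` and `s->buffer->last` are the security fix itself, but they are uncommented and the discard is silent. I would add `/* drop any plaintext pipelined after STARTTLS so it is never handled as if it arrived over TLS (CVE-2014-3556) */` above them, so that the reset is not later mistaken for routine buffer housekeeping and removed. For detection, a log line before the reset would give operators a signal that a client or an on-path party sent data where the protocol allows none: `if (s->buffer->pos < s->buffer->last) { ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent data after STARTTLS"); }`. That condition assumes pos has already been advanced past the STARTTLS command at this point, which the hunk does not show, as the function starts outside it.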