Hi folks!
OpenResty 1.15.8.2 is a patch release addressing security
vulnerabilities in the HTTP/2 protocol which may cause excessive
memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
All previous NGINX cores supporting HTTP/2 are affected by this
issue (1.9.5 to 1.16.1). If you are serving HTTP/2 traffic with
*any* previous OpenResty release, upgrade to 1.15.8.2 or disable
HTTP/2.
Starting from this verison, we provide more official binary Yum/Apt
repositories for Red Hat Enterprise Linux (RHEL) 8 x86_64, OpenSUSE
Leap 15.1 x86_64, Debian 10 amd64, Fedora 30 x86_64, Amazon Linux 2
x86_64, and CentOS 7 aarch64 (arm64):
https://openresty.org/en/linux-packages.html
We will keep adding more official binary package repositories for
more Linux distributions in the future. However, we have
discontinued the maintainence of the official Apt repositories for
i386 Ubuntu systems due to the lack of interest from the community.
We also upgrade the PCRE and OpenSSL in our official Win32 and Win64
binary packages to their latest versions, 8.43 and 1.1.0k,
respectively.
Download this version here:
https://openresty.org/en/download.html
The (portable) source code distribution, the Win32/Win64 binary
distributions, and the pre-built binary Linux packages for Ubuntu,
Debian, Fedora, CentOS, RHEL, OpenSUSE, Amazon Linux are provided on
this Download page.
This is the second OpenResty release based on the nginx 1.15.8 core.
Acknowledgments
We wish to thank the Netflix and Google security teams for their
efforts in discovering these vulnerabilities, as well as the NGINX
team for promptly patching them.
Thanks Thibault Charbonnier for helping this release.
Version highlights
* bugfix: applied the nginx core patch for new HTTP/2 security
advisories (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).
Full Changelog
Complete change logs since the last (formal) release, 1.15.8.1, can
be browsed in the page Change Log for 1.15.8.x:
https://openresty.org/en/changelog-1015008.html
Testing
We have run extensive testing on our Amazon EC2 test cluster and
ensured that all the components (including the Nginx core) play well
together. The latest test report can always be found here:
https://qa.openresty.org/
We also always run our OpenResty Edge commercial software based on
the latest open source version of OpenResty in our own global CDN
network (dubbed "mini CDN") powering our openresty.org and
openresty.com websites. See https://openresty.com/ for more details.
Feedback
Feedback on this release is more than welcome. Feel free to create
new [GitHub issues](https://github.com/openresty/openresty/issues)
or send emails to one of our mailing lists.
The Next Release
The next release will be based on a very recent nginx 1.17.x core and is
already near the corner. We have been working hard on this next
release for several months now. Stay tuned!
Thanks!
Best regards,
Yichun