nginx: updated to 1.16.0

Changes with nginx 1.16.0                                        23 Apr 2019

    *) 1.16.x stable branch.


Changes with nginx 1.15.12                                       16 Apr 2019

    *) Bugfix: a segmentation fault might occur in a worker process if
       variables were used in the "ssl_certificate" or "ssl_certificate_key"
       directives and OCSP stapling was enabled.


Changes with nginx 1.15.11                                       09 Apr 2019

    *) Bugfix: in the "ssl_stapling_file" directive on Windows.


Changes with nginx 1.15.10                                       26 Mar 2019

    *) Change: when using a hostname in the "listen" directive nginx now
       creates listening sockets for all addresses the hostname resolves to
       (previously, only the first address was used).

    *) Feature: port ranges in the "listen" directive.

    *) Feature: loading of SSL certificates and secret keys from variables.

    *) Workaround: the $ssl_server_name variable might be empty when using
       OpenSSL 1.1.1.

    *) Bugfix: nginx/Windows could not be built with Visual Studio 2015 or
       newer; the bug had appeared in 1.15.9.


Changes with nginx 1.15.9                                        26 Feb 2019

    *) Feature: variables support in the "ssl_certificate" and
       "ssl_certificate_key" directives.

    *) Feature: the "poll" method is now available on Windows when using
       Windows Vista or newer.

    *) Bugfix: if the "select" method was used on Windows and an error
       occurred while establishing a backend connection, nginx waited for
       the connection establishment timeout to expire.

    *) Bugfix: the "proxy_upload_rate" and "proxy_download_rate" directives
       in the stream module worked incorrectly when proxying UDP datagrams.


Changes with nginx 1.15.8                                        25 Dec 2018

    *) Feature: the $upstream_bytes_sent variable.
       Thanks to Piotr Sikora.

    *) Feature: new directives in vim syntax highlighting scripts.
       Thanks to Gena Makhomed.

    *) Bugfix: in the "proxy_cache_background_update" directive.

    *) Bugfix: in the "geo" directive when using unix domain listen sockets.

    *) Workaround: the "ignoring stale global SSL error ... bad length"
       alerts might appear in logs when using the "ssl_early_data" directive
       with OpenSSL.

    *) Bugfix: in nginx/Windows.

    *) Bugfix: in the ngx_http_autoindex_module on 32-bit platforms.


Changes with nginx 1.15.7                                        27 Nov 2018

    *) Feature: the "proxy_requests" directive in the stream module.

    *) Feature: the "delay" parameter of the "limit_req" directive.
       Thanks to Vladislav Shabanov and Peter Shchuchkin.

    *) Bugfix: memory leak on errors during reconfiguration.

    *) Bugfix: in the $upstream_response_time, $upstream_connect_time, and
       $upstream_header_time variables.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       ngx_http_mp4_module was used on 32-bit platforms.


Changes with nginx 1.15.6                                        06 Nov 2018

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).

    *) Security: processing of a specially crafted mp4 file with the
       ngx_http_mp4_module might result in worker process memory disclosure
       (CVE-2018-16845).

    *) Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive",
       "grpc_socket_keepalive", "memcached_socket_keepalive",
       "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.

    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.

    *) Bugfix: working with gRPC backends might result in excessive memory
       consumption.


Changes with nginx 1.15.5                                        02 Oct 2018

    *) Bugfix: a segmentation fault might occur in a worker process when
       using OpenSSL 1.1.0h or newer; the bug had appeared in 1.15.4.

    *) Bugfix: of minor potential bugs.


Changes with nginx 1.15.4                                        25 Sep 2018

    *) Feature: now the "ssl_early_data" directive can be used with OpenSSL.

    *) Bugfix: in the ngx_http_uwsgi_module.
       Thanks to Chris Caputo.

    *) Bugfix: connections with some gRPC backends might not be cached when
       using the "keepalive" directive.

    *) Bugfix: a socket leak might occur when using the "error_page"
       directive to redirect early request processing errors, notably errors
       with code 400.

    *) Bugfix: the "return" directive did not change the response code when
       returning errors if the request was redirected by the "error_page"
       directive.

    *) Bugfix: standard error pages and responses of the
       ngx_http_autoindex_module module used the "bgcolor" attribute, and
       might be displayed incorrectly when using custom color settings in
       browsers.
       Thanks to Nova DasSarma.

    *) Change: the logging level of the "no suitable key share" and "no
       suitable signature algorithm" SSL errors has been lowered from "crit"
       to "info".


Changes with nginx 1.15.3                                        28 Aug 2018

    *) Feature: now TLSv1.3 can be used with BoringSSL.

    *) Feature: the "ssl_early_data" directive, currently available with
       BoringSSL.

    *) Feature: the "keepalive_timeout" and "keepalive_requests" directives
       in the "upstream" block.

    *) Bugfix: the ngx_http_dav_module did not truncate destination file
       when copying a file over an existing one with the COPY method.

    *) Bugfix: the ngx_http_dav_module used zero access rights on the
       destination file and did not preserve file modification time when
       moving a file between different file systems with the MOVE method.

    *) Bugfix: the ngx_http_dav_module used default access rights when
       copying a file with the COPY method.

    *) Workaround: some clients might not work when using HTTP/2; the bug
       had appeared in 1.13.5.

    *) Bugfix: nginx could not be built with LibreSSL 2.8.0.


Changes with nginx 1.15.2                                        24 Jul 2018

    *) Feature: the $ssl_preread_protocol variable in the
       ngx_stream_ssl_preread_module.

    *) Feature: now when using the "reset_timedout_connection" directive
       nginx will reset connections being closed with the 444 code.

    *) Change: a logging level of the "http request", "https proxy request",
       "unsupported protocol", and "version too low" SSL errors has been
       lowered from "crit" to "info".

    *) Bugfix: DNS requests were not resent if initial sending of a request
       failed.

    *) Bugfix: the "reuseport" parameter of the "listen" directive was
       ignored if the number of worker processes was specified after the
       "listen" directive.

    *) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to
       switch off "ssl_prefer_server_ciphers" in a virtual server if it was
       switched on in the default server.

    *) Bugfix: SSL session reuse with upstream servers did not work with the
       TLS 1.3 protocol.


Changes with nginx 1.15.1                                        03 Jul 2018

    *) Feature: the "random" directive inside the "upstream" block.

    *) Feature: improved performance when using the "hash" and "ip_hash"
       directives with the "zone" directive.

    *) Feature: the "reuseport" parameter of the "listen" directive now uses
       SO_REUSEPORT_LB on FreeBSD 12.

    *) Bugfix: HTTP/2 server push did not work if SSL was terminated by a
       proxy server in front of nginx.

    *) Bugfix: the "tcp_nopush" directive was always used on backend
       connections.

    *) Bugfix: sending a disk-buffered request body to a gRPC backend might
       fail.


Changes with nginx 1.15.0                                        05 Jun 2018

    *) Change: the "ssl" directive is deprecated; the "ssl" parameter of the
       "listen" directive should be used instead.

    *) Change: now nginx detects missing SSL certificates during
       configuration testing when using the "ssl" parameter of the "listen"
       directive.

    *) Feature: now the stream module can handle multiple incoming UDP
       datagrams from a client within a single session.

    *) Bugfix: it was possible to specify an incorrect response code in the
       "proxy_cache_valid" directive.

    *) Bugfix: nginx could not be built by gcc 8.1.

    *) Bugfix: logging to syslog stopped on local IP address changes.

    *) Bugfix: nginx could not be built by clang with CUDA SDK installed;
       the bug had appeared in 1.13.8.

    *) Bugfix: "getsockopt(TCP_FASTOPEN) ... failed" messages might appear
       in logs during binary upgrade when using unix domain listen sockets
       on FreeBSD.

    *) Bugfix: nginx could not be built on Fedora 28 Linux.

    *) Bugfix: request processing rate might exceed configured rate when
       using the "limit_req" directive.

    *) Bugfix: in handling of client addresses when using unix domain listen
       sockets to work with datagrams on Linux.

    *) Bugfix: in memory allocation error handling.

4 files changed, 15 insertions, 16 deletions

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index c60f024755b..fbf4feb85aa 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.82 2019/03/27 06:45:13 adam Exp $
+# $NetBSD: Makefile,v 1.83 2019/05/06 09:38:48 adam Exp $
 
-DISTNAME=	nginx-1.14.2
-PKGREVISION=	1
+DISTNAME=	nginx-1.16.0
 
 MAINTAINER=	joerg@NetBSD.org
 
diff --git a/www/nginx/Makefile.common b/www/nginx/Makefile.common
index 4f1353f9c8d..6222fc115c8 100644
--- a/www/nginx/Makefile.common
+++ b/www/nginx/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.14 2018/10/01 20:55:36 triaxx Exp $
+# $NetBSD: Makefile.common,v 1.15 2019/05/06 09:38:48 adam Exp $
 # used by www/nginx/Makefile
 # used by www/nginx-devel/Makefile
 
@@ -78,7 +78,7 @@ BUILD_TARGET=		build
 SUBST_CLASSES+=		prefix
 SUBST_STAGE.prefix=	pre-configure
 SUBST_FILES.prefix=	auto/lib/pcre/conf
-SUBST_SED.prefix=	-e 's,@PREFIX@,${PREFIX},g'
+SUBST_VARS.prefix=	PREFIX
 
 SUBST_CLASSES+=		paths
 SUBST_STAGE.paths=	pre-configure
diff --git a/www/nginx/distinfo b/www/nginx/distinfo
index 01e21545010..1f085a00f35 100644
--- a/www/nginx/distinfo
+++ b/www/nginx/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.68 2019/03/27 06:45:13 adam Exp $
+$NetBSD: distinfo,v 1.69 2019/05/06 09:38:48 adam Exp $
 
 SHA1 (array-var-nginx-module-0.05.tar.gz) = c69fac77814947009ab783a471783b3c95a63a26
 RMD160 (array-var-nginx-module-0.05.tar.gz) = 89bd4efc04864e3e90781588a337338951ec8733
@@ -20,18 +20,18 @@ SHA1 (headers-more-nginx-module-0.33.tar.gz) = 7d6af910dae98f0dbc67bf77e82eab8b7
 RMD160 (headers-more-nginx-module-0.33.tar.gz) = fb27195a722e81f533016e693b5a6616fd6b4f72
 SHA512 (headers-more-nginx-module-0.33.tar.gz) = 13165b1b8d4be281b8bd2404fa48d456013d560bace094c81da08a35dc6a4f025a809a3ae3a42be6bbf67abbcbe41e0730aba06f905220f3baeb01e1192a7d37
 Size (headers-more-nginx-module-0.33.tar.gz) = 28130 bytes
-SHA1 (lua-nginx-module-0.10.13.tar.gz) = 88f16ee8f1d168d1f6c1f2a1b48d31a5f4429114
-RMD160 (lua-nginx-module-0.10.13.tar.gz) = ec6278fb7936abfdead2df5e20a90092a1024098
-SHA512 (lua-nginx-module-0.10.13.tar.gz) = 8c316b9d12dc35779fcddc6bb90942c096f19fd8c2e090b8397e1e1ca6f0ebd7a4edddc03fddb31310147ba4e9db9fc4b3749cfd2323046d88045b3b3333f07d
-Size (lua-nginx-module-0.10.13.tar.gz) = 624102 bytes
+SHA1 (lua-nginx-module-0.10.15.tar.gz) = 82cef7d56601d2ae53a0912798af3546ca0a404c
+RMD160 (lua-nginx-module-0.10.15.tar.gz) = d755aa36c0604d37bf90a42da8221df26783545e
+SHA512 (lua-nginx-module-0.10.15.tar.gz) = 7555d3d256f169a4473f9be80e70e5bf53df5289167c9f70ecc943720bc783f92f54adcb69f15cd5fe2174436875f92f0b17d8198e3a86e27c4f0cf1e0536308
+Size (lua-nginx-module-0.10.15.tar.gz) = 655067 bytes
 SHA1 (naxsi-0.56.tar.gz) = 42ce137bd3e52a612793bcea43f3ffbb8376910a
 RMD160 (naxsi-0.56.tar.gz) = a5c97194ef3db415a4bab07c44f9e9f2860b9e1a
 SHA512 (naxsi-0.56.tar.gz) = 4660751849bce303af6010b7257532404710106a94817e78d4bc4b566f8019620f24f30207f1d4366b88132a5124e34b164dc67ed80b6710f4bad66115564cbd
 Size (naxsi-0.56.tar.gz) = 192120 bytes
-SHA1 (nginx-1.14.2.tar.gz) = 4b4df8786b44e79cffd2e002a070e27fd774a17f
-RMD160 (nginx-1.14.2.tar.gz) = 175e878b47902696c28ff9ac8ab551d9c211642e
-SHA512 (nginx-1.14.2.tar.gz) = d8362dbd86435657d6b13156bd6ad1b251d2ab10bc11cdda959b142dd6120b087e4b314f0025d9bbcc88529cb4b9407fb4df1cfae5d081b7ea1db51ccfc2dbe7
-Size (nginx-1.14.2.tar.gz) = 1015384 bytes
+SHA1 (nginx-1.16.0.tar.gz) = 5e2fe78453ecc983247223d73ad2129509ef2564
+RMD160 (nginx-1.16.0.tar.gz) = d2b74e3558f06c3f0aeaf9698e5819086138ef4b
+SHA512 (nginx-1.16.0.tar.gz) = e99cfaa4538f209c096ea2f93c04b5019756617f3bcd3305c273e98ddc89fed5bf90d65fb9b493149bc47d55ff79e73850bfcac20505fab74930d0102075df3d
+Size (nginx-1.16.0.tar.gz) = 1032345 bytes
 SHA1 (nginx-rtmp-module-1.2.1.tar.gz) = 7c6ae1afc117e3bf946b0d81f99d41fe538a7245
 RMD160 (nginx-rtmp-module-1.2.1.tar.gz) = 5fc0b4ac0b2c0a6d70957a5256754db8a9e934cf
 SHA512 (nginx-rtmp-module-1.2.1.tar.gz) = 4a0af5e9afa4deb0b53de8de7ddb2cfa6430d372e1ef9e421f01b509548bd134d427345442ac1ce667338cc2a1484dc2ab732e316e878ac7d3537dc527d5f922
diff --git a/www/nginx/options.mk b/www/nginx/options.mk
index c003b7057e7..f15f8042e09 100644
--- a/www/nginx/options.mk
+++ b/www/nginx/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.49 2019/03/27 06:45:13 adam Exp $
+# $NetBSD: options.mk,v 1.50 2019/05/06 09:38:48 adam Exp $
 
 PKG_OPTIONS_VAR=		PKG_OPTIONS.nginx
 PKG_SUPPORTED_OPTIONS=		dav flv gtools inet6 luajit mail-proxy memcache naxsi \
@@ -100,7 +100,7 @@ CONFIGURE_ENV+=		LUAJIT_INC=${PREFIX}/include/luajit-2.0
 CONFIGURE_ARGS+=	--add-module=../${LUA_DISTNAME}
 .endif
 .if !empty(PKG_OPTIONS:Mluajit) || make(makesum)
-LUA_VERSION=		0.10.13
+LUA_VERSION=		0.10.15
 LUA_DISTNAME=		lua-nginx-module-${LUA_VERSION}
 LUA_DISTFILE=		${LUA_DISTNAME}.tar.gz
 SITES.${LUA_DISTFILE}=	-https://github.com/openresty/lua-nginx-module/archive/v${LUA_VERSION}.tar.gz