Hi folks,
I am happy to announce the new formal release, 1.25.3.2, of our OpenResty
web platform based on NGINX and LuaJIT.
OpenResty 1.25.3.2 is a security update addressing a performance issue in
our OpenResty branch of LuaJIT related to hash computation optimization.
This update disables a specific optimization in our LuaJIT fork that could
potentially lead to performance degradation under certain circumstances
(CVE-2024-39702).
It's important to note that this issue is specific to our OpenResty branch
of LuaJIT and does not affect the upstream mainline LuaJIT.
We would like to express our gratitude to Zhongwei Yao from Kong INC. for
reporting this issue.
The full announcement, download links, and change logs can be found below:
http://openresty.org/en/ann-1025003002.html
You can download the software packages here:
https://openresty.org/en/download.html
OpenResty is a high performance and dynamic web platform based on our
enhanced version of Nginx core, our enhanced version of LuaJIT, and many
powerful Nginx modules and Lua libraries. See OpenResty's homepage for
details:
https://openresty.org/en/
We strongly recommend all users to upgrade to this version to ensure
optimal performance and security.
OpenResty Inc. provides commercial support and private module development
for the open-source OpenResty. For more information, please visit
https://openresty.com.
Enjoy!
Best regards,
Jiahao
Is there any ETA for new docker builds of openresty for this as well?
Now that there is a patch out could you please share more information
on those "specific circumstances"?
It looks to me that luajit2 does not support SSE4.2 whereas agentzh's
fork does. And this is what has been disabled in this release. Is this
an interim release while the cause is investigated or is it fully
understood?
On Mon, 22 Jul 2024 at 17:46, Jiahao Wang via nginx <nginx at nginx.org> wrote:
>
> Hi folks,
>
> I am happy to announce the new formal release, 1.25.3.2, of our OpenResty web platform based on NGINX and LuaJIT.
>
> OpenResty 1.25.3.2 is a security update addressing a performance issue in our OpenResty branch of LuaJIT related to hash computation optimization. This update disables a specific optimization in our LuaJIT fork that could potentially lead to performance degradation under certain circumstances (CVE-2024-39702).
>
> It's important to note that this issue is specific to our OpenResty branch of LuaJIT and does not affect the upstream mainline LuaJIT.
>
> We would like to express our gratitude to Zhongwei Yao from Kong INC. for reporting this issue.
>
> The full announcement, download links, and change logs can be found below:
>
> http://openresty.org/en/ann-1025003002.html
>
> You can download the software packages here:
>
> https://openresty.org/en/download.html
>
> OpenResty is a high performance and dynamic web platform based on our enhanced version of Nginx core, our enhanced version of LuaJIT, and many powerful Nginx modules and Lua libraries. See OpenResty's homepage for details:
>
> https://openresty.org/en/
>
> We strongly recommend all users to upgrade to this version to ensure optimal performance and security.
>
> OpenResty Inc. provides commercial support and private module development for the open-source OpenResty. For more information, please visit https://openresty.com.
>
> Enjoy!
>
> Best regards,
> Jiahao
We have fully understood the cause of the problem. The reason for disabling
rather than reverting the entire commit is that we want to continue to
use SSE to speed things up in the future.
On Mon, Jul 22, 2024 at 4:10 PM Mathew Heard <me at mheard.com> wrote:
> Now that there is a patch out could you please share more information
> on those "specific circumstances"?
>
> It looks to me that luajit2 does not support SSE4.2 whereas agentzh's
> fork does. And this is what has been disabled in this release. Is this
> an interim release while the cause is investigated or is it fully
> understood?