OpenResty® A scalable web platform built by extending NGINX with Lua

OpenResty 1.15.8.2 Released

Yichun Zhang (agentzh), 09 Sep 2019 (created 14 Aug 2019)

OpenResty 1.15.8.2 is a patch release addressing security vulnerabilities in the HTTP/2 protocol which may cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

All previous NGINX cores supporting HTTP/2 are affected by this issue (1.9.5 to 1.16.1). If you are serving HTTP/2 traffic with any previous OpenResty release, upgrade to 1.15.8.2 or disable HTTP/2.

Starting from this version, we provide more official binary Yum/Apt repositories for Red Hat Enterprise Linux (RHEL) 8 x86_64, OpenSUSE Leap 15.1 x86_64, Debian 10 amd64, Fedora 30 x86_64, Amazon Linux 2 x86_64, and CentOS 7 aarch64 (arm64):

https://openresty.org/en/linux-packages.html

We will keep adding more official binary package repositories for more Linux distributions in the future. However, we have discontinued the maintenance of the official Apt repositories for i386 Ubuntu systems due to the lack of interest from the community.

We have also upgraded PCRE and OpenSSL in our official Win32 and Win64 binary packages to their latest versions, 8.43 and 1.1.0k, respectively.

Download this version here:

https://openresty.org/en/download.html

The (portable) source code distribution, the Win32/Win64 binary distributions, and the pre-built binary Linux packages for Ubuntu, Debian, Fedora, CentOS, RHEL, OpenSUSE, and Amazon Linux are provided on this Download page.

This is the second OpenResty release based on the nginx 1.15.8 core.

Acknowledgments

We wish to thank the Netflix and Google security teams for their efforts in discovering these vulnerabilities, as well as the NGINX team for promptly patching them.

Thanks to Thibault Charbonnier for helping with this release.

Version highlights

  • bugfix: applied the nginx core patch for new HTTP/2 security advisories (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

Full Changelog

Complete change logs since the last (formal) release, 1.15.8.1, can be browsed on the page Change Log for 1.15.8.x.

Testing

We have run extensive testing on our Amazon EC2 test cluster and ensured that all the components (including the Nginx core) play well together. The latest test report can always be found here:

https://qa.openresty.org/

We also always run our OpenResty Edge commercial software based on the latest open source version of OpenResty in our own global CDN network (dubbed "mini CDN") powering our openresty.org and openresty.com websites. See https://openresty.com/ for more details.

Feedback

Feedback on this release is more than welcome. Feel free to create new GitHub issues or send emails to one of our mailing lists.

The Next Release

The next release will be based on the nginx 1.17.x core and is just around the corner. We have been working hard on this next release for several months now. Stay tuned!