Binary Evidence-Driven Vulnerability Scanning: Eliminating False Positives with OpenResty XRay
limited time offer
Request
TRIAL
today and receive a diagnostic
REPORT
New! OpenResty 1.29.2.3 is now released!
New! OpenResty 1.27.1.2 is now released!
New! New blog post Binary Evidence-Driven Vulnerability Scanning: Eliminating False Positives with OpenResty XRay is published.
New! New blog post How OpenResty XRay Enables Full-Stack Dynamic Tracing in Production is published.
ChangeLog for 1.27.1.x
lijunlong , 31 Mar 2025 (created 14 Aug 2024)Version 1.27.1.2 - 14 Mar 2025
- upgraded lua-nginx-module to v0.10.28
- feature: add ngx.resp.set_status(status, reason). Thanks lijunlong for the patch.
- feature: implemented ngx_http_lua_ffi_decode_base64mime. Thanks WenMing for the patch.
- bugfix:
setkeepalivefailure on TLSv1.3 Thanks Zhefeng C. for the patch. - bugfix: remove http2 hardcode limitation in
ngx.locationsubrequest API. Thanks Jun Ouyang for the patch. - bugfix: removed null terminator. Thanks n-bes for the patch.
- doc: clarify base64 for url encoding and padding. Thanks Thijs Schreijer for the patch.
- doc: Redraw directives png (#2353) Thanks xiaobiaozhao for the patch.
- doc: clarify the backlog option (#2367) Thanks Thijs Schreijer for the patch.
- doc: improve grammar. Thanks Josh Soref for the patch.
- doc: more accurate error message. Thanks willmafh for the patch.
- optimize: removed unreachable code in ngx_http_lua_send_http10_headers(). Thanks lijunlong for the patch.
- optimize: remove duplicate check in ngx.send_headers Thanks spacewander for the patch.
- tests: add support for openssl3.0. Thanks lijunlong for the patch.
- upgraded stream-lua-nginx-module to v0.0.16
- feature: enable ngx.var at the ssl_certificate_by_lua and ssl_client_hello_by_lua. Thanks lijunlong for the patch.
- bugfix:
setkeepalivefailure on TLSv1.3 Thanks Zhefeng C. for the patch.
- upgraded lua-resty-core to v0.1.31
- feature: implemented decode_base64mime. Thanks WenMing for the patch.
- feature: add ngx.resp.set_status(status, reason). Thanks lijunlong for the patch.
- feature: update nginx to v1.27.1. Thanks lijunlong for the patch.
- upgraded luajit2 to v2.1-20250117
- Fix recording of BC_VARG. Thanks Mike Pall for the patch.
- Reject negative getfenv()/setfenv() levels to prevent compiler warning. Thanks Mike Pall for the patch.
- Bump copyright date. Thanks Mike Pall for the patch.
- Force fallback source name for stripped bytecode. Thanks Mike Pall for the patch.
- Remove dependency on <limits.h>. Thanks Mike Pall for the patch.
- Restore state when recording __concat metamethod throws OOM. Thanks Mike Pall for the patch.
- MIPS64: Fix pcall() error case. Thanks Mike Pall for the patch.
- Fix detection of inconsistent renames due to sunk values. Thanks Mike Pall for the patch.
- Windows: Allow amalgamated static builds with msvcbuild.bat. Thanks Mike Pall for the patch.
- Always close profiler output file. Thanks Mike Pall for the patch.
- Fix override of INSTALL_LJLIBD in the presence of DESTDIR. Thanks Mike Pall for the patch.
- Fix bit op coercion for shifts in DUALNUM builds. Thanks Mike Pall for the patch.
- macOS: Remove obsolete -single_module flag. Thanks Mike Pall for the patch.
- macOS: Workaround for buggy XCode 15.0 - 15.2 linker. Thanks Mike Pall for the patch.
- macOS: Fix macOS 15 / Clang 16 build. Thanks Mike Pall for the patch.
- Fix bit op coercion in DUALNUM builds. Thanks Mike Pall for the patch.
- Fix compiliation of getmetatable() for UDTYPE_IO_FILE. Thanks Mike Pall for the patch.
- Remove ancient RtlUnwindEx workaround for MinGW64. Thanks Mike Pall for the patch.
- Drop unused function wrapper. Thanks Mike Pall for the patch.
- Fix limit check in narrow_conv_backprop(). Thanks Mike Pall for the patch.
- Always use IRT_NIL for IR_TBAR. Thanks Mike Pall for the patch.
- ARM64: Use ldr literal to load FP constants. Thanks Mike Pall for the patch.
- FFI: Add missing coercion when recording 64-bit bit.*(). Thanks Mike Pall for the patch.
- ARM64: Make tobit conversions match JIT backend behavior. Thanks Mike Pall for the patch.
- ARM: Make hard-float tobit conversions match JIT backend behavior. Thanks Mike Pall for the patch.
- FFI: Drop finalizer table rehash after GC cycle. Thanks Mike Pall for the patch.
- Fix another potential file descriptor leak in luaL_loadfile*(). Thanks Mike Pall for the patch.
- MIPS32: Fix little-endian IR_RETF. Thanks Mike Pall for the patch.
- Correctly close VM state after early OOM during open. Thanks Mike Pall for the patch.
- Fix potential file descriptor leak in luaL_loadfile*(). Thanks Mike Pall for the patch.
Version 1.27.1.1 - 16 Oct 2024
- upgraded the nginx core to 1.27.1
- see the changes here: http://nginx.org/en/CHANGES
- upgraded lua-nginx-module to 0.10.27
- bugfix: fixed keepalive error in cosocket. Thanks lijunlong for the patch.
- bugfix: ensure compatibility with older nginx versions lacking TLS 1.3 support. Thanks lijunlong for the patch.
- bugfix: initialize ASN1_GENERALIZEDTIME pointers in ssl_validate_ocsp_response. Thanks lijunlong for the patch.
- bugfix: nginx crashed when binding local address failed from lua. Thanks lijunlong for the patch.
- bugfix: treat shared dict entries with TTL of 0 as expired. Thanks lijunlong for the patch.
- bugfix: let
balancer.recreate_requestAPI work for body data changed case. Thanks Jun Ouyang for the patch. - feature: add support for SSL trusted certificates in client verification. Thanks xiangwei for the patch.
- bugfix: respect max retry after using balancer pool. Thanks kurt for the patch.
- feature: support ngx.location.capture and ngx.location.capture_multi with
headersoption. Thanks Tinglong Yang for the patch. - bugfix: undefined symbol
SSL_client_hello_get0_extwhen linking against libressl. Thanks lijunlong for the patch. - bugfix: fixed compilation errors when building without SSL. Thanks Johnny Wang for the patch.
- change: should match the local address when get connection from the keepalive pool. Thanks lijunlong for the patch.
- feature: implemented keepalive pooling in
balancer_by_lua*. Thanks lijunlong for the patch. - bugfix: prevent main thread access to freed fake request in init_worker. Thanks fesily for the patch.
- bugfix: preserve lua-nginx-module context when
ngx.send_header()triggers filter_finalize. Thanks Jun Ouyang for the patch. - bugfix: fix config test for signalfd with gcc 11. Thanks Jiří Setnička for the patch.
- bugfix: worker thread Lua VM may take lots of memory. Thanks lijunlong for the patch.
- bugfix: ensure proper connection closure when setting empty body before last chunk. Thanks Liu Wei for the patch.
- bugfix: wrong arguments of
setkeepalive()result in the compromise of data integrity. Thanks lijunlong for the patch. - bugfix: Fixing compatibility issues with BoringSSL. Thanks lijunlong for the patch.
- feature: validate and expose nextUpdate field in OCSP response. Thanks Elvin Efendi for the patch.
- feature: add support for deriving key from tls master secret. Thanks bas-vk for the patch.
- feature: add UDP cosocket bind api. Thanks syz for the patch.
- bugfix: fixed HTTP HEAD request smuggling issue. Thanks lijunlong for the patch.
- optimize: allow to reenable the tls for the upstream. Thanks lijunlong for the patch.
- feature: add FFI function for
balancer.disable_ssl(). Thanks lijunlong for the patch. - bugfix: correct offset vector memory allocation size for PCRE2. Thanks Zhongwei Yao for the patch.
- feature: implemented
ngx_http_lua_ffi_ssl_client_random. Thanks Ruidong-X for the patch. - bugfix: fix memory corruption in consecutive regex calls. Thanks Zhongwei Yao for the patch.
- feature: add
ngx_http_lua_ffi_parse_der_certandngx_http_lua_ffi_parse_der_keyfunctions. Thanks Brian Rak for the patch.
- upgraded stream-lua-nginx-module to 0.0.15
- bugfix: fixed keepalive error in cosocket. Thanks lijunlong for the patch.
- bugfix: treat shared dict entries with TTL of 0 as expired. Thanks lijunlong for the patch.
- feature: add support for SSL trusted certificates in client verification. Thanks xiangwei for the patch.
- feature: support lua balancer set proxy bind dynamic Thanks ytlm for the patch.
- bugfix: check for SSL context instead of listen flag for nginx 1.25.5+ compatibility. Thanks Konstantin Pavlov for the patch.
- bugfix: wrong arguments of setkeepalive() result in the compromise of data integrity. Thanks lijunlong for the patch.
- bugfix: correct offset vector memory allocation size for PCRE2. Thanks Zhongwei Yao for the patch.
- feature: implemented
ngx_stream_lua_ffi_ssl_client_random. Thanks Ruidong-X for the patch. - bugfix: wrong argument for
pcre2_match. Thanks lijunlong for the patch. - feature: add functions to parse DER formatted certificates/keys. Thanks Brian Rak for the patch.
- changes: remove the useless pcre config. Thanks swananan for the patch.
- upgraded lua-resty-core to 0.1.29
- feature: add ssl_trusted_certificate argument for
ssl.verify_client(). Thanks xiangwei for the patch. - feature: add
balancer.bind_to_local_addrfor stream module. Thanks ytlm for the patch. - feature: makes outgoing connections to a proxied server originate from the specified local IP address with an optional port. Thanks lijunlong for the patch.
- feature: implemented keepalive pooling in
balancer_by_lua*. Thanks lijunlong for the patch. - bugfix: initialize next_update pointer to avoid potential stale values. Thanks YanLIU for the patch.
- optimize: localize tonumber for
ngx.worker.pids. Thanks Chrono for the patch. - feature:
validate_ocsp_responseshould return nextUpdate if available. Thanks Elvin Efendi for the patch. - feature: add
ssl.get_req_ssl_pointer. Thanks James Callahan for the patch. - feature: add support for exporting key material to derive keys from the tls master secret. Thanks bas-vk for the patch.
- feature: add
balancer.set_upstream_tls(on). Thanks lijunlong for the patch. - feature: add
ssl.get_client_random. Thanks Ruidong-X for the patch. - optimize: explicit requirement to use bash. Thanks lynch for the patch.
- feature: add
parse_der_certandparse_der_priv_keyfunctions. Thanks Brian Rak for the patch.
- feature: add ssl_trusted_certificate argument for
- upgraded lua-resty-websocket to 0.12
- feature: add
send_continuemethod. Thanks Toru for the patch. - feature:
client:connect()returns HTTP response header. Thanks Michael Martin for the patch. - feature: custom sec-websocket-key in client. Thanks Michael Martin for the patch.
- feature: add support for discrete send/recv payload limits in WebSocket client. Thanks Michael Martin for the patch.
- feature: support custom host header in client. Thanks flrgh for the patch.
- feature: support connecting to unix sockets. Thanks Petter Berven for the patch.
- optimization: check ssl_support early. Thanks Michael Martin for the patch.
- feature: add
- upgraded lua-resty-redis to v0.31
- optimize: cache the table for sending requests. Thanks lijunlong for the patch.
- upgraded lua-resty-string to 0.16
- feature: add AAD support in aes gcm. Thanks wzxjohn for the patch.
- change: make
random.bytescryptographically strong by default. Thanks rfl890 for the patch.
- upgraded lua-cjson to 2.1.0.14
- feature: Lua 5.3 + 5.4 integer support, with CI and conflicts fixed. Thanks Hisham Muhammad for the patch.
- bugfix: bus error or SIGSEGV caused by encode not keep buffer. Thanks hyw0810 for the patch.
- upgraded lua-resty-signal to 0.04
- bugfix: handle '?.so' in package.cpath. Thanks Michael Martin for the patch.
- upgraded lua-resty-lrucache to v0.14
- optimize: echo warning message when install this library to "/usr/local/lib/lua/" and copy installation guide from lua_resty_core module. Thanks lynch for the patch.
- upgraded rds-json-nginx-module to 0.17
- bugfix: failed to compilation on rockylinux 9. Thanks lijunlong for the patch.
- upgraded luajit2 to 2.1-20240815
- Reflect override of INSTALL_LJLIBD in package.path.
- ARM64: Use movi to materialize FP constants.
- Add more FOLD rules for integer conversions.
- Different fix for partial snapshot restore due to stack overflow. Reported by Junlong Li. Fixed by Peter Cawley.
- change: disable hash computation optimization in the OpenResty branch (agentzh-v2.1) due to the possibility of severe performance degradation (CVE-2024-39702). This issue is specific to our branch and does not affect upstream LuaJIT. Thanks to Zhongwei Yao from Kong Inc. for reporting this issue. Thanks lijunlong for the patch.
- bugfix: Enabled ppc64le arch on travis and fixed one failing test case. Thanks Alhad Deshpande for the patch.
- Prevent sanitizer warning in snap_restoredata().
- Limit number of string format elements to compile.
- FFI: Clarify scalar boxing behavior.
- OSX/iOS: Fix SDK incompatibility.
- Windows/MSVC: Cleanup msvcbuild.bat and always generate PDB.
- Fix segment release check in internal memory allocator.
- FFI: Turn FFI finalizer table into a proper GC root.
- OSX/iOS: Always generate 64 bit non-FAT Mach-O object files.
- Show name of NYI bytecode in -jv and -jdump.
- Use generic trace error for OOM during trace stitching.
- feature: add s390x disassembler. Thanks Aditya Bisht for the patch.
- Handle all types of errors during trace stitching.
- Fix recording of __concat metamethod.
- Prevent down-recursion for side traces.
- Check frame size limit before returning to a lower frame.
- FFI: Treat cdata finalizer table as a GC root.
- Handle stack reallocation in debug.setmetatable() and lua_setmetatable().
- optimize: [ppc64le] Aligned code as per other archs for next_1 function and relevant code changes. Thanks Alhad Deshpande for the patch.
- Rework stack overflow handling.
- Preserve keys with dynamic values in template tables when saving bytecode.
- Prevent include of luajit_rolling.h.
- Fix zero stripping in %g number formatting.
- Fix unsinking of IR_FSTORE for NULL metatable.
- DynASM/x86: Add endbr instruction.
- MIPS64 R2/R6: Fix FP to integer conversions.
- Add cross-32/64 bit and deterministic bytecode generation.
- DynASM/x86: Allow [&expr] operand.
- Check for IR_HREF vs. IR_HREFK aliasing in non-nil store check.
- Respect jit.off() on pending trace exit.
- Simplify handling of instable types in TNEW/TDUP load forwarding.
- Only emit proper parent references in snapshot replay.
- Fix anchoring for string buffer set() method (again).
- ARM: Fix stack restore for FP slots.
- Document workaround for multilib vs. cross-compiler conflict.
- Fix anchoring for string buffer set() method.
- Fix runtime library flags for MSVC debug builds.
- Fix .debug_abbrev section in GDB JIT API.
- Optimize table.new() with constant args to (sinkable) IR_TNEW.
- Emit sunk IR_NEWREF only once per key on snapshot replay.
