OpenResty 188.8.131.52 is a patch release addressing security
vulnerabilities in the HTTP/2 protocol which may cause excessive
memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
All previous NGINX cores supporting HTTP/2 are affected by this
issue (1.9.5 to 1.16.1). If you are serving HTTP/2 traffic with
*any* previous OpenResty release, upgrade to 184.108.40.206 or disable
Starting from this verison, we provide more official binary Yum/Apt
repositories for Red Hat Enterprise Linux (RHEL) 8 x86_64, OpenSUSE
Leap 15.1 x86_64, Debian 10 amd64, Fedora 30 x86_64, Amazon Linux 2
x86_64, and CentOS 7 aarch64 (arm64):
We will keep adding more official binary package repositories for
more Linux distributions in the future. However, we have
discontinued the maintainence of the official Apt repositories for
i386 Ubuntu systems due to the lack of interest from the community.
We also upgrade the PCRE and OpenSSL in our official Win32 and Win64
binary packages to their latest versions, 8.43 and 1.1.0k,
The (portable) source code distribution, the Win32/Win64 binary
distributions, and the pre-built binary Linux packages for Ubuntu,
Debian, Fedora, CentOS, RHEL, OpenSUSE, Amazon Linux are provided on
this Download page.
This is the second OpenResty release based on the nginx 1.15.8 core.
We wish to thank the Netflix and Google security teams for their
efforts in discovering these vulnerabilities, as well as the NGINX
team for promptly patching them.
Thanks Thibault Charbonnier for helping this release.
* bugfix: applied the nginx core patch for new HTTP/2 security
advisories (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).
Complete change logs since the last (formal) release, 220.127.116.11, can
be browsed in the page Change Log for 1.15.8.x:
We also always run our OpenResty Edge commercial software based on
the latest open source version of OpenResty in our own global CDN
network (dubbed "mini CDN") powering our openresty.org and
openresty.com websites. See https://openresty.com/ for more details.