Alexander Gerasimov – CodeIT Technical blog

NGINX 1.28.0 Stable with Brotli, TLS 1.3, OpenSSL 3.0.16, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

nginx 1.28.0 Stable with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.16.

Incorporating new features and bug fixes from the 1.27.x mainline branch — including memory usage and CPU usage optimizations in complex SSL configurations, automatic re‑resolution of hostnames in upstream groups, performance enhancements in QUIC, OCSP validation of client SSL certificates and OCSP stapling support in the stream module, variables support in the proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and uwsgi_limit_rate directives, the proxy_pass_trailers directive, and more.

NGINX 1.27.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.16, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

nginx 1.27.5 Mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.16.

Featuring CUBIC congestion control in QUIC connections and bugfixes in ssl_curves and ssl password files; Performance improvements and bugfixes in HTTP/3

ngtcp2 1.12.0, nghttp3 1.9.0 rpms released

ngtcp2 1.12.0, nghttp3 1.9.0 rpms released and added to all supported platforms

mod_http2 v2.0.31 rpms released

mod_http2 v2.0.31 rpms released and added to all supported platforms.

Changes:

mod_proxy_http2: revert r1912193 for detecting broken backend connection as this interferes with backend selection who a node is unresponsive. PR69624.
Fix issue with handling 304 responses from mod_cache. PR69580.

httpd mod_http2 v2.0.30 rpms released

mod_http2 v2.0.30 rpms released and added to all supported platforms.

Changes:

Fixed bug in handling over long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
Added new directive H2MaxHeaderBlockLen to set the limit on response
header sizes.
Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.

nghttp2 1.65.0 rpms released

nghttp2 1.65.0 rpms released and added to all supported platforms

ngtcp2 1.11.0, nghttp3 1.8.0 rpms released

ngtcp2 1.11.0, nghttp3 1.8.0 rpms released and added to all supported platforms

openssl+quic (quictls) 3.0.16 rpms released

openssl+quic (quictls) 3.0.16 rpms released and added to all supported platforms.

OpenSSL 3.0.16 is a security patch release.

This release incorporates the following bug fixes and mitigations:

Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)

Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

NGINX 1.27.4 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.15, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

nginx 1.27.4 Mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.15.

Featuring optimized resource usage for complex SSL configurations, and with a fix for the SSL session reuse vulnerability (CVE-2025-23419).

NGINX 1.26.3 Stable with Brotli, TLS 1.3, OpenSSL 3.0.15, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS 7/8/9, Rocky, Oracle, Alma Linux EL7/EL8/EL9

nginx 1.26.3 Stable with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.15.

Fixed CVE-2025-23419.