openssl 3.5.5 rpms released

OpenSSL 3.5.5 RPMs have been released and added to all supported platforms (Alma Linux, Rocky Linux, Red Hat Enterprise Linux (RHEL), Oracle Linux).

Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)

Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)

Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)

Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB (CVE-2025-15469)

Fixed TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)

Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)

Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)

Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)

Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)

Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function (CVE-2025-69421)

Fixed Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)

Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

OpenSSL 3.5 is a release featuring QUIC server support.

We continue to build the libraries with QUIC support as a separate, non-conflicting package, openssl-quic-libs. Its files carry a separate .so.81.3 suffix to avoid conflicts with the official .so.3.

NGINX 1.29.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.5 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as those are compiled against the quictls project, which has its own APIs. To upgrade the OpenSSL QUIC libs, please use nginx >= 1.29.0.

*) Security: an attacker might inject plain text data in the response from an SSL backend (CVE-2026-1642).

*) Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend.

*) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream.

*) Bugfix: a response with multiple ranges might be larger than the source response.

*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and uwsgi backends.

*) Bugfix: fixed warning when compiling with MSVC 2022 x86.

*) Change: the logging level of the "ech_required" SSL error has been lowered from "crit" to "info".

NGINX 1.28.2 Stable with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.28.2 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.

*) Security: an attacker might inject plain text data in the response
   from an SSL backend (CVE-2026-1642).

*) Bugfix: use-after-free might occur after switching to the next gRPC
   or HTTP/2 backend.

*) Bugfix: fixed warning when compiling with MSVC 2022 x86.

SSHOQ (ex-SSH3) 0.1.10 test package added

Fast and secure SSHOQ (shell over QUIC or HTTP/3) 0.1.10 test packages (ssh3 client and ssh3-server) added to EL8/EL9/EL10 repo for aarch64 and x86_64.

Please note that a name change occurred.

Project page: https://github.com/h4sh5/sshoq

x86_64:

https://repo.codeit.guru/packages/testing/8/x86_64/sshoq-0.1.10-1.codeit.el8.x86_64.rpm

https://repo.codeit.guru/packages/testing/8/x86_64/sshoq-server-0.1.10-1.codeit.el8.x86_64.rpm

aarch64:

https://repo.codeit.guru/packages/testing/8/x86_64/sshoq-0.1.10-1.codeit.el8.aarch64.rpm

https://repo.codeit.guru/packages/testing/8/x86_64/sshoq-server-0.1.10-1.codeit.el8.aarch64.rpm

NGINX 1.28.1 Stable with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.28.1 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.

*) Security: processing of a specially crafted login/password when using
   the "none" authentication method in the ngx_mail_smtp_module might
   cause worker process memory disclosure to the authentication server
   (CVE-2025-53859).

*) Bugfix: a segmentation fault might occur in a worker process if the
   "try_files" directive and "proxy_pass" with a URI were used.

*) Bugfix: in handling "Host" and ":authority" header lines with equal
   values when using HTTP/2; the bug had appeared in 1.17.9.

*) Bugfix: in handling "Host" header lines with a port when using
   HTTP/3.

*) Bugfix: an XCLIENT command didn't use the xtext encoding.
   Thanks to Igor Morgenstern of Aisle Research.

*) Bugfix: in SSL certificate caching during reconfiguration.

*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
   response header line.

*) Change: the native nginx/Windows binary release is now built using
   Windows SDK 10.

*) Bugfix: nginx could not be built on NetBSD 10.0.

*) Bugfix: in HTTP/3.

NGINX 1.29.4 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.4 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as those are compiled against the quictls project, which has its own APIs. To upgrade the OpenSSL QUIC libs, please use nginx >= 1.29.0.

Configure: ensure we get the “built by …” line in nginx -V. by @ac000 in #905
Adding support for pcre 10.47 by @thierryba in #963
SSL: changed interface of ngx_ssl_set_client_hello_callback(). by @pluknet in #968
SSL: fixed build with BoringSSL, broken by 38a701d. by @pluknet in #972
HTTP/2: extended guard for NULL buffer and zero length. by @pluknet in #978
Validate host by @pluknet in #966
Proxy: fixed segfault in URI change (issue #983). by @pluknet in #1004
OpenSSL ECH integration by @sftcd in #840
Update community health files by @alessfg in #727
SSL: avoid warning when ECH is not configured and not supported. by @QirunGao in #1011
Disabled bare LF in chunked transfer encoding. by @pluknet in #1016
HTTP/2 to upstream by @hongzhidao in #771
Quic: fixed segfault on handshake failure by @jeniksv in #1022