NGINX 1.30.4 Stable with Brotli, TLS 1.3, OpenSSL 4.0.1, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.30.4 Stable with HTTP/3 support added to EL7, EL8, EL9 and EL10 repositories. Brotli compression module from Google, http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is built dynamically using official OpenSSL 4.0.1 with QUIC support.

Major changes:

    *) Security: heap buffer overflow might occur in a worker process when using the map directive with regex matching if the map variable was included in a string expression after a capture affected by this map; 
       a similar issue might happen when using a non-cacheable variable in a string expression (CVE-2026-42533).
       Thanks to Mufeed VH of Winfunc Research and Maxim Dounin.

    *) Security: uninitialized memory access might occur when using unnamed regex captures with the "slice" directive or background cache update, which could result in worker process memory disclosure or worker process termination (CVE-2026-60005).

    *) Security: use-after-free might occur when processing a specially crafted proxied backend response with the ngx_http_ssi_filter_module (CVE-2026-56434).
       Thanks to P4P3R-HAK.

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *