NGINX 1.29.7 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.5, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.7 Mainline with HTTP/3 support, Multipath TCP support, and an HTTP/1.1 default for proxied connections with keep-alive enabled has been added to the EL7, EL8, EL9 and EL10 repositories. The Brotli compression module from Google, HTTP/2, ngx_cache_purge and ngx_http_geoip2 modules are added or built in. OpenSSL is built dynamically from official OpenSSL 3.5.1 with QUIC support.

nginx-1.29.7 mainline version has been released, introducing two significant updates: support for Multipath TCP and upgrading the default HTTP version to HTTP/1.1 with keep-alive enabled. This release also includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

*) Security: a buffer overflow might occur while handling a COPY or MOVE request in a location with "alias", allowing an attacker to modify the source or destination path outside of the document root (CVE-2026-27654). Thanks to Calif.io in collaboration with Claude and Anthropic Research.

*) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module on 32-bit platforms might cause a worker process crash, or might have potential other impact (CVE-2026-27784). Thanks to Prabhav Srinath (sprabhav7).

*) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash, or might have potential other impact (CVE-2026-32647). Thanks to Xint Code and Pavel Kohout (Aisle Research).

*) Security: a segmentation fault might occur in a worker process if the CRAM-MD5 or APOP authentication methods were used and authentication retry was enabled (CVE-2026-27651). Thanks to Arkadi Vainbrand.

*) Security: an attacker might use PTR DNS records to inject data in auth_http requests, as well as in the XCLIENT command in the backend SMTP connection (CVE-2026-28753). Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou University).

*) Security: SSL handshake might succeed despite OCSP rejecting a client certificate in the stream module (CVE-2026-28755). Thanks to Mufeed VH of Winfunc Research.

*) Feature: the "multipath" parameter of the "listen" directive.

*) Feature: the "local" parameter of the "keepalive" directive in the "upstream" block.

*) Change: now the "keepalive" directive in the "upstream" block is enabled by default.

*) Change: now ngx_http_proxy_module supports keepalive by default; the default value for "proxy_http_version" is "1.1"; the "Connection" proxy header is not sent by default anymore.

*) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream if buffered body was used in the ngx_http_grpc_module.
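The feature and change entries above alter what nginx does when a configuration says nothing: upstream keep-alive is on, proxied requests use HTTP/1.1, and no "Connection" header is sent. The fragment below is an added example, not from the original post or the nginx project, that spells those values out so a server behaves the same whether or not it relied on the old implicit defaults. Directive names come from the changelog; the placement of "multipath" on "listen", the server name, the certificate paths and the keep-alive pool size are assumptions or placeholders.

```nginx
# Added example: an http{} fragment making the nginx 1.29.7 defaults explicit.
# Hostnames and paths are constructed placeholders.

http {
    upstream app_backend {
        server 127.0.0.1:8080;
        # 1.29.7: "keepalive" in an upstream block is now on by default.
        # Spelling it out keeps the idle-connection pool size under explicit
        # control (32 is an assumed value, tune to the backend).
        keepalive 32;
    }

    server {
        # Multipath TCP listener: "multipath" is the new listen parameter
        # in 1.29.7 (exact placement assumed from the changelog wording).
        listen 443 ssl multipath;
        server_name example.test;

        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://app_backend;
            # 1.29.7: proxy_http_version now defaults to 1.1 and nginx no
            # longer sends a "Connection" header of its own. Setting both
            # explicitly documents the intent and keeps upstream keep-alive
            # working on older builds of this package as well.
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }

        location /ws/ {
            # WebSocket: the Upgrade/Connection pair must still be set by
            # hand; the new default of sending no "Connection" header does
            # not do this for you.
            proxy_pass http://app_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

Validate with `nginx -t` before reloading, and use `nginx -V` to confirm the build actually contains the modules listed at the top of this post (Brotli, ngx_cache_purge, ngx_http_geoip2) and the OpenSSL version it was linked against.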
