Автор: Alexander Gerasimov

Apache httpd 2.4.66 with brotli support, TLS 1.3, OpenSSL 3.5.4 with http2, mod_http2 2.0.35 and ALPN for Red Hat Enterprise Linux, CentOS 7, Alma Linux, Rocky Linux 8/9/10 fixing CVE-2025-66200, CVE-2025-65082, CVE-2025-59775, CVE-2025-58098, CVE-2025-55753

Apache httpd 2.4.66 added to the repository.

Changes: 

  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
     bypass via AllowOverride FileInfo (cve.mitre.org)
     mod_userdir+suexec bypass via AllowOverride FileInfo
     vulnerability in Apache HTTP Server. Users with access to use
     the RequestHeader directive in htaccess can cause some CGI
     scripts to run under an unexpected userid.
     This issue affects Apache HTTP Server: from 2.4.7 through
     2.4.65.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Mattias Г…sander (UmeГҐ University)

  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
     variable override (cve.mitre.org)
     Improper Neutralization of Escape, Meta, or Control Sequences
     vulnerability in Apache HTTP Server through environment
     variables set via the Apache configuration unexpectedly
     superseding variables calculated by the server for CGI programs.
     This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
     Users are recommended to upgrade to version 2.4.66 which fixes
     the issue.
     Credits: Mattias Г…sander (UmeГҐ University)

  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
     Windows through UNC SSRF (cve.mitre.org)
     Server-Side Request Forgery (SSRF) vulnerability
     В in Apache HTTP Server on Windows
     with AllowEncodedSlashes OnВ and MergeSlashes OffВ  allows to
     potentially leak NTLM
     hashes to a malicious server via SSRF and malicious requests or
     content
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
     Includes adds query string to #exec cmd=... (cve.mitre.org)
     Apache HTTP Server 2.4.65 and earlier with Server Side Includes
     (SSI) enabled and mod_cgid (but not mod_cgi) passes the
     shell-escaped query string to #exec cmd="..." directives.
     This issue affects Apache HTTP Server before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Anthony Parfenov (United Rentals, Inc.)

  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
     unintended retry intervals (cve.mitre.org)
     An integer overflow in the case of failed ACME certificate
     renewal leads, after a number of failures (~30 days in default
     configurations), to the backoff timer becoming 0. Attempts to
     renew the certificate then are repeated without delays until it
     succeeds.
     This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
     Users are recommended to upgrade to version 2.4.66, which fixes
     the issue.
     Credits: Aisle Research

  *) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
     [Stefan Eissing]

  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
     integers, used in push diaries and proxy window size calculations.
     PR69741 [Benjamin P. Kallus]

  *) mod_md: update to version 2.6.5
     - New directive `MDInitialDelay`, controlling how longer to wait after
       a server restart before checking certificates for renewal.
       [Michael Kaufmann]
     - Hardening: when build with OpenSSL older than 1.0.2 or old libressl
       versions, the parsing of ASN.1 time strings did not do a length check.
     - Hardening: when reading back OCSP responses stored in the local JSON
       store, missing 'valid' key led to uninitialized values, resulting in
       wrong refresh behaviour.

  *) mod_md: update to version 2.6.6
     - Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
     - Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]

  *) mod_http2: update to version 2.0.35
     New directive `H2MaxStreamErrors` to control how much bad behaviour
     by clients is tolerated before the connection is closed.
     [Stefan Eissing]

  * mod_proxy_http2: add support for ProxyErrorOverride directive. PR69771

  *) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify
     the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
     [Ruediger Pluem]

  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
     host compatibility policy.  PR 69743.  [Joe Orton]

  *) mod_md: update to version 2.6.2
     - Fix error retry delay calculation to not already doubling the wait
       on the first error.

  *) mod_md: update to version 2.6.1
     - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
       traffic on errored renewals for the ACME CA. This leads to error retries
        of 30s, 1 minute, 2, 4, etc. up to daily attempts.
     - Checking that configuring `MDRetryDelay` will result in a positive
       duration. A delay of 0 is not accepted.
     - Fix a bug in checking Content-Type of responses from the ACME server.
     - Added ACME ARI support (rfc9773) to the module. Enabled by default. New
       directive "MDRenewViaARI on|off" for controlling this.
     - Removing tailscale support. It has not been working for a long time
       as the company decided to change their APIs. Away with the dead code,
       documentation and tests.
     - Fixed a compilation issue with pre-industrial versions of libcurl.

ngtcp2 1.18.0, nghttp3 1.13.1 rpms released

ngtcp2 1.18.0, nghttp3 1.13.1 rpms released and added to all supported platforms.

All the libraries stack built with OpenSSL 3.5.4, including ngtcp2 (quic client name changed from qtlsclient to osslclient).

Delivery of nghttp3 1.13.0 was cancelled because the release was broken for ARM due to bug #414 (reported and fixed).

NGINX 1.29.3 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.3 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

SSL: support for compressed server certificates with BoringSSL. by @pluknet in #823
HTTP CONNECT infrastructure by @arut in #935
Upstream: reset local address in case of error. by @arut in #942
SSL: $ssl_sigalg, $ssl_client_sigalg. by @pluknet in #932, initial work by @willmafh in #554
Geo: the «volatile» parameter. by @dplotnikov-f5 in #943
Inheritance control for add_header and add_trailer. by @arut in #918
OCSP: fixed invalid type for the ‘ssl_ocsp’ directive. by @roman-f5 in #938
Fixed compilation warnings on Windows after c93a0c4. by @arut in #954
Modules compatibility: increased compat section size. by @arut in #952
nginx-1.29.3 changes by @arut in #953

openssl 3.5.4 rpms released

openssl 3.5.4 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, RedHat Enterprise Linux RHEL, Oracle Linux).

CVE-2025-9230 — Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
CVE-2025-9231 — Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
CVE-2025-9232 — Fix Out-of-bounds read in HTTP client no_proxy handling.

OpenSSL 3.5 is a release featuring QUIC server support.

We continue to build libs with quic support as a separate non-conflicting package openssl-quic-libs, files have separate .so.81.3 suffix to avoid conflicts with the official .so.3.

NGINX 1.29.2 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.1, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.2 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.1 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

Added a previously missed changes entry in 1.29.1 relnotes. by @pluknet in #844
Removed legacy charset directive from default config example. by @MohamedKarrab in #829
QUIC: fixed ssl_reject_handshake error handling. by @pluknet in #889
Updated link to xslscript. by @pluknet in #854
Fixed inaccurate index directive error report by @willmafh in #881
SNI: using ClientHello callback. by @pluknet in #562
AWS-LC support changes by @pluknet in #848
Upstream: overflow detection in Cache-Control delta-seconds. by @pluknet in #898
Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. by @pluknet in #893
SSL: fixed «key values mismatch» with object cache inheritance. by @pluknet in #740
nginx-1.29.2 changes by @pluknet in #919

ngtcp2 1.16.0, nghttp3 1.12.0 rpms released

ngtcp2 1.16.0, nghttp3 1.12.0 rpms released and added to all supported platforms.

All the libraries stack built with OpenSSL 3.5.1, including ngtcp2 (quic client name changed from qtlsclient to osslclient).

Delivery of ngtcp2 for EL9 delayed because of build errors, other platforms received packages on 24.09.2025.