Метка: http2

NGINX 1.29.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.5 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

*) Security: an attacker might inject plain text data in the                              response from an SSL backend (CVE-2026-1642).

*) Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend.

*) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream.

*) Bugfix: a response with multiple ranges might be larger than the
       source response.

*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and    uwsgi backends.

*) Bugfix: fixed warning when compiling with MSVC 2022 x86.

*) Change: the logging level of the "ech_required" SSL error has been        lowered from "crit" to "info".

NGINX 1.28.2 Stable with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.28.2 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.

    *) Security: an attacker might inject plain text data in the response
       from an SSL backend (CVE-2026-1642).

    *) Bugfix: use-after-free might occur after switching to the next gRPC
       or HTTP/2 backend.

    *) Bugfix: fixed warning when compiling with MSVC 2022 x86.

NGINX 1.28.1 Stable with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.28.1 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.

*) Security: processing of a specially crafted login/password when using
   the "none" authentication method in the ngx_mail_smtp_module might
   cause worker process memory disclosure to the authentication server
   (CVE-2025-53859).

*) Bugfix: a segmentation fault might occur in a worker process if the
   "try_files" directive and "proxy_pass" with a URI were used.

*) Bugfix: in handling "Host" and ":authority" header lines with equal
   values when using HTTP/2; the bug had appeared in 1.17.9.

*) Bugfix: in handling "Host" header lines with a port when using
   HTTP/3.

*) Bugfix: an XCLIENT command didn't use the xtext encoding.
   Thanks to Igor Morgenstern of Aisle Research.

*) Bugfix: in SSL certificate caching during reconfiguration.

*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
   response header line.

*) Change: the native nginx/Windows binary release is now built using
   Windows SDK 10.

*) Bugfix: nginx could not be built on NetBSD 10.0.

*) Bugfix: in HTTP/3.

NGINX 1.29.4 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.4 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

Configure: ensure we get the «built by …» line in nginx -V. by @ac000 in #905
Adding support for pcre 10.47 by @thierryba in #963
SSL: changed interface of ngx_ssl_set_client_hello_callback(). by @pluknet in #968
SSL: fixed build with BoringSSL, broken by 38a701d. by @pluknet in #972
HTTP/2: extended guard for NULL buffer and zero length. by @pluknet in #978
Validate host by @pluknet in #966
Proxy: fixed segfault in URI change (issue #983). by @pluknet in #1004
OpenSSL ECH integration by @sftcd in #840
Update community health files by @alessfg in #727
SSL: avoid warning when ECH is not configured and not supported. by @QirunGao in #1011
Disabled bare LF in chunked transfer encoding. by @pluknet in #1016
HTTP/2 to upstream by @hongzhidao in #771
Quic: fixed segfault on handshake failure by @jeniksv in #1022

mod_http2 v2.0.36 rpms released

mod_http2 v2.0.36 rpms released and added to all supported platforms.

Changes:

Revert change from v2.0.33 that gave streams their own memory
allocator after report of problems in PR 69899.

Hardening: use nghttp2 supplied length when checking trailers.