nghttp2 1.68.1 rpms released and added to all supported platforms.
Fixes CVE-2026-27135.
Метка: http2
NGINX 1.29.6 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.6, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10
nginx 1.29.6 Mainline with HTTP/3 support featuring sticky sessions support for upstreams added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.
Our OpenSSL 3.5.X builds break compatibility with nginx 1.28.1 and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.
*) Feature: session affinity support; the "sticky" directive in the "upstream" block of the "http" module; the "server" directive supports the "route" and "drain" parameters.
*) Change: now nginx limits the size and rate of QUIC stateless reset packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause the connection to terminate.
*) Bugfix: "[crit] cache file ... contains invalid header" messages might appear in logs when sending a cached HTTP/2 response.
*) Bugfix: proxying to scgi backends might not work when using chunked transfer encoding and the "scgi_request_buffering" directive. Thanks to Mufeed VH.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Andrew Lacambra.
*) Bugfix: nginx treated a comma as separator in the "Cookie" request header line when evaluating "$cookie_..." variables.
*) Bugfix: in IMAP command literal argument parsing.
mod_http2 v2.0.39 rpms released
mod_http2 v2.0.39 rpms released and added to all supported platforms.
Changes:
Remove streams own memory allocator after reports of memory problems
with third party modules.
mod_http2 v2.0.38 rpms released
mod_http2 v2.0.38 rpms released and added to all supported platforms.
Changes:
Source sync with httpd trunk version. No functional change.
NGINX 1.29.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10
nginx 1.29.5 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.
Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.
*) Security: an attacker might inject plain text data in the response from an SSL backend (CVE-2026-1642).
*) Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream.
*) Bugfix: a response with multiple ranges might be larger than the
source response.
*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and uwsgi backends.
*) Bugfix: fixed warning when compiling with MSVC 2022 x86.
*) Change: the logging level of the "ech_required" SSL error has been lowered from "crit" to "info".
NGINX 1.28.2 Stable with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10
nginx 1.28.2 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.
*) Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
*) Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
*) Bugfix: fixed warning when compiling with MSVC 2022 x86.ngtcp2 1.20.0, nghttp3 1.15.0 rpms released
ngtcp2 1.20.0, nghttp3 1.15.0 rpms released and added to all supported platforms.
All the libraries stack built with OpenSSL 3.5.4, including ngtcp2 (quic client name changed from qtlsclient to osslclient).
NGINX 1.28.1 Stable with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10
nginx 1.28.1 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.
*) Security: processing of a specially crafted login/password when using
the "none" authentication method in the ngx_mail_smtp_module might
cause worker process memory disclosure to the authentication server
(CVE-2025-53859).
*) Bugfix: a segmentation fault might occur in a worker process if the
"try_files" directive and "proxy_pass" with a URI were used.
*) Bugfix: in handling "Host" and ":authority" header lines with equal
values when using HTTP/2; the bug had appeared in 1.17.9.
*) Bugfix: in handling "Host" header lines with a port when using
HTTP/3.
*) Bugfix: an XCLIENT command didn't use the xtext encoding.
Thanks to Igor Morgenstern of Aisle Research.
*) Bugfix: in SSL certificate caching during reconfiguration.
*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
response header line.
*) Change: the native nginx/Windows binary release is now built using
Windows SDK 10.
*) Bugfix: nginx could not be built on NetBSD 10.0.
*) Bugfix: in HTTP/3.ngtcp2 1.19.0, nghttp3 1.14.0 rpms released
ngtcp2 1.19.0, nghttp3 1.14.0 rpms released and added to all supported platforms.
All the libraries stack built with OpenSSL 3.5.4, including ngtcp2 (quic client name changed from qtlsclient to osslclient).
mod_http2 v2.0.37 rpms released
mod_http2 v2.0.37 rpms released and added to all supported platforms.
Changes:
Prevent double purge of a stream, resulting in a double free.
Restore use of streams own memory allocator.