Метка: http3

nginx 1.29.5 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

*) Security: an attacker might inject plain text data in the                              response from an SSL backend (CVE-2026-1642).

*) Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend.

*) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream.

*) Bugfix: a response with multiple ranges might be larger than the
       source response.

*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and    uwsgi backends.

*) Bugfix: fixed warning when compiling with MSVC 2022 x86.

*) Change: the logging level of the "ech_required" SSL error has been        lowered from "crit" to "info".

nginx 1.28.2 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.

    *) Security: an attacker might inject plain text data in the response
       from an SSL backend (CVE-2026-1642).

    *) Bugfix: use-after-free might occur after switching to the next gRPC
       or HTTP/2 backend.

    *) Bugfix: fixed warning when compiling with MSVC 2022 x86.

nginx 1.28.1 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.

*) Security: processing of a specially crafted login/password when using
   the "none" authentication method in the ngx_mail_smtp_module might
   cause worker process memory disclosure to the authentication server
   (CVE-2025-53859).

*) Bugfix: a segmentation fault might occur in a worker process if the
   "try_files" directive and "proxy_pass" with a URI were used.

*) Bugfix: in handling "Host" and ":authority" header lines with equal
   values when using HTTP/2; the bug had appeared in 1.17.9.

*) Bugfix: in handling "Host" header lines with a port when using
   HTTP/3.

*) Bugfix: an XCLIENT command didn't use the xtext encoding.
   Thanks to Igor Morgenstern of Aisle Research.

*) Bugfix: in SSL certificate caching during reconfiguration.

*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
   response header line.

*) Change: the native nginx/Windows binary release is now built using
   Windows SDK 10.

*) Bugfix: nginx could not be built on NetBSD 10.0.

*) Bugfix: in HTTP/3.

nginx 1.29.4 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

Configure: ensure we get the «built by …» line in nginx -V. by @ac000 in #905
Adding support for pcre 10.47 by @thierryba in #963
SSL: changed interface of ngx_ssl_set_client_hello_callback(). by @pluknet in #968
SSL: fixed build with BoringSSL, broken by 38a701d. by @pluknet in #972
HTTP/2: extended guard for NULL buffer and zero length. by @pluknet in #978
Validate host by @pluknet in #966
Proxy: fixed segfault in URI change (issue #983). by @pluknet in #1004
OpenSSL ECH integration by @sftcd in #840
Update community health files by @alessfg in #727
SSL: avoid warning when ECH is not configured and not supported. by @QirunGao in #1011
Disabled bare LF in chunked transfer encoding. by @pluknet in #1016
HTTP/2 to upstream by @hongzhidao in #771
Quic: fixed segfault on handshake failure by @jeniksv in #1022

nginx 1.29.3 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

SSL: support for compressed server certificates with BoringSSL. by @pluknet in #823
HTTP CONNECT infrastructure by @arut in #935
Upstream: reset local address in case of error. by @arut in #942
SSL: $ssl_sigalg, $ssl_client_sigalg. by @pluknet in #932, initial work by @willmafh in #554
Geo: the «volatile» parameter. by @dplotnikov-f5 in #943
Inheritance control for add_header and add_trailer. by @arut in #918
OCSP: fixed invalid type for the ‘ssl_ocsp’ directive. by @roman-f5 in #938
Fixed compilation warnings on Windows after c93a0c4. by @arut in #954
Modules compatibility: increased compat section size. by @arut in #952
nginx-1.29.3 changes by @arut in #953