nginx 1.27.5 + njs 0.8.10

Changes with nginx 1.27.5                                        16 Apr 2025

    *) Feature: CUBIC congestion control in QUIC connections.

    *) Change: the maximum size limit for SSL sessions cached in shared
       memory has been raised to 8192.

    *) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file",
       and "uwsgi_ssl_password_file" directives when loading SSL
       certificates and encrypted keys from variables; the bug had appeared
       in 1.23.1.

    *) Bugfix: in the $ssl_curve and $ssl_curves variables when using
       pluggable curves in OpenSSL.

    *) Bugfix: nginx could not be built with musl libc.
       Thanks to Piotr Sikora.

    *) Performance improvements and bugfixes in HTTP/3.

nginx 1.27.4

Changes with nginx 1.27.4                                        05 Feb 2025

    *) Security: insufficient check in virtual servers handling with TLSv1.3
       SNI allowed to reuse SSL sessions in a different virtual server, to
       bypass client SSL certificates verification (CVE-2025-23419).

    *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
       "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
       "uwsgi_ssl_certificate_cache" directives.

    *) Feature: the "keepalive_min_timeout" directive.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts
       appeared in logs when using zlib-ng.

    *) Bugfix: nginx could not build libatomic library using the library
       sources if the --with-libatomic=DIR option was used.

    *) Bugfix: QUIC connection might not be established when using 0-RTT;
       the bug had appeared in 1.27.1.

    *) Bugfix: nginx now ignores QUIC version negotiation packets from
       clients.

    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
       ngx_http_v3_module.

    *) Bugfixes in HTTP/3.

nginx 1.27.3

What's Changed

• Use Link Time Optimization during compilation by @macbre in #153
• Use njs 0.8.7 by @macbre in #155
• quickjs: add the engine by @macbre in #156
• Add the zstd module by @macbre in #154
• nginx 1.27.3 by @macbre in #157

Full Changelog: v1.27.2...v1.27.3

nginx changelog

Changes with nginx 1.27.3                                        26 Nov 2024

    *) Feature: the "server" directive in the "upstream" block supports the
       "resolve" parameter.

    *) Feature: the "resolver" and "resolver_timeout" directives in the
       "upstream" block.

    *) Feature: SmarterMail specific mode support for IMAP LOGIN with
       untagged CAPABILITY response in the mail proxy module.

    *) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.

    *) Change: an IPv6 address in square brackets and no port can be
       specified in the "proxy_bind", "fastcgi_bind", "grpc_bind",
       "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as
       client address in ngx_http_realip_module.

    *) Bugfix: in the ngx_http_mp4_module.
       Thanks to Nils Bars.

    *) Bugfix: the "so_keepalive" parameter of the "listen" directive might
       be handled incorrectly on DragonFly BSD.

    *) Bugfix: in the "proxy_store" directive.

nginx 1.27.2

Changes with nginx 1.27.2                                        02 Oct 2024

    *) Feature: SSL certificates, secret keys, and CRLs are now cached on
       start or during reconfiguration.

    *) Feature: client certificate validation with OCSP in the stream
       module.

    *) Feature: OCSP stapling support in the stream module.

    *) Feature: the "proxy_pass_trailers" directive in the
       ngx_http_proxy_module.

    *) Feature: the "ssl_client_certificate" directive now supports
       certificates with auxiliary information.

    *) Change: now the "ssl_client_certificate" directive is not required
       for client SSL certificates verification.

nginx 1.27.1

Changes with nginx 1.27.1                                        14 Aug 2024

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module might cause a worker process crash
       (CVE-2024-7347).
       Thanks to Nils Bars.

    *) Change: now the stream module handler is not mandatory.

    *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old
       worker processes.
       Thanks to Kasei Wang.

    *) Bugfixes in HTTP/3.

nginx 1.27.0

Changes with nginx 1.27.0                                        29 May 2024

    *) Security: when using HTTP/3, processing of a specially crafted QUIC
       session might cause a worker process crash, worker process memory
       disclosure on systems with MTU larger than 4096 bytes, or might have
       potential other impact (CVE-2024-32760, CVE-2024-31079,
       CVE-2024-35200, CVE-2024-34161).
       Thanks to Nils Bars of CISPA.

    *) Feature: variables support in the "proxy_limit_rate",
       "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
       directives.

    *) Bugfix: reduced memory consumption for long-lived requests if "gzip",
       "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.

    *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
       option was used.
       Thanks to Edgar Bonet.

    *) Bugfixes in HTTP/3.

nginx 1.25.4 + njs 0.8.3 + headers-more-nginx-module 0.37

Changes with nginx 1.25.4                                        14 Feb 2024

    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).

    *) Bugfix: connections with pending AIO operations might be closed
       prematurely during graceful shutdown of old worker processes.

    *) Bugfix: socket leak alerts no longer logged when fast shutdown was
       requested after graceful shutdown of old worker processes.

    *) Bugfix: a socket descriptor error, a socket leak, or a segmentation
       fault in a worker process (for SSL proxying) might occur if AIO was
       used in a subrequest.

    *) Bugfix: a segmentation fault might occur in a worker process if SSL
       proxying was used along with the "image_filter" directive and errors
       with code 415 were redirected with the "error_page" directive.

    *) Bugfixes and improvements in HTTP/3.

What's Changed

• nginx 1.25.4 + njs 0.8.3 + headers-more-nginx-module 0.37 by @macbre in #135

Full Changelog: v1.25.3...v1.25.4

nginx 1.25.3 + uid and gid ARG for nginx user + fix nginx.pid file permissions

Changes with nginx 1.25.3                                        24 Oct 2023

    *) Change: improved detection of misbehaving clients when using HTTP/2.

    *) Feature: startup speedup when using a large number of locations.
       Thanks to Yusuke Nojima.

    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2 without SSL; the bug had appeared in 1.25.1.

    *) Bugfix: the "Status" backend response header line with an empty
       reason phrase was handled incorrectly.

    *) Bugfix: memory leak during reconfiguration when using the PCRE2
       library.
       Thanks to ZhenZhong Wu.

    *) Bugfixes and improvements in HTTP/3.

What's Changed

• Added uid and gid ARG for nginx user by @victor-sm in #123
• Fix for "nginx.pid failed (13: Permission denied)" error by @victor-sm in #125
• Update readme.md with example docker compose by @SkyZeroZx in #130
• Update Dockerfile: v1.25.3 by @macbre in #134

New Contributors

• @victor-sm made their first contribution in #123
• @SkyZeroZx made their first contribution in #130

Full Changelog: v1.25.2...v1.25.3

nginx 1.25.2 + njs 0.8.1

Changes with nginx 1.25.2                                        15 Aug 2023

    *) Feature: path MTU discovery when using HTTP/3.

    *) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
       HTTP/3.

    *) Change: now nginx uses appname "nginx" when loading OpenSSL
       configuration.

    *) Change: now nginx does not try to load OpenSSL configuration if the
       --with-openssl option was used to built OpenSSL and the OPENSSL_CONF
       environment variable is not set.

    *) Bugfix: in the $body_bytes_sent variable when using HTTP/3.

    *) Bugfix: in HTTP/3.

What's Changed

• Bump macbre/push-to-ghcr from 12 to 13 by @dependabot in #119
• Bump docker/build-push-action from 4 to 5 by @dependabot in #121
• Bump actions/checkout from 3 to 4 by @dependabot in #120
• nginx 1.25.2 + njs 0.8.1 by @macbre in #122

Full Changelog: v1.25.1...v1.25.2

nginx 1.25.1

The main code branch of nginx now features the still experimental HTTP/3 support.

Changes with nginx 1.25.1                                        13 Jun 2023

    *) Feature: the "http2" directive, which enables HTTP/2 on a per-server
       basis; the "http2" parameter of the "listen" directive is now
       deprecated.

    *) Change: HTTP/2 server push support has been removed.

    *) Change: the deprecated "ssl" directive is not supported anymore.

    *) Bugfix: in HTTP/3 when using OpenSSL.


Changes with nginx 1.25.0                                        23 May 2023

    *) Feature: experimental HTTP/3 support.

What's Changed

• fix: Update BoringSSL commit by @yo-han in #112
• nginx to 1.25.1, other updates, and update docs and configs. by @justdan6 in #113

New Contributors

• @yo-han made their first contribution in #112
• @justdan6 made their first contribution in #113

Full Changelog: v1.23.4...v1.25.1