Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Feature: the "multipath" parameter of the "listen" directive.
*) Feature: the "local" parameter of the "keepalive" directive in the
"upstream" block.
*) Change: now the "keepalive" directive in the "upstream" block is
enabled by default.
*) Change: now ngx_http_proxy_module supports keepalive by default; the
default value for "proxy_http_version" is "1.1"; the "Connection"
proxy header is not sent by default anymore.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream if buffered body was used in the
ngx_http_grpc_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: in the ngx_http_mp4_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
* Feature: session affinity support; the "sticky" directive in the
"upstream" block of the "http" module; the "server" directive supports
the "route" and "drain" parameters.
* Change: now nginx limits the size and rate of QUIC stateless reset
packets.
* Bugfix: receiving a QUIC packet by a wrong worker process could cause the
connection to terminate.
* Bugfix: "[crit] cache file ... contains invalid header" messages might
appear in logs when sending a cached HTTP/2 response.
* Bugfix: proxying to scgi backends might not work when using chunked
transfer encoding and the "scgi_request_buffering" directive.
* Bugfix: in the ngx_http_mp4_module.
* Bugfix: nginx treated a comma as separator in the "Cookie" request header
line when evaluating "$cookie_..." variables.
* Bugfix: in IMAP command literal argument parsing.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: copyright year bump.
Changelog:
1.29.5:
- Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
- Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream.
- Bugfix: a response with multiple ranges might be larger than the
source response.
- Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and
uwsgi backends.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
- Change: the logging level of the "ech_required" SSL error has been
lowered from "crit" to "info".
1.29.4:
- Feature: the ngx_http_proxy_module supports HTTP/2.
- Feature: Encrypted ClientHello TLS extension support when using
OpenSSL ECH feature branch; the "ssl_ech_file" directive.
Thanks to Stephen Farrell.
- Change: validation of host and port in the request line, "Host"
header field, and ":authority" pseudo-header field has been changed
to follow RFC 3986.
- Change: now a single LF used as a line terminator in a chunked
request or response body is considered an error.
- Bugfix: when using HTTP/3 with OpenSSL 3.5.1 or newer a segmentation
fault might occur in a worker process; the bug had appeared in
1.29.1.
Thanks to Jan Svojanovsky.
- Bugfix: a segmentation fault might occur in a worker process if the
"try_files" directive and "proxy_pass" with a URI were used.
1.29.3:
- Feature: the "add_header_inherit" and "add_trailer_inherit"
directives.
- Feature: the $request_port and $is_request_port variables.
- Feature: the $ssl_sigalg and $ssl_client_sigalg variables.
- Feature: the "volatile" parameter of the "geo" directive.
- Feature: now certificate compression is available with BoringSSL.
- Bugfix: now certificate compression is disabled with OCSP stapling.
1.29.2
- Feature: now nginx can be built with AWS-LC.
Thanks Samuel Chiang.
- Bugfix: now the "ssl_protocols" directive works in a virtual server
different from the default server when using OpenSSL 1.1.1 or newer.
- Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL
and client certificates and resuming a session with a different SNI
value; the bug had appeared in 1.27.4.
- Bugfix: the "ignoring stale global SSL error" alerts might appear in
logs when using QUIC and the "ssl_reject_handshake" directive; the
bug had appeared in 1.29.0.
Thanks to Vladimir Homutov.
- Bugfix: in delta-seconds processing in the "Cache-Control" backend
response header line.
- Bugfix: an XCLIENT command didn't use the xtext encoding.
Thanks to Igor Morgenstern of Aisle Research.
- Bugfix: in SSL certificate caching during reconfiguration.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
- Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop CVE patch which has been integrated into this new version.
Solves:
* CVE-2025-53859
CHANGES:
https://nginx.org/en/CHANGES-1.28
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-04-23
nginx-1.28.0 stable version has been released, incorporating new
features and bug fixes from the 1.27.x mainline branch - including
memory usage and CPU usage optimizations in complex SSL configurations,
automatic re‑resolution of hostnames in upstream groups, performance
enhancements in QUIC, OCSP validation of client SSL certificates and
OCSP stapling support in the stream module, variables support in the
proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and
uwsgi_limit_rate directives, the proxy_pass_trailers directive, and
more.
License-Update: copyright years refreshed and removed C-style comments
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
fastcgi, scgi and uwsgi are enabled by default in nginx. Provide an
option to disable these features (that reduces binary size by 8%).
Signed-off-by: Maxin John <maxin.john@gehealthcare.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nginx-1.26.0 stable version has been released, incorporating new
features and bug fixes from the 1.25.x mainline branch -
including experimental HTTP/3 support, HTTP/2 on a per-server basis
virtual servers in the stream module, passing stream connections to
listen sockets, and more.
License-Update: copyright years refreshed
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Providing the http sub module feature. The module works as a filter which
replaces a specific character string in a response with another character
string.
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upstream-Status: Backport from [6ceef192e7]
WARNING: nginx-1.24.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-44487)
This vulnerability exists between the following versions -> From(including) 1.9.5 Up to(including) 1.25.2
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
https://nginx.org/en/CHANGES
*) Change: improved detection of misbehaving clients when using HTTP/2.
*) Feature: startup speedup when using a large number of locations.
Thanks to Yusuke Nojima.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 without SSL; the bug had appeared in 1.25.1.
*) Bugfix: the "Status" backend response header line with an empty
reason phrase was handled incorrectly.
*) Bugfix: memory leak during reconfiguration when using the PCRE2
library.
Thanks to ZhenZhong Wu.
*) Bugfixes and improvements in HTTP/3.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option. The option is not added to the defaults.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
*) Feature: path MTU discovery when using HTTP/3.
*) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
HTTP/3.
*) Change: now nginx uses appname "nginx" when loading OpenSSL
configuration.
*) Change: now nginx does not try to load OpenSSL configuration if the
--with-openssl option was used to built OpenSSL and the OPENSSL_CONF
environment variable is not set.
*) Bugfix: in the $body_bytes_sent variable when using HTTP/3.
*) Bugfix: in HTTP/3.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
*) Feature: experimental HTTP/3 support.
License-Update: Copyright year updated to 2023.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
*) Change: now TLSv1.3 protocol is enabled by default.
*) Change: now nginx issues a warning if protocol parameters of a
listening socket are redefined.
*) Change: now nginx closes connections with lingering if pipelining was
used by the client.
*) Feature: byte ranges support in the ngx_http_gzip_static_module.
*) Bugfix: port ranges in the "listen" directive did not work; the bug
had appeared in 1.23.3.
*) Bugfix: incorrect location might be chosen to process a request if a
prefix location longer than 255 characters was used in the
configuration.
*) Bugfix: non-ASCII characters in file names on Windows were not
supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
and the "include" directive.
*) Change: the logging level of the "data length too long", "length too
short", "bad legacy version", "no shared signature algorithms", "bad
digest length", "missing sigalgs extension", "encrypted length too
long", "bad length", "bad key update", "mixed handshake and non
handshake data", "ccs received early", "data between ccs and
finished", "packet length too long", "too many warn alerts", "record
too small", and "got a fin before a ccs" SSL errors has been lowered
from "crit" to "info".
*) Bugfix: a socket leak might occur when using HTTP/2 and the
"error_page" directive to redirect errors with code 400.
*) Bugfix: messages about logging to syslog errors did not contain
information that the errors happened while logging to syslog.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: in the mail proxy server.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
if we run opkg install nginx on our system (without systemd)
we end up getting the following message in the install process
$ opkg install nginx_1.20.1-r0_core2-64.ipk
...
//var/lib/opkg/info/nginx.postinst: line 3: type: systemd-tmpfiles: not found
this confused some of my coworkers.
as installation also finishes correctly without sytemd-tmpfiles
and not having systemd-tempfiles is not really a problem, I think
we should redirect the message also to /dev/NULL
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2021-3618.patch
removed since it's included in 1.23.3
Changelog:
==========
*) Bugfix: an error might occur when reading PROXY protocol version 2
header with large number of TLVs.
*) Bugfix: a segmentation fault might occur in a worker process if SSI
was used to process subrequests created by other modules.
Thanks to Ciel Zhao.
*) Workaround: when a hostname used in the "listen" directive resolves
to multiple addresses, nginx now ignores duplicates within these
addresses.
*) Bugfix: nginx might hog CPU during unbuffered proxying if SSL
connections to backends were used.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The nginx gunzip module is a filter that decompresses responses with
'Content-Encoding: gzip' for clients that do not support 'gzip' encoding
method. The module will be useful when it is desirable to store data
compressed to save space and reduce I/O costs.
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
For linux, nginx will always compile with '-D_FILE_OFFSET_BITS=64'. This
means that off_t will always be 8 bytes long, even on 32-bit targets.
This configuration change resolves some issues with nginx and handling
range headers.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport with no change a patch from version 1.21.0. This patch
was not cherry-picked by nginx to version 1.20.1.
Information about this CVE comes from
https://ubuntu.com/security/CVE-2021-3618.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Remove directory /var/log/nginx when do_install because it is created by
volatiles file.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch fixes Nginx install paths. I tried to build the native variant
for testing purpose and had errors.
- Use path variable instead of /usr
- Replace the absolute path symlink with a relative one
Signed-off-by: Gaylord CHARLES <gaylord.charles@veo-labs.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
the kill utility is located in /bin/kill -> use base_bindir instead of bindir
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
