
nginx 1.29.7 #184

Merged: macbre merged 2 commits into master from nginx/1.29.7 on Mar 24, 2026

Conversation

@macbre (Owner) commented Mar 24, 2026

Changes with nginx 1.29.7                                        24 Mar 2026

    *) Security: a buffer overflow might occur while handling a COPY or MOVE
       request in a location with "alias", allowing an attacker to modify
       the source or destination path outside of the document root
       (CVE-2026-27654).
       Thanks to Calif.io in collaboration with Claude and Anthropic
       Research.

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module on 32-bit platforms might cause a worker process
       crash, or might have potential other impact (CVE-2026-27784).
       Thanks to Prabhav Srinath (sprabhav7).

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module might cause a worker process crash, or might have
       potential other impact (CVE-2026-32647).
       Thanks to Xint Code and Pavel Kohout (Aisle Research).

    *) Security: a segmentation fault might occur in a worker process if the
       CRAM-MD5 or APOP authentication methods were used and authentication
       retry was enabled (CVE-2026-27651).
       Thanks to Arkadi Vainbrand.

    *) Security: an attacker might use PTR DNS records to inject data in
       auth_http requests, as well as in the XCLIENT command in the backend
       SMTP connection (CVE-2026-28753).
       Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan
       University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou
       University).

    *) Security: SSL handshake might succeed despite OCSP rejecting a client
       certificate in the stream module (CVE-2026-28755).
       Thanks to Mufeed VH of Winfunc Research.

    *) Feature: the "multipath" parameter of the "listen" directive.

    *) Feature: the "local" parameter of the "keepalive" directive in the
       "upstream" block.

    *) Change: now the "keepalive" directive in the "upstream" block is
       enabled by default.

    *) Change: now ngx_http_proxy_module supports keepalive by default; the
       default value for "proxy_http_version" is "1.1"; the "Connection"
       proxy header is not sent by default anymore.

    *) Bugfix: an invalid HTTP/2 request might be sent after switching to
       the next upstream if buffered body was used in the
       ngx_http_grpc_module.

@macbre macbre self-assigned this Mar 24, 2026
Updated nginx version from 1.29.6 to 1.29.7 and adjusted build identifier.
@macbre macbre marked this pull request as ready for review March 24, 2026 20:39
@macbre macbre enabled auto-merge (squash) March 24, 2026 20:40
@macbre macbre merged commit 6b6f778 into master Mar 24, 2026
3 checks passed
@macbre macbre deleted the nginx/1.29.7 branch March 24, 2026 20:43