From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] nginx: Update to version 1.29.1
Date: Fri, 12 Sep 2025 22:08:13 +0200
Message-ID: <20250912200814.3489573-6-adolf.belka@ipfire.org>
In-Reply-To: <20250912200814.3489573-1-adolf.belka@ipfire.org>
- Update from version 1.26.2 to 1.29.1
- Update of rootfile not required
- One CVE fix in 1.27.4, one CVE fix in 1.27.1, four CVE fixes in 1.27.0
- Changelog
1.29.1
*) Change: now TLSv1.3 certificate compression is disabled by default.
*) Feature: the "ssl_certificate_compression" directive.
*) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
*) Bugfix: the 103 response might be buffered when using HTTP/2 and the
"early_hints" directive.
*) Bugfix: in handling "Host" and ":authority" header lines with equal
values when using HTTP/2; the bug had appeared in 1.17.9.
*) Bugfix: in handling "Host" header lines with a port when using
HTTP/3.
*) Bugfix: nginx could not be built on NetBSD 10.0.
*) Bugfix: in the "none" parameter of the "smtp_auth" directive.
1.29.0
*) Feature: support for response code 103 from proxy and gRPC backends;
the "early_hints" directive.
*) Feature: loading of secret keys from hardware tokens with OpenSSL
provider.
*) Feature: support for the "so_keepalive" parameter of the "listen"
directive on macOS.
*) Change: the logging level of SSL errors in a QUIC handshake has been
changed from "error" to "crit" for critical errors, and to "info" for
the rest; the logging level of unsupported QUIC transport parameters
has been lowered from "info" to "debug".
*) Change: the native nginx/Windows binary release is now built using
Windows SDK 10.
*) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
ngx_http_v3_module modules were used.
*) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
optimization if ngx_http_v3_module was used.
*) Bugfixes and improvements in HTTP/3.
1.27.5
*) Feature: CUBIC congestion control in QUIC connections.
*) Change: the maximum size limit for SSL sessions cached in shared
memory has been raised to 8192.
*) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file",
and "uwsgi_ssl_password_file" directives when loading SSL
certificates and encrypted keys from variables; the bug had appeared
in 1.23.1.
*) Bugfix: in the $ssl_curve and $ssl_curves variables when using
pluggable curves in OpenSSL.
*) Bugfix: nginx could not be built with musl libc.
Thanks to Piotr Sikora.
*) Performance improvements and bugfixes in HTTP/3.
1.27.4
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
"proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
"uwsgi_ssl_certificate_cache" directives.
*) Feature: the "keepalive_min_timeout" directive.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: QUIC connection might not be established when using 0-RTT;
the bug had appeared in 1.27.1.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
1.27.3
*) Feature: the "server" directive in the "upstream" block supports the
"resolve" parameter.
*) Feature: the "resolver" and "resolver_timeout" directives in the
"upstream" block.
*) Feature: SmarterMail specific mode support for IMAP LOGIN with
untagged CAPABILITY response in the mail proxy module.
*) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
*) Change: an IPv6 address in square brackets and no port can be
specified in the "proxy_bind", "fastcgi_bind", "grpc_bind",
"memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as
client address in ngx_http_realip_module.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Bugfix: the "so_keepalive" parameter of the "listen" directive might
be handled incorrectly on DragonFly BSD.
*) Bugfix: in the "proxy_store" directive.
1.27.2
*) Feature: SSL certificates, secret keys, and CRLs are now cached on
start or during reconfiguration.
*) Feature: client certificate validation with OCSP in the stream
module.
*) Feature: OCSP stapling support in the stream module.
*) Feature: the "proxy_pass_trailers" directive in the
ngx_http_proxy_module.
*) Feature: the "ssl_client_certificate" directive now supports
certificates with auxiliary information.
*) Change: now the "ssl_client_certificate" directive is not required
for client SSL certificates verification.
1.27.1
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
*) Change: now the stream module handler is not mandatory.
*) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old
worker processes.
Thanks to Kasei Wang.
*) Bugfixes in HTTP/3.
1.27.0
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
*) Feature: variables support in the "proxy_limit_rate",
"fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
directives.
*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
"gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic
option was used.
Thanks to Edgar Bonet.
*) Bugfixes in HTTP/3.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/nginx | 59 +++++++++++++++++++++++++++----------------------------
1 file changed, 29 insertions(+), 30 deletions(-)
diff --git a/lfs/nginx b/lfs/nginx
index 0468fed11..59b670c61 100644
--- a/lfs/nginx
+++ b/lfs/nginx
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -25,7 +25,7 @@
include Config
SUMMARY = A HTTP server and IMAP/POP3 proxy server
-VER = 1.26.2
+VER = 1.29.1
THISAPP = nginx-$(VER)
DL_FILE = $(THISAPP).tar.gz
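Review bot: the bump at `-VER = 1.26.2` / `+VER = 1.29.1` moves from nginx's even-numbered stable branch to the odd-numbered mainline branch, and the changelog in the commit message goes from 1.27.5 straight to 1.29.0 with no 1.28.x entries. If tracking mainline is intended, please state that in the commit message (and that the 1.28.x stable releases were skipped) so the next updater knows which branch to follow.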
@@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = nginx
-PAK_VER = 17
+PAK_VER = 18
DEPS =
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = f054deb47bf21bf963fedc8f980d29c92325bbfcb39c5a2cc67cce15add32036f0b771c7abac018ded6354a0df0850ed5843d26e0cf5d9577b70ca3fa89a206c
+$(DL_FILE)_BLAKE2 = ab2f49ff5564fa45f86732e92abf8a43ce5f225cfcffcd66f40c7e35377525fe18a7760c1946e6e9f48e7fc07e99fdefa4ea5c19deae3cde00121aefa3d7cc14
install : $(TARGET)
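Review bot: the new `$(DL_FILE)_BLAKE2` value is the only integrity check applied to the tarball fetched from `$(DL_FROM)` (the IPFire mirror, per `DL_FROM = $(URL_IPFIRE)` in the context above), so the commit message should say how the hash was obtained, e.g. that the upstream release signature was verified before the checksum was computed, so a reviewer can reproduce the check instead of trusting the posted hash.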
@@ -81,32 +81,31 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure \
- --prefix=/usr/share/nginx \
- --conf-path=/etc/nginx/nginx.conf \
- --sbin-path=/usr/sbin/nginx \
- --pid-path=/var/run/nginx.pid \
- --lock-path=/var/lock/nginx.lock \
- --http-client-body-temp-path=/var/spool/nginx/client_body_temp \
- --http-proxy-temp-path=/var/spool/nginx/proxy_temp \
- --http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \
- --http-log-path=/var/log/nginx/access.log \
- --error-log-path=/var/log/nginx/error.log \
- --user=nobody \
- --group=nobody \
- --with-mail \
- --with-mail_ssl_module \
- --with-http_ssl_module \
- --with-http_gunzip_module \
- --with-http_gzip_static_module \
- --with-http_random_index_module \
- --with-http_secure_link_module \
- --with-http_degradation_module \
- --with-http_stub_status_module \
- --with-http_dav_module \
- --with-http_sub_module \
- --with-http_v2_module \
- --with-pcre
-
+ --prefix=/usr/share/nginx \
+ --conf-path=/etc/nginx/nginx.conf \
+ --sbin-path=/usr/sbin/nginx \
+ --pid-path=/var/run/nginx.pid \
+ --lock-path=/var/lock/nginx.lock \
+ --http-client-body-temp-path=/var/spool/nginx/client_body_temp \
+ --http-proxy-temp-path=/var/spool/nginx/proxy_temp \
+ --http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \
+ --http-log-path=/var/log/nginx/access.log \
+ --error-log-path=/var/log/nginx/error.log \
+ --user=nobody \
+ --group=nobody \
+ --with-mail \
+ --with-mail_ssl_module \
+ --with-http_ssl_module \
+ --with-http_gunzip_module \
+ --with-http_gzip_static_module \
+ --with-http_random_index_module \
+ --with-http_secure_link_module \
+ --with-http_degradation_module \
+ --with-http_stub_status_module \
+ --with-http_dav_module \
+ --with-http_sub_module \
+ --with-http_v2_module \
+ --with-pcre
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
mkdir -p /var/log/nginx /var/spool/nginx
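Review bot: every line from `--prefix=/usr/share/nginx \` through `--with-pcre` is removed and re-added with identical content, so this part of the hunk is a whitespace-only reindent plus the dropped blank line before `cd $(DIR_APP) && make $(MAKETUNING)`; no configure option actually changes. The commit message does not mention this, so either split the reindent into its own commit or add a line such as "- Reindent configure options" so reviewers need not compare the two blocks by eye to confirm the build options are unchanged.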
--
2.51.0