- Update from version 1.26.2 to 1.29.1
- Update of rootfile not required
- One CVE fix in 1.27.4, one CVE fix in 1.27.1, four CVE fixes in 1.27.0
- Changelog
    1.29.1
            *) Change: now TLSv1.3 certificate compression is disabled by default.
            *) Feature: the "ssl_certificate_compression" directive.
            *) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
            *) Bugfix: the 103 response might be buffered when using HTTP/2 and the
               "early_hints" directive.
            *) Bugfix: in handling "Host" and ":authority" header lines with equal
               values when using HTTP/2; the bug had appeared in 1.17.9.
            *) Bugfix: in handling "Host" header lines with a port when using
               HTTP/3.
            *) Bugfix: nginx could not be built on NetBSD 10.0.
            *) Bugfix: in the "none" parameter of the "smtp_auth" directive.
    1.29.0
            *) Feature: support for response code 103 from proxy and gRPC backends;
               the "early_hints" directive.
            *) Feature: loading of secret keys from hardware tokens with OpenSSL
               provider.
            *) Feature: support for the "so_keepalive" parameter of the "listen"
               directive on macOS.
            *) Change: the logging level of SSL errors in a QUIC handshake has been
               changed from "error" to "crit" for critical errors, and to "info" for
               the rest; the logging level of unsupported QUIC transport parameters
               has been lowered from "info" to "debug".
            *) Change: the native nginx/Windows binary release is now built using
               Windows SDK 10.
            *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
               ngx_http_v3_module modules were used.
            *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
               optimization if ngx_http_v3_module was used.
            *) Bugfixes and improvements in HTTP/3.
    1.27.5
            *) Feature: CUBIC congestion control in QUIC connections.
            *) Change: the maximum size limit for SSL sessions cached in shared
               memory has been raised to 8192.
            *) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file",
               and "uwsgi_ssl_password_file" directives when loading SSL
               certificates and encrypted keys from variables; the bug had appeared
               in 1.23.1.
            *) Bugfix: in the $ssl_curve and $ssl_curves variables when using
               pluggable curves in OpenSSL.
            *) Bugfix: nginx could not be built with musl libc.
               Thanks to Piotr Sikora.
            *) Performance improvements and bugfixes in HTTP/3.
    1.27.4
            *) Security: insufficient check in virtual servers handling with TLSv1.3
               SNI allowed to reuse SSL sessions in a different virtual server, to
               bypass client SSL certificates verification (CVE-2025-23419).
            *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
               "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
               "uwsgi_ssl_certificate_cache" directives.
            *) Feature: the "keepalive_min_timeout" directive.
            *) Workaround: "gzip filter failed to use preallocated memory" alerts
               appeared in logs when using zlib-ng.
            *) Bugfix: nginx could not build libatomic library using the library
               sources if the --with-libatomic=DIR option was used.
            *) Bugfix: QUIC connection might not be established when using 0-RTT;
               the bug had appeared in 1.27.1.
            *) Bugfix: nginx now ignores QUIC version negotiation packets from
               clients.
            *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
               ngx_http_v3_module.
            *) Bugfixes in HTTP/3.
    1.27.3
            *) Feature: the "server" directive in the "upstream" block supports the
               "resolve" parameter.
            *) Feature: the "resolver" and "resolver_timeout" directives in the
               "upstream" block.
            *) Feature: SmarterMail specific mode support for IMAP LOGIN with
               untagged CAPABILITY response in the mail proxy module.
            *) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
            *) Change: an IPv6 address in square brackets and no port can be
               specified in the "proxy_bind", "fastcgi_bind", "grpc_bind",
               "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as
               client address in ngx_http_realip_module.
            *) Bugfix: in the ngx_http_mp4_module.
               Thanks to Nils Bars.
            *) Bugfix: the "so_keepalive" parameter of the "listen" directive might
               be handled incorrectly on DragonFly BSD.
            *) Bugfix: in the "proxy_store" directive.
    1.27.2
            *) Feature: SSL certificates, secret keys, and CRLs are now cached on
               start or during reconfiguration.
            *) Feature: client certificate validation with OCSP in the stream
               module.
            *) Feature: OCSP stapling support in the stream module.
            *) Feature: the "proxy_pass_trailers" directive in the
               ngx_http_proxy_module.
            *) Feature: the "ssl_client_certificate" directive now supports
               certificates with auxiliary information.
            *) Change: now the "ssl_client_certificate" directive is not required
               for client SSL certificates verification.
    1.27.1
            *) Security: processing of a specially crafted mp4 file by the
               ngx_http_mp4_module might cause a worker process crash
               (CVE-2024-7347).
               Thanks to Nils Bars.
            *) Change: now the stream module handler is not mandatory.
            *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old
               worker processes.
               Thanks to Kasei Wang.
            *) Bugfixes in HTTP/3.
    1.27.0
            *) Security: when using HTTP/3, processing of a specially crafted QUIC
               session might cause a worker process crash, worker process memory
               disclosure on systems with MTU larger than 4096 bytes, or might have
               potential other impact (CVE-2024-32760, CVE-2024-31079,
               CVE-2024-35200, CVE-2024-34161).
               Thanks to Nils Bars of CISPA.
            *) Feature: variables support in the "proxy_limit_rate",
               "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
               directives.
            *) Bugfix: reduced memory consumption for long-lived requests if "gzip",
               "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
            *) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic
               option was used.
               Thanks to Edgar Bonet.
            *) Bugfixes in HTTP/3.

Signed-off-by: Adolf Belka <[email protected]>
---
 lfs/nginx | 59 +++++++++++++++++++++++++++----------------------------
 1 file changed, 29 insertions(+), 30 deletions(-)

diff --git a/lfs/nginx b/lfs/nginx
index 0468fed11..59b670c61 100644
--- a/lfs/nginx
+++ b/lfs/nginx
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <[email protected]>                     #
+# Copyright (C) 2007-2025  IPFire Team  <[email protected]>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -25,7 +25,7 @@
 include Config
 
 SUMMARY    = A HTTP server and IMAP/POP3 proxy server
-VER        = 1.26.2
+VER        = 1.29.1
 
 THISAPP    = nginx-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
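Review bot: the VER bump to 1.29.1 crosses two default changes listed in the commit message that can alter behaviour for existing configurations: TLSv1 and TLSv1.1 disabled by default (1.27.3) and TLSv1.3 certificate compression disabled by default (1.29.1). The commit message only says the rootfile is unchanged; please add a line noting that setups relying on the old defaults need an explicit ssl_protocols or ssl_certificate_compression setting, or confirm that nothing shipped with the package depends on them.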
@@ -33,7 +33,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = nginx
-PAK_VER    = 17
+PAK_VER    = 18
 
 DEPS       =
 
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 
f054deb47bf21bf963fedc8f980d29c92325bbfcb39c5a2cc67cce15add32036f0b771c7abac018ded6354a0df0850ed5843d26e0cf5d9577b70ca3fa89a206c
+$(DL_FILE)_BLAKE2 = 
ab2f49ff5564fa45f86732e92abf8a43ce5f225cfcffcd66f40c7e35377525fe18a7760c1946e6e9f48e7fc07e99fdefa4ea5c19deae3cde00121aefa3d7cc14
 
 install : $(TARGET)
 
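Review bot: the new $(DL_FILE)_BLAKE2 value is the only integrity check on the tarball, which is fetched via DL_FROM = $(URL_IPFIRE), and nothing in the commit says how the checksum was obtained. Please state in the commit message that the nginx-1.29.1 tarball was verified against the upstream release signature before the BLAKE2 sum was computed.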
@@ -81,32 +81,31 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && ./configure \
-               --prefix=/usr/share/nginx \
-               --conf-path=/etc/nginx/nginx.conf \
-               --sbin-path=/usr/sbin/nginx \
-               --pid-path=/var/run/nginx.pid \
-               --lock-path=/var/lock/nginx.lock \
-               --http-client-body-temp-path=/var/spool/nginx/client_body_temp \
-               --http-proxy-temp-path=/var/spool/nginx/proxy_temp \
-               --http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \
-               --http-log-path=/var/log/nginx/access.log \
-               --error-log-path=/var/log/nginx/error.log \
-               --user=nobody \
-               --group=nobody \
-               --with-mail \
-               --with-mail_ssl_module \
-               --with-http_ssl_module \
-               --with-http_gunzip_module \
-               --with-http_gzip_static_module \
-               --with-http_random_index_module \
-               --with-http_secure_link_module \
-               --with-http_degradation_module \
-               --with-http_stub_status_module \
-               --with-http_dav_module \
-               --with-http_sub_module \
-               --with-http_v2_module \
-               --with-pcre
-
+                               --prefix=/usr/share/nginx \
+                               --conf-path=/etc/nginx/nginx.conf \
+                               --sbin-path=/usr/sbin/nginx \
+                               --pid-path=/var/run/nginx.pid \
+                               --lock-path=/var/lock/nginx.lock \
+                               
--http-client-body-temp-path=/var/spool/nginx/client_body_temp \
+                               
--http-proxy-temp-path=/var/spool/nginx/proxy_temp \
+                               
--http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \
+                               --http-log-path=/var/log/nginx/access.log \
+                               --error-log-path=/var/log/nginx/error.log \
+                               --user=nobody \
+                               --group=nobody \
+                               --with-mail \
+                               --with-mail_ssl_module \
+                               --with-http_ssl_module \
+                               --with-http_gunzip_module \
+                               --with-http_gzip_static_module \
+                               --with-http_random_index_module \
+                               --with-http_secure_link_module \
+                               --with-http_degradation_module \
+                               --with-http_stub_status_module \
+                               --with-http_dav_module \
+                               --with-http_sub_module \
+                               --with-http_v2_module \
+                               --with-pcre
        cd $(DIR_APP) && make $(MAKETUNING)
        cd $(DIR_APP) && make install
        mkdir -p /var/log/nginx /var/spool/nginx
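Review bot: every removed and added ./configure line in this hunk carries the same option, so the change is re-indentation only plus the dropped blank line after --with-pcre, and the commit message does not mention it. In a security update this makes it harder to confirm that no build flag changed; please drop the whitespace change or move it to a separate commit. The flag list also has neither --with-http_v3_module nor --with-http_mp4_module, so it would help to say in the commit message which of the listed CVE fixes actually apply to this build.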
-- 
2.51.0

