Releases: macbre/docker-nginx-http3
nginx 1.29.8
Changes with nginx 1.29.8 07 Apr 2026
*) Feature: the "max_headers" directive.
Thanks to Maxim Dounin.
*) Feature: OpenSSL 4.0 compatibility.
*) Feature: now the "include" directive inside the "geo" block supports
wildcards.
*) Bugfix: in processing of HTTP 103 (Early Hints) responses from a
proxied backend.
*) Bugfix: the $request_port and $is_request_port variables were not
available in subrequests.
nginx 1.29.7
Changes with nginx 1.29.7 24 Mar 2026
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
Thanks to Calif.io in collaboration with Claude and Anthropic
Research.
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
Thanks to Prabhav Srinath (sprabhav7).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
Thanks to Xint Code and Pavel Kohout (Aisle Research).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
Thanks to Arkadi Vainbrand.
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan
University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou
University).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
Thanks to Mufeed VH of Winfunc Research.
*) Feature: the "multipath" parameter of the "listen" directive.
*) Feature: the "local" parameter of the "keepalive" directive in the
"upstream" block.
*) Change: now the "keepalive" directive in the "upstream" block is
enabled by default.
*) Change: now ngx_http_proxy_module supports keepalive by default; the
default value for "proxy_http_version" is "1.1"; the "Connection"
proxy header is not sent by default anymore.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream if buffered body was used in the
ngx_http_grpc_module.
nginx 1.29.6
Changes with nginx 1.29.6 10 Mar 2026
*) Feature: session affinity support; the "sticky" directive in the
"upstream" block of the "http" module; the "server" directive
supports the "route" and "drain" parameters.
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: "[crit] cache file ... contains invalid header" messages
might appear in logs when sending a cached HTTP/2 response.
*) Bugfix: proxying to scgi backends might not work when using chunked
transfer encoding and the "scgi_request_buffering" directive.
Thanks to Mufeed VH.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Andrew Lacambra.
*) Bugfix: nginx treated a comma as separator in the "Cookie" request
header line when evaluating "$cookie_..." variables.
*) Bugfix: in IMAP command literal argument parsing.
nginx 1.29.5
Changes with nginx 1.29.5 04 Feb 2026
*) Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
*) Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream.
*) Bugfix: a response with multiple ranges might be larger than the
source response.
*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and
uwsgi backends.
*) Bugfix: fixed warning when compiling with MSVC 2022 x86.
*) Change: the logging level of the "ech_required" SSL error has been
lowered from "crit" to "info".
nginx 1.29.4
Changes with nginx 1.29.4 09 Dec 2025
*) Feature: the ngx_http_proxy_module supports HTTP/2.
*) Feature: Encrypted ClientHello TLS extension support when using
OpenSSL ECH feature branch; the "ssl_ech_file" directive.
Thanks to Stephen Farrell.
*) Change: validation of host and port in the request line, "Host"
header field, and ":authority" pseudo-header field has been changed
to follow RFC 3986.
*) Change: now a single LF used as a line terminator in a chunked
request or response body is considered an error.
*) Bugfix: when using HTTP/3 with OpenSSL 3.5.1 or newer a segmentation
fault might occur in a worker process; the bug had appeared in
1.29.1.
Thanks to Jan Svojanovsky.
*) Bugfix: a segmentation fault might occur in a worker process if the
"try_files" directive and "proxy_pass" with a URI were used.
nginx 1.29.3
Changes with nginx 1.29.3 28 Oct 2025
*) Feature: the "add_header_inherit" and "add_trailer_inherit"
directives.
*) Feature: the $request_port and $is_request_port variables.
*) Feature: the $ssl_sigalg and $ssl_client_sigalg variables.
*) Feature: the "volatile" parameter of the "geo" directive.
*) Feature: now certificate compression is available with BoringSSL.
*) Bugfix: now certificate compression is disabled with OCSP stapling.
nginx 1.29.2
Changes with nginx 1.29.2 07 Oct 2025
*) Feature: now nginx can be built with AWS-LC.
Thanks to Samuel Chiang.
*) Bugfix: now the "ssl_protocols" directive works in a virtual server
different from the default server when using OpenSSL 1.1.1 or newer.
*) Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL
and client certificates and resuming a session with a different SNI
value; the bug had appeared in 1.27.4.
*) Bugfix: the "ignoring stale global SSL error" alerts might appear in
logs when using QUIC and the "ssl_reject_handshake" directive; the
bug had appeared in 1.29.0.
Thanks to Vladimir Homutov.
*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
response header line.
*) Bugfix: an XCLIENT command didn't use the xtext encoding.
Thanks to Igor Morgenstern of Aisle Research.
*) Bugfix: in SSL certificate caching during reconfiguration.
nginx 1.29.1
Changes with nginx 1.29.1 13 Aug 2025
*) Security: processing of a specially crafted login/password when using
the "none" authentication method in the ngx_mail_smtp_module might
cause worker process memory disclosure to the authentication server
(CVE-2025-53859).
*) Change: now TLSv1.3 certificate compression is disabled by default.
*) Feature: the "ssl_certificate_compression" directive.
*) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
*) Bugfix: the 103 response might be buffered when using HTTP/2 and the
"early_hints" directive.
*) Bugfix: in handling "Host" and ":authority" header lines with equal
values when using HTTP/2; the bug had appeared in 1.17.9.
*) Bugfix: in handling "Host" header lines with a port when using
HTTP/3.
*) Bugfix: nginx could not be built on NetBSD 10.0.
*) Bugfix: in the "none" parameter of the "smtp_auth" directive.
nginx 1.29.0
Changes with nginx 1.29.0 24 Jun 2025
*) Feature: support for response code 103 from proxy and gRPC backends;
the "early_hints" directive.
*) Feature: loading of secret keys from hardware tokens with OpenSSL
provider.
*) Feature: support for the "so_keepalive" parameter of the "listen"
directive on macOS.
*) Change: the logging level of SSL errors in a QUIC handshake has been
changed from "error" to "crit" for critical errors, and to "info" for
the rest; the logging level of unsupported QUIC transport parameters
has been lowered from "info" to "debug".
*) Change: the native nginx/Windows binary release is now built using
Windows SDK 10.
*) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
ngx_http_v3_module modules were used.
*) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
optimization if ngx_http_v3_module was used.
*) Bugfixes and improvements in HTTP/3.
nginx 1.27.5 + njs 0.8.10
Changes with nginx 1.27.5 16 Apr 2025
*) Feature: CUBIC congestion control in QUIC connections.
*) Change: the maximum size limit for SSL sessions cached in shared
memory has been raised to 8192.
*) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file",
and "uwsgi_ssl_password_file" directives when loading SSL
certificates and encrypted keys from variables; the bug had appeared
in 1.23.1.
*) Bugfix: in the $ssl_curve and $ssl_curves variables when using
pluggable curves in OpenSSL.
*) Bugfix: nginx could not be built with musl libc.
Thanks to Piotr Sikora.
*) Performance improvements and bugfixes in HTTP/3.