nginx.git, branch release-1.29.7 nginx nginx-1.29.7-RELEASE 2026-03-24T15:38:34+00:00 Roman Arutyunyan arut@nginx.com 2026-03-19T14:53:00+00:00 5ac6f49371f9fcdf21ca4b4fd2a8657576f0885b 






Stream: fixed client certificate validation with OCSP.
2026-03-24T15:28:20+00:00

Sergey Kandaurov
pluknet@nginx.com

2026-03-17T15:20:03+00:00

18711f7754401dd4ce26faa721e0f0bce41d4c1e

Check for OCSP status was missed in 581cf2267, resulting
in a broken validation.

Reported by Mufeed VH of Winfunc Research.





Check for OCSP status was missed in 581cf2267, resulting
in a broken validation.

Reported by Mufeed VH of Winfunc Research.







Mail: fixed clearing s->passwd in auth http requests.
2026-03-24T14:46:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2026-03-18T12:39:37+00:00

9bc13718fe8a59a4538805516be7e141070c22d6

Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response.  This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.

Reported by Arkadi Vainbrand.





Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response.  This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.

Reported by Arkadi Vainbrand.







Mail: host validation.
2026-03-24T14:46:08+00:00

Roman Arutyunyan
arut@nginx.com

2026-02-26T07:52:53+00:00

6f3145006b41a4ec464eed4093553a335d35e8ac

Now host name resolved from client address is validated to only contain
the characters specified in RFC 1034, Section 3.5.  The validation allows
to avoid injections when using the resolved host name in auth_http and
smtp proxy.

Reported by Asim Viladi Oglu Manizada, Colin Warren,
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
Bird Liu (Lanzhou University).





Now host name resolved from client address is validated to only contain
the characters specified in RFC 1034, Section 3.5.  The validation allows
to avoid injections when using the resolved host name in auth_http and
smtp proxy.

Reported by Asim Viladi Oglu Manizada, Colin Warren,
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
Bird Liu (Lanzhou University).







Dav: destination length validation for COPY and MOVE.
2026-03-24T14:45:25+00:00

Roman Arutyunyan
arut@nginx.com

2026-03-16T16:13:03+00:00

9739e755b8dddba82e65ca2a08d079f4c9826b75

Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.





Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.







Mp4: fixed possible integer overflow on 32-bit platforms.
2026-03-24T14:44:57+00:00

Roman Arutyunyan
arut@nginx.com

2026-03-02T17:12:34+00:00

3568812cf98dfd7661cd7516ecf9b398c134ab3c

Previously, a 32-bit overflow could happen while validating atom entries
count.  This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).





Previously, a 32-bit overflow could happen while validating atom entries
count.  This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).







Mp4: avoid zero size buffers in output.
2026-03-24T14:12:29+00:00

Roman Arutyunyan
arut@nginx.com

2026-02-21T08:04:36+00:00

7725c372c2fe11ff908b1d6138be219ad694c42f

Previously, data validation checks did not cover the cases when the output
contained empty buffers.  Such buffers are considered illegal and produce
"zero size buf in output" alerts.  The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.





Previously, data validation checks did not cover the cases when the output
contained empty buffers.  Such buffers are considered illegal and produce
"zero size buf in output" alerts.  The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.







Upstream keepalive: fixed parameter parsing.
2026-03-24T11:38:16+00:00

Roman Arutyunyan
arut@nginx.com

2026-03-24T11:12:05+00:00

d787755d50c96b8f0fc1c5c2df62e8ea3bd9031f












Proxy: enabled HTTP/1.1 by default for upstream connections.
2026-03-24T10:28:52+00:00

Roman Semenov
r.semenov@f5.com

2026-01-27T20:37:11+00:00

6bb27a63129968da17b21589b73aa4f47b8445ec

Updates the proxy module to use HTTP/1.1 as the default protocol when
communicating with upstream servers. This change unlocks features
such as persistent connections and chunked transfer encoding. Configurations
that require HTTP/1.0 can still override the protocol explicitly.





Updates the proxy module to use HTTP/1.1 as the default protocol when
communicating with upstream servers. This change unlocks features
such as persistent connections and chunked transfer encoding. Configurations
that require HTTP/1.0 can still override the protocol explicitly.







Upstream: enabled keepalive by default for explicit upstreams.
2026-03-24T10:28:52+00:00

Roman Semenov
r.semenov@f5.com

2026-03-23T18:03:26+00:00

4fbe4b62746f67d4348212c089b745bd10082964

Keepalive is now automatically enabled in the "local" mode for upstreams
defined in configuration files. Cached keepalive connections are no longer
shared between different locations referencing the same explicit upstream
unless keepalive is explicitly configured without the "local" parameter.

To disable keepalive entirely, use keepalive 0; inside the upstream block.
To allow sharing cached connections between locations, configure
keepalive <max_cached>; without the "local" parameter.





Keepalive is now automatically enabled in the "local" mode for upstreams
defined in configuration files. Cached keepalive connections are no longer
shared between different locations referencing the same explicit upstream
unless keepalive is explicitly configured without the "local" parameter.

To disable keepalive entirely, use keepalive 0; inside the upstream block.
To allow sharing cached connections between locations, configure
keepalive <max_cached>; without the "local" parameter.