nginx.git/src, branch release-1.28.3 nginx Stream: fixed client certificate validation with OCSP. 2026-03-24T18:33:23+00:00 Sergey Kandaurov pluknet@nginx.com 2026-03-17T15:20:03+00:00 78f581487706f2e43eea5a060c516fc4d98090e8 Check for OCSP status was missed in 581cf2267, resulting in a broken validation. Reported by Mufeed VH of Winfunc Research. 
Check for OCSP status was missed in 581cf2267, resulting
in a broken validation.

Reported by Mufeed VH of Winfunc Research.
Mail: fixed clearing s->passwd in auth http requests. 2026-03-24T18:33:23+00:00 Sergey Kandaurov pluknet@nginx.com 2026-03-18T12:39:37+00:00 0f71dd8ea94ab8c123413b2e465be12a35392e9c Previously, it was not properly cleared retaining length as part of authenticating with CRAM-MD5 and APOP methods that expect to receive password in auth response. This resulted in null pointer dereference and worker process crash in subsequent auth attempts with CRAM-MD5. Reported by Arkadi Vainbrand. 
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response.  This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.

Reported by Arkadi Vainbrand.
Mail: host validation. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-02-26T07:52:53+00:00 6a8513761fb327f67fcc6cfcf1ad216887e2589f Now host name resolved from client address is validated to only contain the characters specified in RFC 1034, Section 3.5. The validation allows to avoid injections when using the resolved host name in auth_http and smtp proxy. Reported by Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou University). 
Now host name resolved from client address is validated to only contain
the characters specified in RFC 1034, Section 3.5.  The validation allows
to avoid injections when using the resolved host name in auth_http and
smtp proxy.

Reported by Asim Viladi Oglu Manizada, Colin Warren,
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
Bird Liu (Lanzhou University).
Dav: destination length validation for COPY and MOVE. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-03-16T16:13:03+00:00 a1d18284e0a173c4ef2b28425535d0f640ae0a82 Previously, when alias was used in a location with Dav COPY or MOVE enabled, and the destination URI was shorter than the alias, integer underflow could happen in ngx_http_map_uri_to_path(), which could result in heap buffer overwrite, followed by a possible segfault. With some implementations of memcpy(), the segfault could be avoided and the overwrite could result in a change of the source or destination file names to be outside of the location root. Reported by Calif.io in collaboration with Claude and Anthropic Research. 
Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.
Mp4: fixed possible integer overflow on 32-bit platforms. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-03-02T17:12:34+00:00 b23ac73b00313d159a99636c21ef71b828781018 Previously, a 32-bit overflow could happen while validating atom entries count. This allowed processing of an invalid atom with entrires beyond its boundaries with reads and writes outside of the allocated mp4 buffer. Reported by Prabhav Srinath (sprabhav7). 
Previously, a 32-bit overflow could happen while validating atom entries
count.  This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).
Mp4: avoid zero size buffers in output. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-02-21T08:04:36+00:00 a172c880cb51f882a5dc999437e8b3a4f87630cc Previously, data validation checks did not cover the cases when the output contained empty buffers. Such buffers are considered illegal and produce "zero size buf in output" alerts. The change rejects the mp4 files which produce such alerts. Also, the change fixes possible buffer overread and overwrite that could happen while processing empty stco and co64 atoms, as reported by Pavel Kohout (Aisle Research) and Tim Becker. 
Previously, data validation checks did not cover the cases when the output
contained empty buffers.  Such buffers are considered illegal and produce
"zero size buf in output" alerts.  The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
QUIC: improved error handling in OpenSSL compat layer. 2026-03-24T18:33:23+00:00 user.email 123011167+lukefr09@users.noreply.github.com 2026-02-24T01:33:57+00:00 3986410e12e2b1abc81965dd96598d4c2dd02b00 Previously ngx_quic_compat_create_record() could try to encrypt a TLS record even if encryption context was missing, which resulted in a NULL pointer dereference. The context is created by ngx_quic_compat_set_encryption_secret() called from the OpenSSL keylog callback. If an error occurred in that function, the context could remain missing. This could happen under memory pressure, if an allocation failed inside this function. The fix is to handle errors from ngx_quic_compat_set_encryption_secret() and set qc->error to trigger an error after SSL_do_handshake() return. Also, a check for context is added to ngx_quic_compat_create_record() to avoid other similar issues. 
Previously ngx_quic_compat_create_record() could try to encrypt a TLS
record even if encryption context was missing, which resulted in a NULL
pointer dereference.

The context is created by ngx_quic_compat_set_encryption_secret() called
from the OpenSSL keylog callback.  If an error occurred in that function,
the context could remain missing.  This could happen under memory pressure,
if an allocation failed inside this function.

The fix is to handle errors from ngx_quic_compat_set_encryption_secret()
and set qc->error to trigger an error after SSL_do_handshake() return.
Also, a check for context is added to ngx_quic_compat_create_record()
to avoid other similar issues.
QUIC: worker-bound stateless reset tokens. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-02-26T14:36:52+00:00 0fa49c5f7fa03c628c887fe69acbd7da0ec4e585 Previously, it was possible to obtain a stateless reset token for a connection by routing its packet to a wrong worker. This allowed to terminate the connection. The fix is to bind stateless reset token to the worker number. 
Previously, it was possible to obtain a stateless reset token for a
connection by routing its packet to a wrong worker.  This allowed to
terminate the connection.

The fix is to bind stateless reset token to the worker number.
QUIC: Stateless Reset rate limiting. 2026-03-24T18:33:23+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-25T17:09:21+00:00 7ac4e6b106ea926b57ccef1ec0fe2559dda7dc5c It uses a bloom filter to limit sending Stateless Reset packets no more than once per second in average for the given address. This allows to address resource asymmetry from precomputed packets, as well as to limit potential Stateless Reset exchange. 
It uses a bloom filter to limit sending Stateless Reset packets no more
than once per second in average for the given address.  This allows to
address resource asymmetry from precomputed packets, as well as to limit
potential Stateless Reset exchange.
QUIC: refactored ngx_quic_address_hash(). 2026-03-24T18:33:23+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-25T17:07:01+00:00 e0c5fd912f1cb37fe7a69a61c9fd95d1ebc33c61 Now it accepts an optional salt, to be used in a subsequent change. 
Now it accepts an optional salt, to be used in a subsequent change.