Nginx 1.26.2 and 1.27.1 updates with elimination of DoS vulnerability in ngx_http_mp4_module

The mainline branch release nginx 1.27.1 has been published, in which development of new features continues, along with a release of the parallel supported stable branch, nginx 1.26.2, which only includes changes that fix serious bugs and vulnerabilities. The updates fix a vulnerability (CVE-2024-7347) in the ngx_http_mp4_module module that causes a worker process to terminate abnormally when processing a specially crafted MP4 file. The problem appears starting from release 1.5.13 when nginx is built with the ngx_http_mp4_module module (not built by default) and the mp4 directive is used in the configuration. For older versions, the vulnerability can be fixed with a patch.
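The three conditions above (a version from 1.5.13 up to the fixed releases, ngx_http_mp4_module compiled in, and the mp4 directive in use) can be checked from the output of `nginx -V` and `nginx -T`. The Python sketch below is an added example, not code from the original article or the nginx project. Its function names and both sample outputs are constructed for illustration.

```python
import re

FIRST_AFFECTED = (1, 5, 13)   # first affected release, per the article
FIXED_STABLE = (1, 26, 2)     # fixed stable release, per the article
FIXED_MAINLINE = (1, 27, 1)   # fixed mainline release, per the article

# Constructed sample of `nginx -V 2>&1` output (not from a real host).
SAMPLE_V = """nginx version: nginx/1.24.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module
"""
# Constructed sample of `nginx -T` output (not from a real host).
SAMPLE_T = """http {
    server {
        location /video/ {
            mp4;                  # directive that activates the module
            mp4_buffer_size 1m;
        }
    }
}
"""

def parse_version(nginx_v):
    """Return (major, minor, patch) from the 'nginx version:' line."""
    m = re.search(r"nginx version: \S+?/(\d+)\.(\d+)\.(\d+)", nginx_v)
    if not m:
        raise ValueError("no 'nginx version:' line found")
    return tuple(int(part) for part in m.groups())

def version_in_affected_range(v):
    """True for 1.5.13 up to, but not including, the fixed releases."""
    return FIRST_AFFECTED <= v < FIXED_STABLE or (1, 27, 0) <= v < FIXED_MAINLINE

def module_compiled_in(nginx_v):
    return "--with-http_mp4_module" in nginx_v

def mp4_directive_enabled(config_dump):
    """True if a bare `mp4;` directive appears outside a comment."""
    for line in config_dump.splitlines():
        code = line.split("#", 1)[0]  # simple comment strip; ignores quoted '#'
        if re.search(r"(?:^|[\s;{}])mp4\s*;", code):
            return True
    return False

def needs_attention(nginx_v, config_dump):
    """All three conditions from the article hold for this instance."""
    return (version_in_affected_range(parse_version(nginx_v))
            and module_compiled_in(nginx_v)
            and mp4_directive_enabled(config_dump))

if __name__ == "__main__":
    print("needs attention:", needs_attention(SAMPLE_V, SAMPLE_T))
```

A build of an older version that carries the patch still reports its old version number, so a positive result here means the instance should be verified, not that it is confirmed vulnerable.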

In addition to the vulnerability fix, the nginx 1.27.1 release also fixes errors in the implementation of the HTTP/3 protocol, makes the handler in the stream module optional, and solves the problem with ignoring new HTTP/2 connections when worker processes shut down gracefully.

Source: opennet.ru
