Published master branch release nginx 1.29.8, where new features are being developed. In a parallel stable branch 1.28.x Only changes related to fixing serious bugs and vulnerabilities are being made. The stable 1.30 branch will later be formed on the basis of the main 1.29.x branch. The project code is written in C and spreads under the BSD license.
В new release:
- Directive added max_headers, which limits the maximum number of HTTP headers in a request. If the limit is exceeded, a 400 (Bad Request) error is returned. This feature was ported from FreeNginx.
- Compatibility with the OpenSSL 4.0 library, which is currently in development, has been ensured. alpha testing.
- It is allowed to use masks in the include directive specified inside the "geo" block.
- Fixed a bug in handling HTTP responses with code 103 (Early Hints) returned by the proxied backend.
- Fixed the non-setting of the $request_port and $is_request_port variables in subrequests.
Additionally, the publication of the project release can be noted. FreeNginx 1.29.7, developing fork Nginx. The fork is being developed by Maxim Dunin, one of the key Nginx developers. FreeNginx is positioned as a non-commercial project, ensuring the development of the Nginx codebase without corporate interference. FreeNginx code continues to be released under the BSD license. new version Compatibility with OpenSSL 4.0 has been ensured. A buffer overflow (CVE-2026-27654) has been fixed in the ngx_http_dav_module module. This occurred when processing WebDAV COPY and MOVE requests when using the alias directive in location blocks. A potential attacker-initiated PTR record manipulation (CVE-2026-28753) in auth_http requests and the XCLIENT command in the SMTP connection to the backend has been eliminated.
Source: linux.org.ru
