The first release of the new nginx mainline branch, 1.27.0, has been published; development of new features will continue in it. At the same time, nginx 1.26.1 was released in the parallel supported stable branch, which receives only changes that fix serious bugs and vulnerabilities. Next year, a stable branch 1.28 will be formed from the mainline branch 1.27.x. The project code is written in C and distributed under the BSD license.
The new releases fix 4 vulnerabilities affecting the experimental ngx_http_v3 module (disabled by default), which provides support for the HTTP/3 protocol using the QUIC protocol as a transport for HTTP/2. The problems appear only when the ngx_http_v3_module module is enabled and the “quic” option is set in the “listen” directive. There is no word yet on whether the Angie and FreeNginx forks are affected.
The CVE-2024-34161 vulnerability causes worker process memory to leak on systems with an MTU value greater than 4096 bytes. A memory leak occurs when CRYPTO frames used in connection negotiation are sent after the client sends the finalization message.
The memory corruption vulnerabilities CVE-2024-31079, CVE-2024-32760, and CVE-2024-35200 allow a remote attacker to crash an nginx worker process by establishing a specially crafted QUIC session. For CVE-2024-31079 and CVE-2024-32760, other consequences of the attack cannot be ruled out (possibly execution of the attacker’s code?). Details are not given, but judging by the fixes in the code, the vulnerabilities are caused by access to already freed memory (use-after-free), incorrect memory allocation for an array, a null pointer dereference, and a missing check on the size of data placed in a buffer.
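The exposure conditions described above (HTTP/3 module built in, "quic" set on a "listen" directive, release older than 1.26.1 / 1.27.0) can be checked from the output of `nginx -V` and `nginx -T`. The following is an added example, not code from the nginx project or the original article; the function names and sample inputs are constructed, and it assumes any release older than the two fixed ones lacks the fixes, since the article gives no lower bound.

```python
import re

FIXED_STABLE = (1, 26, 1)    # fixed releases named in the article
FIXED_MAINLINE = (1, 27, 0)

def parse_version(nginx_v_output):
    """Extract (major, minor, patch) from `nginx -V` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        raise ValueError("no nginx version string found")
    return tuple(int(x) for x in m.groups())

def has_fix(version):
    """True for 1.26.1+ on the 1.26 branch and for 1.27.0 or later."""
    # Assumption: anything older is treated as unfixed (no lower bound on the page).
    if version[:2] == (1, 26):
        return version >= FIXED_STABLE
    return version >= FIXED_MAINLINE

def quic_listeners(config_text):
    """Return (line_no, directive) for each listen directive carrying "quic"."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.split("#", 1)[0]              # drop comments
        for stmt in re.split(r"[;{}]", line):     # one directive per chunk
            words = stmt.split()
            if words[:1] == ["listen"] and "quic" in words[1:]:
                hits.append((no, " ".join(words)))
    return hits

def assess(nginx_v_output, config_text):
    """Combine the three conditions the article gives for exposure."""
    version = parse_version(nginx_v_output)
    v3_built = "--with-http_v3_module" in nginx_v_output
    listeners = quic_listeners(config_text)
    return {"version": version, "http_v3_built": v3_built,
            "quic_listeners": listeners,
            "exposed": v3_built and bool(listeners) and not has_fix(version)}

# Constructed sample inputs, not taken from a real host.
SAMPLE_V = ("nginx version: nginx/1.26.0\n"
            "configure arguments: --with-http_ssl_module --with-http_v3_module")
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3
    # listen 8443 quic;
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```

The parser is line-based: it ignores a "#" inside quoted strings and directives split across lines, so feed it the flattened dump from `nginx -T` rather than individual include files.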
Among the changes not related to the elimination of vulnerabilities in nginx 1.27.0:
- Support for specifying variables has been added to the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate" and "uwsgi_limit_rate" directives.
- Reduced memory consumption when processing long-lived requests in configurations that use the "gzip", "gunzip", "ssi", "sub_filter" or "grpc_pass" directives.
- Fixed build problems with GCC 14 when using the "--with-atomic" option.
- Errors in HTTP/3 implementation have been fixed.
Additionally, the new mainline branch of FreeNginx, 1.27.0, has been published. FreeNginx is a fork of Nginx developed by Maxim Dounin, one of the key developers of Nginx, and is positioned as a non-profit project that develops the Nginx code base without corporate interference. The new version has improved error handling when reading the request body, improved building on NetBSD 10.0, and improved writing of PID files (the “off” parameter has been added to the “pid” directive).
Source: opennet.ru
