The nginx 1.29.7 mainline release has been published, continuing development of new features. In parallel, nginx 1.28.3 has been released from the stable branch, which receives only fixes for serious bugs and vulnerabilities. These updates address six vulnerabilities, three of which lead to buffer overflows. Four of these vulnerabilities are rated as high severity (8.8 or 8.5 out of 10).
- CVE-2026-27654 — A buffer overflow in ngx_http_dav_module that occurs when WebDAV COPY and MOVE requests are processed in "location" blocks that use the alias directive. The vulnerability allows file paths to be modified to access files outside the base directory. The issue was identified using the Claude AI model.
- CVE-2026-27784, CVE-2026-32647 — buffer overflows in ngx_http_mp4_module that occur when processing specially crafted mp4 files. It is possible that exploitation of these vulnerabilities may result in more than just a crash.
- CVE-2026-27651 - NULL pointer dereference when using incorrect CRAM-MD5 or APOP authentication methods.
- CVE-2026-28753 — manipulated PTR records in DNS can be used to substitute attacker data into auth_http requests and into the XCLIENT command in the SMTP connection to the backend.
- CVE-2026-28755 - OCSP certificate check result bypass in the stream module.
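To decide which of these advisories matter for a given deployment, the following added example (not part of the original article or of nginx) scans configuration text, such as the output of `nginx -T`, for the modules and directive combinations the list mentions. The directive names (dav_methods, mp4, imap_auth/pop3_auth/smtp_auth, ssl_ocsp) come from nginx's module documentation rather than from this page, and the matching rules are simplifying assumptions, so a hit means "review and patch", not "confirmed vulnerable".

```python
import re

# Constructed sample config (not from the article) used to exercise the check.
SAMPLE = """
http { server {
    location /files/ { alias /srv/data/; dav_methods PUT COPY MOVE; }
    location /video/ { mp4; }  # pseudo-streaming enabled
} }
stream { server { listen 443 ssl; ssl_ocsp on; } }
"""

def directives(conf):
    """Yield (block_stack, name, lowercase_args) for each directive.
    Simplified tokenizer: quoting is ignored, so '#', ';' or braces inside
    quoted strings or regex locations are not handled."""
    conf = re.sub(r"#[^\n]*", "", conf)           # strip comments
    stack = []
    for m in re.finditer(r"([^;{}]*)([;{}])", conf):
        words, end = m.group(1).split(), m.group(2)
        if end == "}":
            if stack:
                stack.pop()
            continue
        name = words[0] if words else ""
        if end == "{":
            stack.append(name)                    # entering a block
        if name:
            yield tuple(stack), name, [w.lower() for w in words[1:]]

def triage(conf):
    """Return the sorted CVE ids whose affected feature appears to be configured."""
    hits, alias_in_location, dav_copy_move = set(), False, False
    for stack, name, args in directives(conf):
        top = stack[0] if stack else ""
        if name == "alias" and "location" in stack:
            alias_in_location = True
        elif name == "dav_methods" and {"copy", "move"} & set(args):
            dav_copy_move = True
        elif name == "mp4":
            hits |= {"CVE-2026-27784", "CVE-2026-32647"}
        elif top == "mail" and name in ("imap_auth", "pop3_auth", "smtp_auth") \
                and {"cram-md5", "apop"} & set(args):
            hits.add("CVE-2026-27651")
        elif top == "mail" and name == "auth_http":
            hits.add("CVE-2026-28753")
        elif top == "stream" and name == "ssl_ocsp" and args[:1] != ["off"]:
            hits.add("CVE-2026-28755")
    if alias_in_location and dav_copy_move:       # coarse: not matched per location
        hits.add("CVE-2026-27654")
    return sorted(hits)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The check does not look at the installed version; pair it with `nginx -v` to confirm whether the host is already on 1.29.7 or 1.28.3.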
Among the non-security changes in nginx 1.29.7:
- Added support for the Multipath TCP (MPTCP) protocol, which allows packets to be delivered simultaneously via multiple routes and different network interfaces. The "multipath" parameter has been added to the "listen" directive.
- The "keepalive" directive used in the "upstream" block now has a "local" parameter. When this parameter is specified, instead of sharing a single connection to a common upstream server referenced in different location and server blocks, each block maintains a separate upstream connection.
- In the "upstream" block, the "keepalive" directive is enabled by default.
- In proxy mode, the default protocol version is now HTTP/1.1 with keep-alive enabled (keep-alive support is enabled by default in the ngx_http_proxy_module module, the "proxy_http_version" directive defaults to "1.1", and the "Connection" header is no longer sent by default). To return to the old behavior, allowing access to backends that support only HTTP/1.0, set: proxy_http_version 1.0; proxy_set_header Connection "Close";
Source: opennet.ru
