Nginx 1.25.4 fixes two HTTP/3 vulnerabilities

The mainline branch release nginx 1.25.4 is out; development of new features continues in this branch. The stable branch 1.24.x, maintained in parallel, receives only changes that eliminate serious bugs and vulnerabilities. A stable branch 1.26 will later be formed from the mainline branch 1.25.x. The project code is written in C and distributed under the BSD license.

The new version fixes two vulnerabilities in the experimental module http_v3_module (disabled by default), which provides support for HTTP/3, a protocol that uses QUIC as a transport for HTTP/2. The first vulnerability (CVE-2024-24989) is caused by a null pointer dereference, and the second (CVE-2024-24990) by a use-after-free memory access. The changelog states that both vulnerabilities can only lead to a crash when processing specially crafted QUIC sessions, but the second vulnerability does not appear to have been analyzed for more serious consequences.
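An exposure check for the two CVEs above, added here as an example and not taken from the nginx project or the original article. It reads the text of `nginx -V` and of a configuration file, and assumes that any build compiled with `--with-http_v3_module` and older than 1.25.4 needs the upgrade; the function names and sample inputs are constructed.

```python
import re

FIXED = (1, 25, 4)  # release the article says carries the HTTP/3 fixes

def parse_build(nginx_v: str):
    """Return (version tuple, module compiled in?) from `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v)
    if not m:
        raise ValueError("no nginx version line found")
    version = tuple(int(x) for x in m.groups())
    args = re.search(r"^configure arguments:(.*)$", nginx_v, re.M)
    has_http3 = bool(args) and "--with-http_v3_module" in args.group(1).split()
    return version, has_http3

def quic_listeners(conf: str):
    """Return the listen directives that carry the `quic` parameter."""
    conf = re.sub(r"#.*", "", conf)  # naive comment strip (ignores quoted '#')
    hits = []
    for m in re.finditer(r"(?<![\w-])listen\s+([^;{}]+);", conf):
        params = m.group(1).split()
        if "quic" in params[1:]:  # params[0] is the address/port
            hits.append(" ".join(params))
    return hits

def assess(nginx_v: str, conf: str) -> str:
    """Classify a host: not-built, patched, built-not-enabled or exposed."""
    version, has_http3 = parse_build(nginx_v)
    if not has_http3:
        return "not-built"  # module not compiled in (the default)
    if version >= FIXED:
        return "patched"
    return "exposed" if quic_listeners(conf) else "built-not-enabled"

# Constructed samples, not taken from a real host.
SAMPLE_V = """nginx version: nginx/1.25.3
built with OpenSSL 3.0.13
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module
"""
SAMPLE_CONF = """
server {
    # listen 8443 quic;
    listen 443 ssl;
    listen 443 quic reuseport;
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF), quic_listeners(SAMPLE_CONF))
```

On a real host, feed it the captured output of `nginx -V` (which nginx writes to stderr) and the full configuration text; the check does not follow `include` directives itself.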

In addition to addressing the vulnerabilities, the new version includes general improvements and fixes to the HTTP/3 implementation, and fixes bugs related to socket leaks, socket errors, or crashes when using AIO. It resolves an issue in which connections with pending AIO operations were closed prematurely during graceful shutdown of old worker processes. It also fixes a crash when redirecting errors with code 415 via the error_page directive when SSL proxying and the image_filter directive are used.

In addition, a few days ago, njs 0.8.4, a JavaScript interpreter for the nginx web server, was released. The njs interpreter implements ECMAScript standards and allows you to expand nginx's ability to process requests using scripts in the configuration. Scripts can be used in a configuration file to define advanced logic for processing requests, generating a configuration, dynamically generating a response, modifying a request/response, or quickly creating stubs to solve problems in web applications. The new version contains only bug fixes.

Source: opennet.ru
