Nginx 1.25.4 fixes two HTTP/3 vulnerabilities

The mainline branch of nginx has been updated to 1.25.4; this is the branch in which development of new features continues. The stable branch 1.24.x, maintained in parallel, receives only changes that fix serious bugs and vulnerabilities. In the future, the stable branch 1.26 will be formed from the mainline branch 1.25.x. The project code is written in C and distributed under the BSD license.

The new version fixes two vulnerabilities in the experimental module http_v3_module (disabled by default), which provides support for the HTTP/3 protocol, which uses the QUIC protocol as a transport for HTTP/2. The first vulnerability (CVE-2024-24989) is a null pointer dereference, and the second (CVE-2024-24990) is a use-after-free. The changelog states that both vulnerabilities can only lead to a crash when processing specially crafted QUIC sessions, but the second vulnerability does not appear to have been analyzed for more serious consequences.
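Since the module is off by default, the practical question for an operator is whether a given build is exposed at all. The following triage script is an added example, not code from the article or from the nginx project: it reads a constructed `nginx -V` output and a constructed configuration fragment, and reports whether the build includes http_v3_module, whether the version predates 1.25.4, and whether any listener actually carries the `quic` parameter. The sample inputs and the "older than 1.25.4" criterion are assumptions.

```python
import re

# Constructed sample of `nginx -V` output (not taken from the article).
SAMPLE_NGINX_V = """nginx version: nginx/1.25.3
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module
"""

# Constructed sample configuration fragment with HTTP/3 enabled on one listener.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name example.test;
}
"""

FIXED_VERSION = (1, 25, 4)  # release named in the article


def parse_version(nginx_v: str):
    """Return the (major, minor, patch) tuple from `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v)
    if not m:
        raise ValueError("no nginx version line found")
    return tuple(int(x) for x in m.groups())


def has_http_v3_module(nginx_v: str) -> bool:
    """True if the build was configured with the experimental HTTP/3 module."""
    return "--with-http_v3_module" in nginx_v


def quic_listeners(conf: str):
    """Return listen directives carrying the `quic` parameter (HTTP/3 enabled)."""
    return [line.strip() for line in conf.splitlines()
            if re.match(r"\s*listen\b.*\bquic\b", line)]


def assess(nginx_v: str, conf: str) -> str:
    """Classify exposure to the HTTP/3 fixes shipped in 1.25.4.

    Assumption (mine, not the article's): any build older than 1.25.4 that
    includes the module is treated as unpatched.
    """
    version = parse_version(nginx_v)
    if not has_http_v3_module(nginx_v):
        return "not-exposed: http_v3_module not compiled in"
    if version >= FIXED_VERSION:
        return "patched: %d.%d.%d" % version
    if not quic_listeners(conf):
        return "module-present-but-unused: no quic listener; update anyway"
    return "exposed: %d.%d.%d with quic listener; update to 1.25.4" % version


if __name__ == "__main__":
    print(assess(SAMPLE_NGINX_V, SAMPLE_CONF))
```

On a real host, feed it the output of `nginx -V 2>&1` and the contents of the active configuration instead of the constructed samples.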

In addition to fixing vulnerabilities, the new version includes general improvements and fixes to the HTTP/3 implementation, as well as fixes for socket leaks, socket errors, and crashes when using AIO. An issue with connections that still had unfinished AIO operations being closed prematurely during graceful shutdown of old worker processes has been resolved. A crash when using the error_page directive to redirect 415 errors, in combination with SSL proxying and the image_filter directive, has been fixed.

Also, a few days ago, njs 0.8.4, a JavaScript interpreter for the nginx web server, was released. The njs interpreter implements the ECMAScript standards and allows nginx's request processing capabilities to be extended with scripts in the configuration. Scripts can be used in the configuration file to define advanced request processing logic, generate configurations, dynamically generate responses, modify requests and responses, or quickly create stubs to work around issues in web applications. The new version contains only bug fixes.

Source: opennet.ru
