The release of the main branch of nginx 1.29.8 has been published, in which the development of new features continues. In parallel, the stable branch 1.28.x is supported, only changes related to the elimination of serious errors and vulnerabilities are made. In the future, the stable branch 1.29 will be formed on the basis of the main branch 1.30.x. The project code is written in C and is distributed under the BSD license.
In the new release:
- The max_headers directive has been added, limiting the maximum number of HTTP headers in a request. If the limit is exceeded, a 400 (Bad Request) error is returned. This feature was ported from FreeNginx.
- Compatibility with the OpenSSL 4.0 library, which is in alpha testing, has been ensured.
- It is allowed to use masks in the "include" directive specified inside the "geo" block.
- Fixed a bug in handling HTTP responses with code 103 (Early Hints) returned by the proxied backend.
- Fixed the non-setting of the $request_port and $is_request_port variables in subrequests.
Additionally, it's worth noting the release of FreeNginx 1.29.8, a fork of Nginx. Development of the fork is being led by Maxim Dunin, one of the key Nginx developers. FreeNginx positions itself as a non-commercial project, ensuring the development of the Nginx codebase without corporate interference. FreeNginx code continues to be released under the BSD license. The new version ensures compatibility with OpenSSL 4.0. A buffer overflow (CVE-2026-27654) in the ngx_http_dav_module module, which occurs when processing WebDAV COPY and MOVE requests when using the "alias" directive in the "location" blocks, has been fixed. The possibility of manipulating PTR records in DNS to substitute attacker data (CVE-2026-28753) in auth_http requests and the XCLIENT command in the SMTP connection to the backend has been eliminated.
Source: opennet.ru
