Releases of nginx 1.21.0 and nginx 1.20.1 with security fixes

The first release of the new main branch, nginx 1.21.0, is now available; development of new features will continue in this branch. At the same time, a corrective release of the parallel-maintained stable branch, 1.20.1, has been prepared; it contains only changes that eliminate serious bugs and vulnerabilities. Next year, the 1.21 stable branch will be formed from the 1.22.x main branch.

The new versions fix a vulnerability (CVE-2021-23017) in the DNS hostname resolution code that could lead to a crash or, potentially, execution of attacker-supplied code. The problem manifests itself when handling certain DNS server responses and results in a one-byte buffer overflow. The vulnerability is only reachable when the DNS resolver is enabled in the configuration with the "resolver" directive. To carry out an attack, an attacker must be able to spoof UDP packets from a DNS server or gain control of a DNS server. The vulnerability has been present since the release of nginx 0.6.18. A patch is available to fix the problem in older releases.
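The advisory gives two conditions that must both hold for a deployment to be exposed: a version in the affected range (from 0.6.18 up to the fixes in 1.20.1 and 1.21.0) and an active "resolver" directive. The following script, an added example that is not part of the release notes or of the nginx project, turns those two conditions into a configuration check. The version string format (`nginx -v` output such as `nginx/1.20.0`) and the sample configuration are constructed for the example.

```python
import re

# Added example, not nginx project code: an exposure check for CVE-2021-23017
# based on the two conditions the advisory gives, namely a version in the
# affected range (0.6.18 up to the fixes in 1.20.1 / 1.21.0) and the
# "resolver" directive present in the configuration.

FIRST_AFFECTED = (0, 6, 18)      # bug introduced here, per the advisory
FIXED_STABLE = (1, 20, 1)        # stable branch fix
FIXED_MAINLINE = (1, 21, 0)      # mainline branch fix

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
RESOLVER_RE = re.compile(r"^\s*resolver\s+([^;]+);", re.MULTILINE)


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'nginx/1.20.0'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def version_vulnerable(text):
    """True if the upstream version string falls in the affected range.
    Distribution backports that keep the old version number cannot be
    detected this way; treat a True result as 'needs confirmation'."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    if v[:2] == (1, 20):
        return v < FIXED_STABLE
    if v >= FIXED_MAINLINE:
        return False
    # 1.19.x and older branches received no fixed release; the advisory
    # only offers a patch for them.
    return True


def strip_comments(config):
    """Drop '#' comments. A '#' inside a quoted value would also be cut,
    which is acceptable for locating a bare 'resolver' directive."""
    return re.sub(r"#.*", "", config)


def find_resolver_directives(config):
    """Return the argument string of every active 'resolver' directive.
    'resolver_timeout' does not match because whitespace must follow the name."""
    return [m.group(1).strip() for m in RESOLVER_RE.finditer(strip_comments(config))]


def assess(version_text, config):
    """Combine both conditions: exposure requires an affected version AND
    an enabled resolver; either one alone is not enough per the advisory."""
    resolvers = find_resolver_directives(config)
    vulnerable = version_vulnerable(version_text)
    return {
        "version_affected": vulnerable,
        "resolvers": resolvers,
        "exposed": vulnerable and bool(resolvers),
    }


# Constructed sample configuration (not a real deployment).
SAMPLE_CONFIG = """
http {
    resolver 127.0.0.53 valid=30s;   # active resolver in the http context
    resolver_timeout 5s;             # different directive, must not match
    server {
        listen 80;
        location /api/ {
            proxy_pass http://backend.internal.example;
        }
    }
}
stream {
    # resolver 10.0.0.2;   commented out, must not count
}
"""

if __name__ == "__main__":
    for ver in ("nginx/1.20.0", "nginx/1.20.1", "nginx/1.21.0"):
        result = assess(ver, SAMPLE_CONFIG)
        print(ver, "exposed" if result["exposed"] else "not exposed", result["resolvers"])
```

Run it against the output of `nginx -v` and the text of `nginx -T` (the dumped full configuration, which already has `include` files expanded). The version check is deliberately conservative: a distribution that backported the fix without bumping the version number will still be flagged, so confirm with the vendor's changelog before acting on a "exposed" result.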

Non-security changes in nginx 1.21.0:

  • Support for variables has been added to the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate" and "uwsgi_ssl_certificate_key" directives.
  • Support for "pipelining" has been added to the mail proxy module to send multiple POP3 or IMAP requests on the same connection, and a new "max_errors" directive has been added to define the maximum number of protocol errors after which the connection will be closed.
  • The "fastopen" parameter has been added to the stream module, enabling the "TCP Fast Open" mode for listening sockets.
  • Fixed escaping of special characters in automatic redirects that append a trailing slash.
  • Fixed an issue with client connections being closed when using SMTP pipelining.
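The following configuration fragment is an added example (not from the release notes) showing where the three new 1.21.0 features above are used: a variable as the "proxy_ssl_certificate" value, "max_errors" in the mail proxy context, and the "fastopen" parameter on a stream "listen" socket. Host names, ports and certificate paths are placeholders.

```nginx
# Added example, not part of the nginx 1.21.0 release notes.
# All names, ports and paths are placeholders.

http {
    # Variables in proxy_ssl_certificate / proxy_ssl_certificate_key (1.21.0):
    # select the client certificate presented to the upstream per request path.
    map $uri $client_cert_file {
        default      /etc/nginx/certs/default-client.pem;
        ~^/billing/  /etc/nginx/certs/billing-client.pem;
    }

    server {
        listen 80;

        location /billing/ {
            proxy_ssl_certificate     $client_cert_file;
            proxy_ssl_certificate_key $client_cert_file;  # key kept in the same PEM (placeholder)
            proxy_pass https://billing.internal.example;
        }
    }
}

mail {
    server_name mail.example.com;
    auth_http   127.0.0.1:9000/auth;

    # New in 1.21.0: close the client connection after three protocol errors,
    # which bounds what a misbehaving or probing client can do on one connection.
    max_errors 3;

    server {
        listen   143;
        protocol imap;
    }
}

stream {
    server {
        # New in 1.21.0: enable TCP Fast Open on the listening socket with a
        # queue of 256 pending connections that have not yet completed the handshake.
        listen 12345 fastopen=256;
        proxy_pass backend.internal.example:12345;
    }
}
```

Variable values for the certificate directives are evaluated at run time, so the referenced files must be readable by the worker processes for every value the map can produce; "max_errors" applies to the POP3 and IMAP pipelining support added in the same release.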

Source: opennet.ru
