From pluknet at nginx.com  Wed Aug 13 17:25:31 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 13 Aug 2025 21:25:31 +0400
Subject: nginx-1.29.1
Message-ID: <6DAF6B24-CC3D-4894-99CB-C56F8A52DED0@nginx.com>

Changes with nginx 1.29.1                                        13 Aug 2025

    *) Security: processing of a specially crafted login/password when using
       the "none" authentication method in the ngx_mail_smtp_module might
       cause worker process memory disclosure to the authentication server
       (CVE-2025-53859).

    *) Change: now TLSv1.3 certificate compression is disabled by default.

    *) Feature: the "ssl_certificate_compression" directive.

    *) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.

    *) Bugfix: the 103 response might be buffered when using HTTP/2 and the
       "early_hints" directive.

    *) Bugfix: in handling "Host" and ":authority" header lines with equal
       values when using HTTP/2; the bug had appeared in 1.17.9.

    *) Bugfix: in handling "Host" header lines with a port when using
       HTTP/3.

    *) Bugfix: nginx could not be built on NetBSD 10.0.

    *) Bugfix: in the "none" parameter of the "smtp_auth" directive.

--
Sergey Kandaurov

From fusca14 at gmail.com  Fri Aug 29 00:39:31 2025
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Thu, 28 Aug 2025 21:39:31 -0300
Subject: [PATCH] Support for Custom HTTP Status Code in deny Directive
Message-ID:

Dear NGINX Open Source Community,

I hope this message finds you well.

Recently, I encountered a use case where I needed the deny directive
from the ngx_http_access_module to return a different HTTP status code
than the default 403 (Forbidden). To address this, I developed a small
patch that allows specifying a custom status code directly in the
directive.

This patch adds support for a second parameter to the deny directive,
enabling the user to define the HTTP return code. At the moment, the
patch supports only 403 (NGX_HTTP_FORBIDDEN) and 404
(NGX_HTTP_NOT_FOUND), but it can easily be modified to accept other
status codes as needed.

I believe this enhancement might be useful for others in similar
situations. The patch is attached for your reference, review and
consideration.

I would be grateful if you could consider including it in the official
open source project.

Thank you for your time.

Fabiano Furtado
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ngx_http_access_module.c.patch
Type: text/x-patch
Size: 5212 bytes
Desc: not available
URL: