From xeioex at nginx.com Tue Jan 14 22:42:40 2025
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 14 Jan 2025 14:42:40 -0800
Subject: [nginx-announce] njs-0.8.9
Message-ID: <431b8dce-757c-44c5-92c9-5ab62987ea86@nginx.com>

Hello,

I'm glad to announce a new release of the NGINX JavaScript module (njs).

This release introduces a file system module for the QuickJS engine.

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.9                                       14 Jan 2025

    nginx modules:

    *) Bugfix: removed extra VM creation per server.
       Previously, when js_import was declared in http or stream blocks,
       an extra copy of the VM instance was created for each server
       block. This was not needed and consumed a lot of memory for
       configurations with many server blocks.
       This issue was introduced in 9b674412 (0.8.6) and was partially
       fixed for location blocks only in 685b64f0 (0.8.7).

    Core:

    *) Feature: added fs module for QuickJS engine.
From pluknet at nginx.com Wed Feb 5 17:10:26 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 5 Feb 2025 21:10:26 +0400
Subject: [nginx-announce] nginx-1.27.4
Message-ID: <0E16E13D-9D78-45F2-86DC-247504F56A7E@nginx.com>

Changes with nginx 1.27.4                                        05 Feb 2025

    *) Security: an insufficient check in virtual servers handling with
       TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual
       server, bypassing client SSL certificate verification
       (CVE-2025-23419).

    *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
       "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
       "uwsgi_ssl_certificate_cache" directives.

    *) Feature: the "keepalive_min_timeout" directive.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts
       appeared in logs when using zlib-ng.

    *) Bugfix: nginx could not build the libatomic library from the library
       sources if the --with-libatomic=DIR option was used.

    *) Bugfix: a QUIC connection might not be established when using 0-RTT;
       the bug had appeared in 1.27.1.

    *) Bugfix: nginx now ignores QUIC version negotiation packets from
       clients.

    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
       ngx_http_v3_module.

    *) Bugfixes in HTTP/3.

-- 
Sergey Kandaurov

From pluknet at nginx.com Wed Feb 5 17:10:40 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 5 Feb 2025 21:10:40 +0400
Subject: [nginx-announce] nginx-1.26.3
Message-ID: <049AC7E4-93D2-41C0-8E27-799A823A2BD3@nginx.com>

Changes with nginx 1.26.3                                        05 Feb 2025

    *) Security: an insufficient check in virtual servers handling with
       TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual
       server, bypassing client SSL certificate verification
       (CVE-2025-23419).

    *) Bugfix: in the ngx_http_mp4_module.
       Thanks to Nils Bars.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts
       appeared in logs when using zlib-ng.

    *) Bugfix: nginx could not build the libatomic library from the library
       sources if the --with-libatomic=DIR option was used.

    *) Bugfix: nginx now ignores QUIC version negotiation packets from
       clients.

    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
       ngx_http_v3_module.

    *) Bugfixes in HTTP/3.

-- 
Sergey Kandaurov

From f5sirt at F5.com Wed Feb 5 17:23:12 2025
From: f5sirt at F5.com (F5SIRT)
Date: Wed, 5 Feb 2025 17:23:12 +0000
Subject: [nginx-announce] nginx security advisory (CVE-2025-23419)
Message-ID:

A problem with SSL session resumption in nginx was identified. It was
possible to reuse SSL sessions in name-based virtual hosts in unrelated
contexts, allowing a bypass of client certificate authentication in some
configurations (CVE-2025-23419).

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.
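The advisory above states the exposure conditions as a conjunction: an nginx build from 1.11.4 up to the fixed 1.26.3/1.27.4 releases, TLSv1.3 enabled, session resumption enabled via ssl_session_cache or ssl_session_tickets, and a virtual server that relies on client certificate verification. The following is an added example, written here for triage and not code from nginx or F5 SIRT: it checks an "nginx -v" banner against the version range the advisory gives and walks a constructed nginx.conf to list the server blocks that meet all of the configuration conditions. The directive defaults it assumes (ssl_protocols "TLSv1.2 TLSv1.3", ssl_session_tickets on, ssl_session_cache none, ssl_verify_client off) are taken from the ngx_http_ssl_module documentation and should be verified against the nginx version actually deployed; the per-server evaluation is a triage approximation of the advisory's global statement, and upgrading to 1.26.3 or 1.27.4 remains the fix.

```python
"""Triage helper for CVE-2025-23419 (added example, not nginx's or F5's code).

Flags nginx versions inside the affected range stated in the advisory and
virtual servers whose effective configuration combines client certificate
verification with TLSv1.3 and session resumption.
"""
import re

FIRST_AFFECTED = (1, 11, 4)   # advisory: "nginx 1.11.4 and newer"
FIXED_STABLE = (1, 26, 3)     # advisory: fixed in 1.26.3
FIXED_MAINLINE = (1, 27, 4)   # advisory: fixed in 1.27.4

# Assumed documented defaults of ngx_http_ssl_module; verify for your version.
DEFAULTS = {
    "ssl_protocols": ["TLSv1.2", "TLSv1.3"],
    "ssl_session_tickets": ["on"],
    "ssl_session_cache": ["none"],
    "ssl_verify_client": ["off"],
}

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def parse_version(banner):
    """Extract (major, minor, patch) from 'nginx -v' style output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def version_affected(v):
    """True when the version lacks the fix: 1.11.4 <= v < 1.26.3, or the
    1.27 mainline branch before 1.27.4. 1.27.4 and later carry the fix."""
    if v < FIRST_AFFECTED:
        return False
    if v < FIXED_STABLE:
        return True
    return (1, 27, 0) <= v < FIXED_MAINLINE


def parse_nginx(text):
    """Minimal nginx.conf parser: list of (directive, args, children-or-None)."""
    tokens = TOKEN_RE.findall(re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                pos += 1
                return items
            stmt = []
            while tokens[pos] not in ("{", ";"):
                stmt.append(tokens[pos])
                pos += 1
            terminator = tokens[pos]
            pos += 1
            children = block() if terminator == "{" else None
            items.append((stmt[0], stmt[1:], children))
        return items

    return block()


def effective(items, inherited):
    """Overlay one block's SSL directives on the settings inherited from above."""
    eff = dict(inherited)
    for name, args, _ in items:
        if name in DEFAULTS:
            eff[name] = args
    return eff


def resumption_enabled(eff):
    """Resumption is possible via tickets or via a session cache that is not off/none."""
    cache = eff["ssl_session_cache"][0]
    tickets = eff["ssl_session_tickets"][0]
    return tickets == "on" or cache not in ("off", "none")


def find_exposed_servers(config_text):
    """server_name of each server block verifying client certs while TLSv1.3
    and session resumption are both enabled (the advisory's conditions)."""
    exposed = []
    for name, _args, children in parse_nginx(config_text):
        if name != "http" or children is None:
            continue
        http_eff = effective(children, DEFAULTS)
        for cname, _cargs, cchildren in children:
            if cname != "server" or cchildren is None:
                continue
            eff = effective(cchildren, http_eff)
            server_name = next((a[0] for n, a, _ in cchildren
                                if n == "server_name" and a), "-")
            if (eff["ssl_verify_client"][0] != "off"
                    and "TLSv1.3" in eff["ssl_protocols"]
                    and resumption_enabled(eff)):
                exposed.append(server_name)
    return exposed


# Constructed sample config for the demonstration; paths are placeholders.
SAMPLE_CONFIG = """
http {
    ssl_session_cache shared:SSL:10m;   # resumption enabled for every server
    server {
        listen 443 ssl;
        server_name public.example;
        ssl_certificate /etc/nginx/public.pem;
        ssl_certificate_key /etc/nginx/public.key;
    }
    server {
        listen 443 ssl;
        server_name mtls.example;
        ssl_client_certificate /etc/nginx/ca.pem;
        ssl_verify_client on;      # depends on the verification the bug bypasses
    }
    server {
        listen 443 ssl;
        server_name hardened.example;
        ssl_verify_client on;
        ssl_session_cache off;     # resumption disabled in this server
        ssl_session_tickets off;
    }
}
"""

if __name__ == "__main__":
    banner = "nginx version: nginx/1.27.3"   # constructed banner
    print("build affected:", version_affected(parse_version(banner)))
    print("exposed servers:", find_exposed_servers(SAMPLE_CONFIG))
```

Run against a real deployment by feeding it the output of "nginx -v" and the effective configuration from "nginx -T"; a non-empty list on an affected build is the signal to prioritise the upgrade to 1.26.3 or 1.27.4.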