From xeioex at nginx.com Tue Jan 14 22:42:40 2025
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 14 Jan 2025 14:42:40 -0800
Subject: [nginx-announce] njs-0.8.9
Message-ID: <431b8dce-757c-44c5-92c9-5ab62987ea86@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release introduced file system module for QuickJS engine.

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.9                                       14 Jan 2025

    nginx modules:

    *) Bugfix: removed extra VM creation per server.
       Previously, when js_import was declared in http or stream blocks,
       an extra copy of the VM instance was created for each server
       block. This was not needed and consumed a lot of memory for
       configurations with many server blocks.

       This issue was introduced in 9b674412 (0.8.6) and was partially
       fixed for location blocks only in 685b64f0 (0.8.7).

    Core:

    *) Feature: added fs module for QuickJS engine.

From pluknet at nginx.com Wed Feb 5 17:10:26 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 5 Feb 2025 21:10:26 +0400
Subject: [nginx-announce] nginx-1.27.4
Message-ID: <0E16E13D-9D78-45F2-86DC-247504F56A7E@nginx.com>

Changes with nginx 1.27.4                                        05 Feb 2025

    *) Security: insufficient check in virtual servers handling with TLSv1.3
       SNI allowed to reuse SSL sessions in a different virtual server, to
       bypass client SSL certificates verification (CVE-2025-23419).

    *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
       "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
       "uwsgi_ssl_certificate_cache" directives.

    *) Feature: the "keepalive_min_timeout" directive.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts
       appeared in logs when using zlib-ng.

    *) Bugfix: nginx could not build libatomic library using the library
       sources if the --with-libatomic=DIR option was used.

    *) Bugfix: QUIC connection might not be established when using 0-RTT;
       the bug had appeared in 1.27.1.

    *) Bugfix: nginx now ignores QUIC version negotiation packets from
       clients.

    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
       ngx_http_v3_module.

    *) Bugfixes in HTTP/3.

--
Sergey Kandaurov

From pluknet at nginx.com Wed Feb 5 17:10:40 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 5 Feb 2025 21:10:40 +0400
Subject: [nginx-announce] nginx-1.26.3
Message-ID: <049AC7E4-93D2-41C0-8E27-799A823A2BD3@nginx.com>

Changes with nginx 1.26.3                                        05 Feb 2025

    *) Security: insufficient check in virtual servers handling with TLSv1.3
       SNI allowed to reuse SSL sessions in a different virtual server, to
       bypass client SSL certificates verification (CVE-2025-23419).

    *) Bugfix: in the ngx_http_mp4_module.
       Thanks to Nils Bars.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts
       appeared in logs when using zlib-ng.

    *) Bugfix: nginx could not build libatomic library using the library
       sources if the --with-libatomic=DIR option was used.

    *) Bugfix: nginx now ignores QUIC version negotiation packets from
       clients.

    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
       ngx_http_v3_module.

    *) Bugfixes in HTTP/3.

--
Sergey Kandaurov

From f5sirt at F5.com Wed Feb 5 17:23:12 2025
From: f5sirt at F5.com (F5SIRT)
Date: Wed, 5 Feb 2025 17:23:12 +0000
Subject: [nginx-announce] nginx security advisory (CVE-2025-23419)
Message-ID:

A problem with SSL session resumption in nginx was identified.
It was possible to reuse SSL sessions in name-based virtual hosts
in unrelated contexts, allowing to bypass client certificate
authentication in some configurations (CVE-2025-23419).

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.

From xeioex at nginx.com Tue Apr 8 21:56:43 2025
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 8 Apr 2025 14:56:43 -0700
Subject: [nginx-announce] njs-0.8.10
Message-ID: <8d6f0793-da67-4453-905a-54154a4dff2c@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release introduced WebCrypto API, TextEncoder, TextDecoder,
crypto, querystring, xml modules for QuickJS engine.

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.10                                      08 Apr 2025

    nginx modules:

    *) Feature: reading r.requestText or r.requestBuffer from
       a temp file.
       Previously, an exception was thrown when accessing r.requestText
       or r.requestBuffer if a client request body size exceeded
       client_body_buffer_size.

    *) Improvement: improved reporting of unhandled promise rejections.

    *) Bugfix: fixed name corruption in variable and header processing.

    *) Bugfix: fixed SharedDict.incr() with empty init argument
       for QuickJS engine.

    *) Bugfix: accepting response headers with underscore characters
       in Fetch API.

    Core:

    *) Change: fixed serializeToString().
       Previously, serializeToString() was exclusiveC14n() which returned
       string instead of Buffer. According to the published documentation it
       should be c14n().

    *) Feature: added WebCrypto API for QuickJS engine.

    *) Feature: added TextEncoder/TextDecoder for QuickJS engine.

    *) Feature: added querystring module for QuickJS engine.

    *) Feature: added crypto module for QuickJS engine.

    *) Feature: added xml module for QuickJS engine.

    *) Feature: added support for QuickJS-NG library.

    *) Bugfix: fixed buffer.concat() with a single argument in quickjs.

    *) Bugfix: added missed syntax error for await in template literal.

    *) Bugfix: fixed non-NULL terminated strings formatting in
       exceptions for QuickJS engine.

    *) Bugfix: fixed compatibility with recent change in QuickJS
       and QuickJS-NG.

From pluknet at nginx.com Wed Apr 16 14:14:14 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 16 Apr 2025 18:14:14 +0400
Subject: [nginx-announce] nginx-1.27.5
Message-ID:

Changes with nginx 1.27.5                                        16 Apr 2025

    *) Feature: CUBIC congestion control in QUIC connections.

    *) Change: the maximum size limit for SSL sessions cached in shared
       memory has been raised to 8192.

    *) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file",
       and "uwsgi_ssl_password_file" directives when loading SSL
       certificates and encrypted keys from variables; the bug had appeared
       in 1.23.1.

    *) Bugfix: in the $ssl_curve and $ssl_curves variables when using
       pluggable curves in OpenSSL.

    *) Bugfix: nginx could not be built with musl libc.
       Thanks to Piotr Sikora.

    *) Performance improvements and bugfixes in HTTP/3.

--
Sergey Kandaurov

From pluknet at nginx.com Wed Apr 23 13:59:44 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 23 Apr 2025 17:59:44 +0400
Subject: [nginx-announce] nginx-1.28.0
Message-ID: <32590AE5-B964-4954-BDDE-E46B9FF65E9C@nginx.com>

Changes with nginx 1.28.0                                        23 Apr 2025

    *) 1.28.x stable branch.

    *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
       ngx_http_v3_module modules were used.

    *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
       optimization if ngx_http_v3_module was used.

--
Sergey Kandaurov

From xeioex at nginx.com Tue May 6 19:36:18 2025
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 6 May 2025 12:36:18 -0700
Subject: [nginx-announce] njs-0.9.0
Message-ID: <9afcc87c-9be3-4625-87a2-cd147c2b9f24@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release features a 30% performance improvement for the njs engine
and support for GCC 15.

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.9.0                                       06 May 2025

    Core:

    *) Feature: refactored working with built-in strings, symbols
       and small integers.
       Performance improvements (arewefastyet/benchmarks/v8-v7 benchmark):
       Richards: +57% (631 → 989)
       Crypto: +7% (1445 → 1551)
       RayTrace: +37% (562 → 772)
       NavierStokes: +20% (2062 → 2465)
       Overall score: +29% (1014 → 1307)

    *) Bugfix: fixed handling of undefined values of a captured group
       in RegExp.prototype[Symbol.split]().

    *) Bugfix: fixed GCC 15 build with -Wunterminated-string-initialization.

From pluknet at nginx.com Tue Jun 24 19:01:05 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Tue, 24 Jun 2025 23:01:05 +0400
Subject: [nginx-announce] nginx-1.29.0
Message-ID: <69FAFB79-EB7F-488A-97E4-05A52BD3F2D9@nginx.com>

Changes with nginx 1.29.0                                        24 Jun 2025

    *) Feature: support for response code 103 from proxy and gRPC backends;
       the "early_hints" directive.

    *) Feature: loading of secret keys from hardware tokens with OpenSSL
       provider.

    *) Feature: support for the "so_keepalive" parameter of the "listen"
       directive on macOS.

    *) Change: the logging level of SSL errors in a QUIC handshake has been
       changed from "error" to "crit" for critical errors, and to "info" for
       the rest; the logging level of unsupported QUIC transport parameters
       has been lowered from "info" to "debug".

    *) Change: the native nginx/Windows binary release is now built using
       Windows SDK 10.

    *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
       ngx_http_v3_module modules were used.

    *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
       optimization if ngx_http_v3_module was used.

    *) Bugfixes and improvements in HTTP/3.

--
Sergey Kandaurov

From xeioex at nginx.com Thu Jul 10 21:38:24 2025
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Thu, 10 Jul 2025 14:38:24 -0700
Subject: [nginx-announce] njs-0.9.1
Message-ID: <63fe06e0-4533-470c-9f59-ac764bf7cf3d@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release adds Fetch API support to the QuickJS engine, bringing it
to feature parity with njs. Additionally, the shared dictionary now
includes state file support, allowing its contents to persist across
nginx restarts.

Read more about QuickJS support:
    https://blog.nginx.org/blog/quickjs-engine-support-for-njs

Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.9.1                                       10 Jul 2025

    nginx modules:

    *) Feature: added Fetch API for QuickJS engine.

    *) Feature: added state file for a shared dictionary.

    *) Bugfix: fixed handling of Content-Length header when
       a body is provided for Fetch API.

    *) Bugfix: fixed qjs engine after bellard/quickjs at 458c34d2.

    *) Bugfix: fixed NULL pointer dereference when processing
       If-* headers.

    Core:

    *) Feature: added ECDH support for WebCrypto.

    *) Improvement: reduced memory consumption by the object hash.
       The new hash uses 42% less memory per element.

    *) Improvement: reduced memory consumption for concatenation of
       numbers and strings.

    *) Improvement: reduced memory consumption of
       String.prototype.concat() with scalar values.

    *) Bugfix: fixed segfault in njs_property_query().
       The issue was introduced in b28e50b1 (0.9.0).

    *) Bugfix: fixed Function constructor template injection.

    *) Bugfix: fixed GCC compilation with O3 optimization level.

    *) Bugfix: fixed constant is too large for 'long' warning
       on MIPS -mabi=n32.

    *) Bugfix: fixed compilation with GCC 4.1.

    *) Bugfix: fixed %TypedArray%.from() with the buffer is detached
       by the mapper.

    *) Bugfix: fixed %TypedArray%.prototype.slice() with overlapping
       buffers.

    *) Bugfix: fixed handling of detached buffers for typed arrays.

    *) Bugfix: fixed frame saving for async functions with
       closures.

    *) Bugfix: fixed RegExp compilation of patterns with
       escaped '[' characters.

From pluknet at nginx.com Wed Aug 13 17:19:56 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 13 Aug 2025 21:19:56 +0400
Subject: [nginx-announce] nginx security advisory (CVE-2025-53859)
Message-ID: <42BC2566-479A-4E13-9B73-763F15D9723D@nginx.com>

A security issue was identified in ngx_mail_smtp_module, which might allow
an attacker to cause buffer over-read, potentially resulting in sensitive
information leak in a HTTP request to the authentication server
(CVE-2025-53859).

The issue happens during the SMTP authentication process and requires
the attacker to make preparations against the target system to extract
the leaked data.

The issue affects nginx 0.7.22-1.29.0.
The issue is fixed in nginx 1.29.1.

For older versions, any of the following measures can be used
as a temporary workaround:

(1) disable the "none" parameter in the "smtp_auth" directive.
(2) remove the "Auth-Wait" header line in the authentication server
    response.

Patch for the issue can be found here:

https://nginx.org/download/patch.2025.smtp.txt

--
Sergey Kandaurov

From pluknet at nginx.com Wed Aug 13 17:25:27 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 13 Aug 2025 21:25:27 +0400
Subject: [nginx-announce] nginx-1.29.1
Message-ID: <5B491885-D049-435F-8C6B-7733D21F1F36@nginx.com>

Changes with nginx 1.29.1                                        13 Aug 2025

    *) Security: processing of a specially crafted login/password when using
       the "none" authentication method in the ngx_mail_smtp_module might
       cause worker process memory disclosure to the authentication server
       (CVE-2025-53859).

    *) Change: now TLSv1.3 certificate compression is disabled by default.

    *) Feature: the "ssl_certificate_compression" directive.

    *) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.

    *) Bugfix: the 103 response might be buffered when using HTTP/2 and the
       "early_hints" directive.

    *) Bugfix: in handling "Host" and ":authority" header lines with equal
       values when using HTTP/2; the bug had appeared in 1.17.9.

    *) Bugfix: in handling "Host" header lines with a port when using
       HTTP/3.

    *) Bugfix: nginx could not be built on NetBSD 10.0.

    *) Bugfix: in the "none" parameter of the "smtp_auth" directive.

--
Sergey Kandaurov
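
The following is an added example, not part of any list message and not nginx project code: a Python check that applies the version ranges stated in the two advisories in this archive (CVE-2025-23419, CVE-2025-53859) and flags "smtp_auth" directives that list "none", the condition behind workaround (1). All function names and the sample configuration are constructed for illustration.

```python
import re

def parse_version(text):
    """Pull (major, minor, patch) out of e.g. 'nginx version: nginx/1.29.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version in %r" % text)
    return tuple(int(part) for part in m.groups())

def in_range_cve_2025_23419(v):
    # Advisory: affects 1.11.4 and newer; fixed in 1.26.3 and 1.27.4.
    # Version only: the OpenSSL/TLSv1.3/session-resumption conditions are not checked.
    if v < (1, 11, 4):
        return False
    return v < (1, 27, 4) if v[:2] == (1, 27) else v < (1, 26, 3)

def in_range_cve_2025_53859(v):
    # Advisory: affects 0.7.22-1.29.0; fixed in 1.29.1.
    return (0, 7, 22) <= v <= (1, 29, 0)

def smtp_auth_none_lines(config_text):
    """Line numbers of smtp_auth directives that list the "none" method."""
    # Comments are removed up to (not including) the newline, so line numbers survive.
    stripped = re.sub(r"#[^\n]*", "", config_text)
    hits = []
    for m in re.finditer(r"(?<![\w$])smtp_auth\s+([^;{}]*);", stripped):
        if "none" in m.group(1).split():
            hits.append(stripped.count("\n", 0, m.start()) + 1)
    return hits

def audit(version_text, config_text):
    """Return (cve, detail) findings using only the conditions the advisories state."""
    v, findings = parse_version(version_text), []
    if in_range_cve_2025_23419(v):
        findings.append(("CVE-2025-23419", "version in affected range"))
    if in_range_cve_2025_53859(v):
        for line in smtp_auth_none_lines(config_text):
            findings.append(("CVE-2025-53859", 'smtp_auth lists "none" at line %d' % line))
    return findings

# Constructed sample configuration (address and ports are illustrative).
SAMPLE_CONF = """\
mail {
    auth_http 127.0.0.1:9000/auth;
    server { listen 25;  protocol smtp; smtp_auth login plain none; }
    # smtp_auth none;   (commented out, must not be flagged)
    server { listen 587; protocol smtp; smtp_auth login plain; }
}
"""
```

In practice the version string would come from the output of `nginx -v` and the configuration text from `nginx -T`, which prints the full configuration with includes resolved.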