From xeioex at nginx.com Tue Jan 14 22:42:40 2025 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 14 Jan 2025 14:42:40 -0800 Subject: [nginx-announce] njs-0.8.9 Message-ID: <431b8dce-757c-44c5-92c9-5ab62987ea86@nginx.com> Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release introduced file system module for QuickJS engine. Learn more about njs: - Overview and introduction:       https://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration:       https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code:       https://youtu.be/0CVhq4AUU7M - Using node modules with njs:       https://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files:       https://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github:       https://github.com/nginx/njs/issues Additional examples and howtos can be found here: - Github:       https://github.com/nginx/njs-examples Changes with njs 0.8.9                                       14 Jan 2025     nginx modules:     *) Bugfix: removed extra VM creation per server.        Previously, when js_import was declared in http or stream blocks,        an extra copy of the VM instance was created for each server        block. This was not needed and consumed a lot of memory for        configurations with many server blocks.       This issue was introduced in 9b674412 (0.8.6) and was partially       fixed for location blocks only in 685b64f0 (0.8.7).     Core:     *) Feature: added fs module for QuickJS engine. From pluknet at nginx.com Wed Feb 5 17:10:26 2025 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 5 Feb 2025 21:10:26 +0400 Subject: [nginx-announce] nginx-1.27.4 Message-ID: <0E16E13D-9D78-45F2-86DC-247504F56A7E@nginx.com> Changes with nginx 1.27.4 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and "uwsgi_ssl_certificate_cache" directives. *) Feature: the "keepalive_min_timeout" directive. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -- Sergey Kandaurov From pluknet at nginx.com Wed Feb 5 17:10:40 2025 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 5 Feb 2025 21:10:40 +0400 Subject: [nginx-announce] nginx-1.26.3 Message-ID: <049AC7E4-93D2-41C0-8E27-799A823A2BD3@nginx.com> Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -- Sergey Kandaurov From f5sirt at F5.com Wed Feb 5 17:23:12 2025 From: f5sirt at F5.com (F5SIRT) Date: Wed, 5 Feb 2025 17:23:12 +0000 Subject: [nginx-announce] nginx security advisory (CVE-2025-23419) Message-ID: A problem with SSL session resumption in nginx was identified. It was possible to reuse SSL sessions in named-based virtual hosts in unrelated contexts, allowing to bypass client certificate authentication in some configurations (CVE-2025-23419). The problem affects nginx 1.11.4 and newer built with OpenSSL if the TLSv1.3 protocol and session resumption are enabled either with ssl_session_cache or ssl_session_tickets. The problem is fixed in 1.26.3 and 1.27.4. From xeioex at nginx.com Tue Apr 8 21:56:43 2025 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 8 Apr 2025 14:56:43 -0700 Subject: [nginx-announce] njs-0.8.10 Message-ID: <8d6f0793-da67-4453-905a-54154a4dff2c@nginx.com> Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release introduced WebCrypto API, TextEncoder, TextDecoder, crypto, querystring, xml modules for QuickJS engine. Learn more about njs: - Overview and introduction:       https://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration:       https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code:       https://youtu.be/0CVhq4AUU7M - Using node modules with njs:       https://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files:       https://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github:       https://github.com/nginx/njs/issues Additional examples and howtos can be found here: - Github:       https://github.com/nginx/njs-examples Changes with njs 0.8.10                                          08 Apr 2025     nginx modules:     *) Feature: reading r.requestText or r.requestBuffer from        a temp file.        Previously, an exception was thrown when accessing r.requestText        or r.requestBuffer if a client request body size exceeded        client_body_buffer_size.     *) Improvement: improved reporting of unhandled promise rejections.     *) Bugfix: fixed name corruption in variable and header processing.     *) Bugfix: fixed SharedDict.incr() with empty init argument        for QuickJS engine.     *) Bugfix: accepting response headers with underscore characters        in Fetch API.     Core:     *) Change: fixed serializeToString().        Previously, serializeToString() was exclusiveC14n() which returned        string instead of Buffer. According to the published documentation it        should be c14n().     *) Feature: added WebCrypto API for QuickJS engine.     *) Feature: added TextEncoder/TextDecoder for QuickJS engine.     *) Feature: added querystring module for QuickJS engine.     *) Feature: added crypto module for QuickJS engine.     *) Feature: added xml module for QuickJS engine.     *) Feature: added support for QuickJS-NG library.     *) Bugfix: fixed buffer.concat() with a single argument in quickjs.     *) Bugfix: added missed syntax error for await in template literal.     *) Bugfix: fixed non-NULL terminated strings formatting in        exceptions for QuickJS engine.     *) Bugfix: fixed compatibility with recent change in QuickJS        and QuickJS-NG. From pluknet at nginx.com Wed Apr 16 14:14:14 2025 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 16 Apr 2025 18:14:14 +0400 Subject: [nginx-announce] nginx-1.27.5 Message-ID: Changes with nginx 1.27.5 16 Apr 2025 *) Feature: CUBIC congestion control in QUIC connections. *) Change: the maximum size limit for SSL sessions cached in shared memory has been raised to 8192. *) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file", and "uwsgi_ssl_password_file" directives when loading SSL certificates and encrypted keys from variables; the bug had appeared in 1.23.1. *) Bugfix: in the $ssl_curve and $ssl_curves variables when using pluggable curves in OpenSSL. *) Bugfix: nginx could not be built with musl libc. Thanks to Piotr Sikora. *) Performance improvements and bugfixes in HTTP/3. -- Sergey Kandaurov From pluknet at nginx.com Wed Apr 23 13:59:44 2025 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 23 Apr 2025 17:59:44 +0400 Subject: [nginx-announce] nginx-1.28.0 Message-ID: <32590AE5-B964-4954-BDDE-E46B9FF65E9C@nginx.com> Changes with nginx 1.28.0 23 Apr 2025 *) 1.28.x stable branch. *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or ngx_http_v3_module modules were used. *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto optimization if ngx_http_v3_module was used. -- Sergey Kandaurov From xeioex at nginx.com Tue May 6 19:36:18 2025 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 6 May 2025 12:36:18 -0700 Subject: [nginx-announce] njs-0.9.0 Message-ID: <9afcc87c-9be3-4625-87a2-cd147c2b9f24@nginx.com> Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release features a 30% performance improvement for the njs engine and support for GCC 15. Learn more about njs: - Overview and introduction:       https://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration:       https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code:       https://youtu.be/0CVhq4AUU7M - Using node modules with njs:       https://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files:       https://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github:       https://github.com/nginx/njs/issues Additional examples and howtos can be found here: - Github:       https://github.com/nginx/njs-examples Changes with njs 0.9.0                                       06 May 2025      Core:      *) Feature: refactored working with built-in strings, symbols         and small integers.         Performance improvements (arewefastyet/benchmarks/v8-v7 benchmark):         Richards: +57% (631 → 989)         Crypto: +7% (1445 → 1551)         RayTrace: +37% (562 → 772)         NavierStokes: +20% (2062 → 2465)         Overall score: +29% (1014 → 1307)     *) Bugfix: fixed handling of undefined values of a captured group        in RegExp.prototype[Symbol.split]().     *) Bugfix: fixed GCC 15 build with -Wunterminated-string-initialization.