From pluknet at nginx.com  Wed Feb  5 17:10:19 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 5 Feb 2025 21:10:19 +0400
Subject: nginx-1.27.4
Message-ID: <CE05777B-8C97-4250-9110-781A58910AAE@nginx.com>

Changes with nginx 1.27.4                                        05 Feb 2025

    *) Security: insufficient check in virtual servers handling with TLSv1.3
       SNI allowed to reuse SSL sessions in a different virtual server, to
       bypass client SSL certificates verification (CVE-2025-23419).

    *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
       "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
       "uwsgi_ssl_certificate_cache" directives.

    *) Feature: the "keepalive_min_timeout" directive.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts
       appeared in logs when using zlib-ng.

    *) Bugfix: nginx could not build libatomic library using the library
       sources if the --with-libatomic=DIR option was used.

    *) Bugfix: QUIC connection might not be established when using 0-RTT;
       the bug had appeared in 1.27.1.

    *) Bugfix: nginx now ignores QUIC version negotiation packets from
       clients.

    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
       ngx_http_v3_module.

    *) Bugfixes in HTTP/3.


-- 
Sergey Kandaurov

From pluknet at nginx.com  Wed Feb  5 17:10:33 2025
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 5 Feb 2025 21:10:33 +0400
Subject: nginx-1.26.3
Message-ID: <BA13626A-F01C-4061-A336-FAB1859CD50A@nginx.com>

Changes with nginx 1.26.3                                        05 Feb 2025

    *) Security: insufficient check in virtual servers handling with TLSv1.3
       SNI allowed to reuse SSL sessions in a different virtual server, to
       bypass client SSL certificates verification (CVE-2025-23419).

    *) Bugfix: in the ngx_http_mp4_module.
       Thanks to Nils Bars.

    *) Workaround: "gzip filter failed to use preallocated memory" alerts
       appeared in logs when using zlib-ng.

    *) Bugfix: nginx could not build libatomic library using the library
       sources if the --with-libatomic=DIR option was used.

    *) Bugfix: nginx now ignores QUIC version negotiation packets from
       clients.

    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the
       ngx_http_v3_module.

    *) Bugfixes in HTTP/3.


-- 
Sergey Kandaurov