Release Watcher - nginx release-1.29.7

Release list
-1.30.0	2026-04-14
-1.29.8	2026-04-07
-1.28.3	2026-03-24
-1.29.7	2026-03-24
-1.29.6	2026-03-10
-1.29.5	2026-02-04
-1.28.2	2026-02-04
-1.28.1	2025-12-23
-1.29.4	2025-12-09
-1.29.3	2025-10-28 6m+
-1.29.2	2025-10-07 6m+
-1.29.1	2025-08-13 6m+
-1.29.0	2025-06-25 6m+
-1.28.0	2025-04-24 1y+
-1.27.5	2025-04-16 1y+
-1.26.3	2025-02-05 1y+
-1.27.4	2025-02-05 1y+
-1.27.3	2024-11-26 1y+
-1.27.2	2024-10-29 1y+

nginx-1.29.7 mainline version has been released, introducing two significant updates: support for Multipath TCP and upgrading the default HTTP version to HTTP/1.1 with keep-alive enabled. This release also includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

Version bump 1.29.7. by @arut in https://github.com/nginx/nginx/pull/1181
Proxy authentication definitions. by @arut in https://github.com/nginx/nginx/pull/1178
Proxy: reset pending control frames on HTTP/2 upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1135
gRPC: reset buffer chains on upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1136
Multipath TCP support by @pluknet in https://github.com/nginx/nginx/pull/931
Logs: added COMPAT padding to ngx_log_t. by @dplotnikov-f5 in https://github.com/nginx/nginx/pull/1196
Upstream keepalive: enabled keepalive module by default. by @roman-f5 in https://github.com/nginx/nginx/pull/1080
Upstream keepalive: fixed parameter parsing. by @arut in https://github.com/nginx/nginx/pull/1207
Mp4: avoid zero size buffers in output. by @arut in https://github.com/nginx/nginx/pull/1149
Mp4: fixed possible integer overflow on 32-bit platforms. by @arut in https://github.com/nginx/nginx/pull/1209
Dav: destination length validation for COPY and MOVE. by @arut in https://github.com/nginx/nginx/pull/1210
Mail: host validation. by @arut in https://github.com/nginx/nginx/pull/1211
Mail: fixed clearing s->passwd in auth http requests. by @arut in https://github.com/nginx/nginx/pull/1212
Stream: fixed client certificate validation with OCSP. by @arut in https://github.com/nginx/nginx/pull/1213
nginx-1.29.7-RELEASE by @arut in https://github.com/nginx/nginx/pull/1215

New Contributors

@devnexen made their first contribution in https://github.com/nginx/nginx/pull/1135

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.6...release-1.29.7