nginx
nginx-1.31.0 mainline version has been released with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926), buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-42934), address spoofing vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701). Additionally, the release features support for HTTP forward proxy.
See official CHANGES on nginx.org.
Below is a release summary generated by GitHub.
What's Changed
- GH: add a workflow to check for the 'version bump' commit by @ac000 in https://github.com/nginx/nginx/pull/1240
- Connection specific headers by @arut in https://github.com/nginx/nginx/pull/1257
- Updated OpenSSL used for win32 builds. by @pluknet in https://github.com/nginx/nginx/pull/1269
- SSL: logging level fixes. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1258
- Changes in ngx_quic_cbs_recv_rcd() by @pluknet in https://github.com/nginx/nginx/pull/1279
- SSL: log SSL_R_RECORD_LAYER_FAILURE at info level by @Smeet23 in https://github.com/nginx/nginx/pull/1267
- Restrict duplicate TE headers in HTTP/2 and HTTP/3. by @arut in https://github.com/nginx/nginx/pull/1275
- HTTP/3: optimize encoder stream memory usage by @arut in https://github.com/nginx/nginx/pull/1274
- Stream: support ALPN for proxy_ssl upstream. by @VadimZhestikov in https://github.com/nginx/nginx/pull/1109
- Prevent Undefined Behaviour in memcpy(3) via ngx_init_cycle() by @ac000 in https://github.com/nginx/nginx/pull/1082
- GH: Add various bits of GitHub automation by @ac000 in https://github.com/nginx/nginx/pull/1172
- Configure: added synonym for the upstream sticky module option by @hyuan-netizen in https://github.com/nginx/nginx/pull/1292
- Stream: evaluate proxy_ssl_alpn once by @pluknet in https://github.com/nginx/nginx/pull/1304
- Request body: fixed empty body buffering special case. by @pluknet in https://github.com/nginx/nginx/pull/977
- Configure: fix gcc version detection in some corner cases by @ac000 in https://github.com/nginx/nginx/pull/1305
- Upstream: least_time load balancing for HTTP and stream. by @saikrishnakumarreddy in https://github.com/nginx/nginx/pull/1306
- Dav: improved path validation for COPY and MOVE operations by @saikrishnakumarreddy in https://github.com/nginx/nginx/pull/1307
- Proxy: fix keepalive for HTTP/2 when no body is specified by @arut in https://github.com/nginx/nginx/pull/1314
- GH: update the stale PR/issue workflow by @ac000 in https://github.com/nginx/nginx/pull/1315
- HTTP CONNECT proxy. by @arut in https://github.com/nginx/nginx/pull/707
- Reject HTTP CONNECT method with no port after colon by @pluknet in https://github.com/nginx/nginx/pull/1335
- GH: set new issues creation date by @ac000 in https://github.com/nginx/nginx/pull/1272
- nginx-1.31.0-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1350
New Contributors
- @Smeet23 made their first contribution in https://github.com/nginx/nginx/pull/1267
- @hyuan-netizen made their first contribution in https://github.com/nginx/nginx/pull/1292
- @saikrishnakumarreddy made their first contribution in https://github.com/nginx/nginx/pull/1306
Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.8...release-1.31.0