Change8

release-1.29.7

📦 nginx
4 features 🐛 13 fixes 🔧 7 symbols

Summary

Nginx 1.29.7 introduces support for Multipath TCP and defaults upstream connections to HTTP/1.1 with keep-alive enabled, alongside numerous security fixes across several modules.

Migration Steps

  1. Review your configuration if you rely on specific HTTP/1.0 behavior or on explicit non-keep-alive upstream connections: HTTP/1.1 with keep-alive is now the default for upstreams.

✨ New Features

  • Added support for Multipath TCP.
  • Upgraded the default HTTP version to HTTP/1.1 with keep-alive enabled for upstream connections.
  • Added proxy authentication definitions.
  • Enabled keepalive module by default for upstream connections.

🐛 Bug Fixes

  • Fixed buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654).
  • Fixed buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647).
  • Fixed mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753).
  • Fixed OCSP result bypass vulnerability in stream (CVE-2026-28755).
  • Reset pending control frames on HTTP/2 upstream reinitialization.
  • Reset buffer chains on gRPC upstream reinitialization.
  • Fixed parameter parsing for upstream keepalive.
  • Avoided zero size buffers in mp4 output.
  • Fixed possible integer overflow in mp4 module on 32-bit platforms.
  • Added destination length validation for COPY and MOVE operations in Dav module.
  • Added host validation in Mail module.
  • Fixed clearing of s->passwd in mail auth http requests.
  • Fixed client certificate validation with OCSP in Stream module.

Affected Symbols
