Skip to content

Release history

NGINX releases

HTTP and reverse proxy server, mail proxy server, and generic TCP/UDP proxy server.

Back to tool Latest release

All releases

17 shown

Upgrade now
release-1.30.2 Security relevant
RCE / SSRF

Buffer overflow fix

Open
Upgrade now
release-1.31.1 Security relevant
RCE / SSRF

CVE‑2026‑9256 buffer overflow fix

Open
Upgrade now
release-1.30.1 Security relevant
RCE / SSRF Breaking upgrade

HTTP/2 request injection fix

Open
Upgrade now
release-1.31.0 Security relevant
RCE / SSRF Breaking upgrade

CVE fixes + forward proxy

Open
release-1.30.0 Breaking risk
Breaking changes
  • Removed CLOCK_MONOTONIC_FAST support.
Notable features
  • Sticky sessions support for upstreams.
  • Default proxy HTTP version changed to HTTP/1.1 with keep‑alive enabled.
Full changelog

nginx-1.30.0 stable version has been released, incorporating new features and bug fixes from the 1.29.x mainline branch — including Early Hints, HTTP/2 to backend and Encrypted ClientHello, sticky sessions support for upstreams, Multipath TCP support, the default proxy HTTP version set to HTTP/1.1 with keep-alive enabled, and more.

What's Changed

  • Version bump 1.29.0 by @arut in https://github.com/nginx/nginx/pull/632
  • QUIC: silence unknown/reserved transport param "info" messages. by @arut in https://github.com/nginx/nginx/pull/633
  • Fixed -Wunterminated-string-initialization with gcc15. by @arut in https://github.com/nginx/nginx/pull/631
  • HTTP/3: fixed NGX_HTTP_V3_VARLEN_INT_LEN value. by @arut in https://github.com/nginx/nginx/pull/640
  • Win32: couple of platform detection fixes by @bavshin-f5 in https://github.com/nginx/nginx/pull/457
  • QUIC: fixed a typo. by @nandsky in https://github.com/nginx/nginx/pull/638
  • OpenSSL build fixes with various no-opt. by @pluknet in https://github.com/nginx/nginx/pull/634
  • QUIC: fixed sending acknowledgments with limited congestion window. by @pluknet in https://github.com/nginx/nginx/pull/655
  • QUIC: using QUIC API introduced in OpenSSL 3.5. by @pluknet in https://github.com/nginx/nginx/pull/646
  • SSL: support loading keys via OSSL_STORE. by @bavshin-f5 in https://github.com/nginx/nginx/pull/436
  • Core: added support for TCP keepalive parameters on macOS. by @pluknet in https://github.com/nginx/nginx/pull/709
  • HTTP Early Hints by @arut in https://github.com/nginx/nginx/pull/326
  • HTTP/3: indexed field line encoding for "103 Early Hints". by @pluknet in https://github.com/nginx/nginx/pull/746
  • Use NULL instead of 0 as null pointer constant by @ac000 in https://github.com/nginx/nginx/pull/702
  • Upstream: fixed reinit request with gRPC and Early Hints. by @pluknet in https://github.com/nginx/nginx/pull/750
  • QUIC: disabled OpenSSL 3.5 QUIC API support by default. by @pluknet in https://github.com/nginx/nginx/pull/751
  • nginx-1.29.0-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/752
  • PCRE license fix for win32 zip by @pluknet in https://github.com/nginx/nginx/pull/753
  • QUIC: adjusted OpenSSL 3.5 QUIC API feature test. by @pluknet in https://github.com/nginx/nginx/pull/749
  • OPENSSL_VERSION_NUMBER fix for OpenSSL 3.0 by @pluknet in https://github.com/nginx/nginx/pull/775
  • kqueue build fixes by @pluknet in https://github.com/nginx/nginx/pull/777
  • HTTP/3: limited prefixed integers encoded length. by @pluknet in https://github.com/nginx/nginx/pull/124
  • HTTP/3: fixed handling :authority and Host with port. by @arut in https://github.com/nginx/nginx/pull/772
  • HTTP/2: fixed flushing early hints. by @arut in https://github.com/nginx/nginx/pull/808
  • HTTP/2 fixes for ":authority" vs "Host" by @pluknet in https://github.com/nginx/nginx/pull/803
  • Certificate compression by @pluknet in https://github.com/nginx/nginx/pull/788
  • Auth basic: fixed file descriptor leak on memory allocation error. by @pluknet in https://github.com/nginx/nginx/pull/833
  • smtp module fixes by @pluknet in https://github.com/nginx/nginx/pull/842
  • Changes 1.29.1 by @pluknet in https://github.com/nginx/nginx/pull/843
  • Added a previously missed changes entry in 1.29.1 relnotes. by @pluknet in https://github.com/nginx/nginx/pull/844
  • Removed legacy charset directive from default config example. by @MohamedKarrab in https://github.com/nginx/nginx/pull/829
  • QUIC: fixed ssl_reject_handshake error handling. by @pluknet in https://github.com/nginx/nginx/pull/889
  • Updated link to xslscript. by @pluknet in https://github.com/nginx/nginx/pull/854
  • Fixed inaccurate index directive error report by @willmafh in https://github.com/nginx/nginx/pull/881
  • SNI: using ClientHello callback. by @pluknet in https://github.com/nginx/nginx/pull/562
  • AWS-LC support changes by @pluknet in https://github.com/nginx/nginx/pull/848
  • Upstream: overflow detection in Cache-Control delta-seconds. by @pluknet in https://github.com/nginx/nginx/pull/898
  • Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. by @pluknet in https://github.com/nginx/nginx/pull/893
  • Added F5 CLA workflow. by @Maryna-f5 in https://github.com/nginx/nginx/pull/908
  • SSL: fixed "key values mismatch" with object cache inheritance. by @pluknet in https://github.com/nginx/nginx/pull/740
  • nginx-1.29.2 changes by @pluknet in https://github.com/nginx/nginx/pull/919
  • SSL: support for compressed server certificates with BoringSSL. by @pluknet in https://github.com/nginx/nginx/pull/823
  • HTTP CONNECT infrastructure by @arut in https://github.com/nginx/nginx/pull/935
  • Upstream: reset local address in case of error. by @arut in https://github.com/nginx/nginx/pull/942
  • SSL: $ssl_sigalg, $ssl_client_sigalg. by @pluknet in https://github.com/nginx/nginx/pull/932
  • Geo: the "volatile" parameter. by @dplotnikov-f5 in https://github.com/nginx/nginx/pull/943
  • Inheritance control for add_header and add_trailer. by @arut in https://github.com/nginx/nginx/pull/918
  • OCSP: fixed invalid type for the 'ssl_ocsp' directive. by @roman-f5 in https://github.com/nginx/nginx/pull/938
  • Fixed compilation warnings on Windows after c93a0c48af87. by @arut in https://github.com/nginx/nginx/pull/954
  • Modules compatibility: increased compat section size. by @arut in https://github.com/nginx/nginx/pull/952
  • nginx-1.29.3 changes by @arut in https://github.com/nginx/nginx/pull/953
  • Configure: ensure we get the "built by ..." line in nginx -V. by @ac000 in https://github.com/nginx/nginx/pull/905
  • Adding support for pcre 10.47 by @thierryba in https://github.com/nginx/nginx/pull/963
  • SSL: changed interface of ngx_ssl_set_client_hello_callback(). by @pluknet in https://github.com/nginx/nginx/pull/968
  • SSL: fixed build with BoringSSL, broken by 38a701d88. by @pluknet in https://github.com/nginx/nginx/pull/972
  • HTTP/2: extended guard for NULL buffer and zero length. by @pluknet in https://github.com/nginx/nginx/pull/978
  • Validate host by @pluknet in https://github.com/nginx/nginx/pull/966
  • Proxy: fixed segfault in URI change (issue #983). by @pluknet in https://github.com/nginx/nginx/pull/1004
  • OpenSSL ECH integration by @sftcd in https://github.com/nginx/nginx/pull/840
  • Update community health files by @alessfg in https://github.com/nginx/nginx/pull/727
  • SSL: avoid warning when ECH is not configured and not supported. by @QirunGao in https://github.com/nginx/nginx/pull/1011
  • Disabled bare LF in chunked transfer encoding. by @pluknet in https://github.com/nginx/nginx/pull/1016
  • HTTP/2 to upstream by @hongzhidao in https://github.com/nginx/nginx/pull/771
  • Quic: fixed segfault on handshake failure by @jeniksv in https://github.com/nginx/nginx/pull/1022
  • nginx-1.29.4-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1023
  • Fixed duplicate ids in the bug report template. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1035
  • SSL: logging level of the "ech_required" TLS alert. by @arut in https://github.com/nginx/nginx/pull/1038
  • Win32: fixed C4319 warning with MSVC x86. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1057
  • Add a HTTP_HOST parameter to default_params. by @ac000 in https://github.com/nginx/nginx/pull/1031
  • Year 2026. by @pluknet in https://github.com/nginx/nginx/pull/1076
  • Range filter: reasonable limit on multiple ranges. by @pluknet in https://github.com/nginx/nginx/pull/1075
  • Misc: moved documentation in generated ZIP archive. by @pluknet in https://github.com/nginx/nginx/pull/1078
  • Docs: Clarify -t option behavior in nginx man page by @uhliarik in https://github.com/nginx/nginx/pull/1089
  • Proxy v2 request body fixes. by @pluknet in https://github.com/nginx/nginx/pull/1058
  • Updated OpenSSL and PCRE used for win32 builds. by @arut in https://github.com/nginx/nginx/pull/1111
  • Upstream read before write by @arut in https://github.com/nginx/nginx/pull/1112
  • nginx-1.29.5-RELEASE by @arut in https://github.com/nginx/nginx/pull/1113
  • Version bump. by @arut in https://github.com/nginx/nginx/pull/1120
  • Proxy: fixed HTTP/2 upstream with caching enabled. by @hongzhidao in https://github.com/nginx/nginx/pull/1119
  • Fixed separator in parsing header lines with multiple values. by @VadimZhestikov in https://github.com/nginx/nginx/pull/1056
  • SCGI: fixed passing CONTENT_LENGTH in unbuffered mode. by @pluknet in https://github.com/nginx/nginx/pull/1118
  • Mp4: validate sync sample values in stss atom. by @CodeByMoriarty in https://github.com/nginx/nginx/pull/1147
  • Resolver: fixed off-by-one read in ngx_resolver_copy(). by @arut in https://github.com/nginx/nginx/pull/1152
  • QUIC Stateless Reset improvements by @pluknet in https://github.com/nginx/nginx/pull/1151
  • QUIC: fixed bpf compilation with newer Linux kernels. by @arut in https://github.com/nginx/nginx/pull/215
  • Updating welcome page with links and more details. by @buulam in https://github.com/nginx/nginx/pull/1138
  • QUIC: worker-bound stateless reset tokens. by @arut in https://github.com/nginx/nginx/pull/1159
  • QUIC: handle compat keylog callback errors by @lukefr09 in https://github.com/nginx/nginx/pull/1155
  • Added an option to skip the F5 CLA workflow. by @alessfg in https://github.com/nginx/nginx/pull/1153
  • IMAP bugfixes. by @pluknet in https://github.com/nginx/nginx/pull/1161
  • Upstream: added sticky sessions support for upstreams. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1167
  • nginx-1.29.6 changes by @pluknet in https://github.com/nginx/nginx/pull/1177
  • Version bump 1.29.7. by @arut in https://github.com/nginx/nginx/pull/1181
  • Proxy authentication definitions. by @arut in https://github.com/nginx/nginx/pull/1178
  • Proxy: reset pending control frames on HTTP/2 upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1135
  • gRPC: reset buffer chains on upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1136
  • Multipath TCP support by @pluknet in https://github.com/nginx/nginx/pull/931
  • Logs: added COMPAT padding to ngx_log_t. by @dplotnikov-f5 in https://github.com/nginx/nginx/pull/1196
  • Upstream keepalive: enabled keepalive module by default. by @roman-f5 in https://github.com/nginx/nginx/pull/1080
  • Upstream keepalive: fixed parameter parsing. by @arut in https://github.com/nginx/nginx/pull/1207
  • Mp4: avoid zero size buffers in output. by @arut in https://github.com/nginx/nginx/pull/1149
  • Mp4: fixed possible integer overflow on 32-bit platforms. by @arut in https://github.com/nginx/nginx/pull/1209
  • Dav: destination length validation for COPY and MOVE. by @arut in https://github.com/nginx/nginx/pull/1210
  • Mail: host validation. by @arut in https://github.com/nginx/nginx/pull/1211
  • Mail: fixed clearing s->passwd in auth http requests. by @arut in https://github.com/nginx/nginx/pull/1212
  • Stream: fixed client certificate validation with OCSP. by @arut in https://github.com/nginx/nginx/pull/1213
  • nginx-1.29.7-RELEASE by @arut in https://github.com/nginx/nginx/pull/1215
  • Fixed the "include" directive inside the "geo" block. by @jimf5 in https://github.com/nginx/nginx/pull/1184
  • SSL: compatibility with OpenSSL 4.0. by @pluknet in https://github.com/nginx/nginx/pull/1183
  • Update CONTRIBUTING.md by @xuruidong in https://github.com/nginx/nginx/pull/1195
  • Upstream: fixed processing multiple 103 (early hints) responses. by @pluknet in https://github.com/nginx/nginx/pull/1241
  • Removed CLOCK_MONOTONIC_FAST support. by @jimf5 in https://github.com/nginx/nginx/pull/1243
  • Upstream: fix integer underflow in charset parsing by @DavidKorczynski in https://github.com/nginx/nginx/pull/1170
  • Added max_headers directive by @dekobon in https://github.com/nginx/nginx/pull/1116
  • fix $request_port / $is_request_port being empty if auth_request is used by @Zoey2936 in https://github.com/nginx/nginx/pull/1248
  • Upstream: reset early_hints_length on upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1187
  • nginx-1.29.8-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1252
  • nginx-1.30.0-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1268

New Contributors

  • @MohamedKarrab made their first contribution in https://github.com/nginx/nginx/pull/829
  • @willmafh made their first contribution in https://github.com/nginx/nginx/pull/881
  • @dplotnikov-f5 made their first contribution in https://github.com/nginx/nginx/pull/943
  • @roman-f5 made their first contribution in https://github.com/nginx/nginx/pull/938
  • @sftcd made their first contribution in https://github.com/nginx/nginx/pull/840
  • @alessfg made their first contribution in https://github.com/nginx/nginx/pull/727
  • @QirunGao made their first contribution in https://github.com/nginx/nginx/pull/1011
  • @hongzhidao made their first contribution in https://github.com/nginx/nginx/pull/771
  • @jeniksv made their first contribution in https://github.com/nginx/nginx/pull/1022
  • @uhliarik made their first contribution in https://github.com/nginx/nginx/pull/1089
  • @VadimZhestikov made their first contribution in https://github.com/nginx/nginx/pull/1056
  • @CodeByMoriarty made their first contribution in https://github.com/nginx/nginx/pull/1147
  • @buulam made their first contribution in https://github.com/nginx/nginx/pull/1138
  • @lukefr09 made their first contribution in https://github.com/nginx/nginx/pull/1155
  • @devnexen made their first contribution in https://github.com/nginx/nginx/pull/1135
  • @jimf5 made their first contribution in https://github.com/nginx/nginx/pull/1184
  • @xuruidong made their first contribution in https://github.com/nginx/nginx/pull/1195
  • @DavidKorczynski made their first contribution in https://github.com/nginx/nginx/pull/1170
  • @dekobon made their first contribution in https://github.com/nginx/nginx/pull/1116
  • @Zoey2936 made their first contribution in https://github.com/nginx/nginx/pull/1248

Full Changelog: https://github.com/nginx/nginx/compare/release-1.28.3...release-1.30.0

View release on GitHub
release-1.29.8 Breaking risk
Breaking changes
  • Removed CLOCK_MONOTONIC_FAST support
Notable features
  • Added max_headers directive to limit the number of response headers
Full changelog

nginx-1.29.8 mainline version has been released.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Fixed the "include" directive inside the "geo" block. by @jimf5 in https://github.com/nginx/nginx/pull/1184
  • SSL: compatibility with OpenSSL 4.0. by @pluknet in https://github.com/nginx/nginx/pull/1183
  • Update CONTRIBUTING.md by @xuruidong in https://github.com/nginx/nginx/pull/1195
  • Upstream: fixed processing multiple 103 (early hints) responses. by @pluknet in https://github.com/nginx/nginx/pull/1241
  • Removed CLOCK_MONOTONIC_FAST support. by @jimf5 in https://github.com/nginx/nginx/pull/1243
  • Upstream: fix integer underflow in charset parsing by @DavidKorczynski in https://github.com/nginx/nginx/pull/1170
  • Added max_headers directive by @dekobon in https://github.com/nginx/nginx/pull/1116
  • fix $request_port / $is_request_port being empty if auth_request is used by @Zoey2936 in https://github.com/nginx/nginx/pull/1248
  • Upstream: reset early_hints_length on upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1187
  • nginx-1.29.8-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1252

New Contributors

  • @jimf5 made their first contribution in https://github.com/nginx/nginx/pull/1184
  • @xuruidong made their first contribution in https://github.com/nginx/nginx/pull/1195
  • @DavidKorczynski made their first contribution in https://github.com/nginx/nginx/pull/1170
  • @dekobon made their first contribution in https://github.com/nginx/nginx/pull/1116
  • @Zoey2936 made their first contribution in https://github.com/nginx/nginx/pull/1248

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.7...release-1.29.8

View release on GitHub
release-1.28.3 Security relevant
Security fixes
  • CVE-2026-27654 — buffer overflow vulnerability in ngx_http_dav_module
  • CVE-2026-27784 — buffer overflow vulnerability in ngx_http_mp4_module
  • CVE-2026-32647 — buffer overflow vulnerability in ngx_http_mp4_module
Full changelog

nginx-1.28.3 stable version has been released. This release includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES-1.28 on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Release 1.28.3 by @arut in https://github.com/nginx/nginx/pull/1216

Full Changelog: https://github.com/nginx/nginx/compare/release-1.28.2...release-1.28.3

View release on GitHub
release-1.29.7 Security relevant
Security fixes
  • CVE-2026-27654 — buffer overflow in ngx_http_dav_module
  • CVE-2026-27784 — buffer overflow in ngx_http_mp4_module
  • CVE-2026-32647 — buffer overflow in ngx_http_mp4_module
Notable features
  • Multipath TCP support added
  • HTTP/1.1 keep‑alive enabled by default for upstream connections
Full changelog

nginx-1.29.7 mainline version has been released, introducing two significant updates: support for Multipath TCP and upgrading the default HTTP version to HTTP/1.1 with keep-alive enabled. This release also includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Version bump 1.29.7. by @arut in https://github.com/nginx/nginx/pull/1181
  • Proxy authentication definitions. by @arut in https://github.com/nginx/nginx/pull/1178
  • Proxy: reset pending control frames on HTTP/2 upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1135
  • gRPC: reset buffer chains on upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1136
  • Multipath TCP support by @pluknet in https://github.com/nginx/nginx/pull/931
  • Logs: added COMPAT padding to ngx_log_t. by @dplotnikov-f5 in https://github.com/nginx/nginx/pull/1196
  • Upstream keepalive: enabled keepalive module by default. by @roman-f5 in https://github.com/nginx/nginx/pull/1080
  • Upstream keepalive: fixed parameter parsing. by @arut in https://github.com/nginx/nginx/pull/1207
  • Mp4: avoid zero size buffers in output. by @arut in https://github.com/nginx/nginx/pull/1149
  • Mp4: fixed possible integer overflow on 32-bit platforms. by @arut in https://github.com/nginx/nginx/pull/1209
  • Dav: destination length validation for COPY and MOVE. by @arut in https://github.com/nginx/nginx/pull/1210
  • Mail: host validation. by @arut in https://github.com/nginx/nginx/pull/1211
  • Mail: fixed clearing s->passwd in auth http requests. by @arut in https://github.com/nginx/nginx/pull/1212
  • Stream: fixed client certificate validation with OCSP. by @arut in https://github.com/nginx/nginx/pull/1213
  • nginx-1.29.7-RELEASE by @arut in https://github.com/nginx/nginx/pull/1215

New Contributors

  • @devnexen made their first contribution in https://github.com/nginx/nginx/pull/1135

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.6...release-1.29.7

View release on GitHub
release-1.29.6 New feature
Notable features
  • Sticky session support for upstream servers
Full changelog

nginx-1.29.6 mainline version has been released, featuring sticky sessions support for upstreams.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Version bump. by @arut in https://github.com/nginx/nginx/pull/1120
  • Proxy: fixed HTTP/2 upstream with caching enabled. by @hongzhidao in https://github.com/nginx/nginx/pull/1119
  • Fixed separator in parsing header lines with multiple values. by @VadimZhestikov in https://github.com/nginx/nginx/pull/1056
  • SCGI: fixed passing CONTENT_LENGTH in unbuffered mode. by @pluknet in https://github.com/nginx/nginx/pull/1118
  • Mp4: validate sync sample values in stss atom. by @CodeByMoriarty in https://github.com/nginx/nginx/pull/1147
  • Resolver: fixed off-by-one read in ngx_resolver_copy(). by @arut in https://github.com/nginx/nginx/pull/1152
  • QUIC Stateless Reset improvements by @pluknet in https://github.com/nginx/nginx/pull/1151
  • QUIC: fixed bpf compilation with newer Linux kernels. by @arut in https://github.com/nginx/nginx/pull/215
  • Updating welcome page with links and more details. by @buulam in https://github.com/nginx/nginx/pull/1138
  • QUIC: worker-bound stateless reset tokens. by @arut in https://github.com/nginx/nginx/pull/1159
  • QUIC: handle compat keylog callback errors by @lukefr09 in https://github.com/nginx/nginx/pull/1155
  • Added an option to skip the F5 CLA workflow. by @alessfg in https://github.com/nginx/nginx/pull/1153
  • IMAP bugfixes. by @pluknet in https://github.com/nginx/nginx/pull/1161
  • Upstream: added sticky sessions support for upstreams. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1167
  • nginx-1.29.6 changes by @pluknet in https://github.com/nginx/nginx/pull/1177

New Contributors

  • @VadimZhestikov made their first contribution in https://github.com/nginx/nginx/pull/1056
  • @CodeByMoriarty made their first contribution in https://github.com/nginx/nginx/pull/1147
  • @buulam made their first contribution in https://github.com/nginx/nginx/pull/1138
  • @lukefr09 made their first contribution in https://github.com/nginx/nginx/pull/1155

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.5...release-1.29.6

View release on GitHub
release-1.29.5 Security relevant
Security fixes
  • CVE-2026-1642 — fixed SSL upstream injection vulnerability
Notable features
  • Added HTTP_HOST parameter to default_params
Full changelog

nginx-1.29.5 mainline version has been released. This release includes a security fix for the SSL upstream injection vulnerability (CVE-2026-1642). See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Fixed duplicate ids in the bug report template. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1035
  • SSL: logging level of the "ech_required" TLS alert. by @arut in https://github.com/nginx/nginx/pull/1038
  • Win32: fixed C4319 warning with MSVC x86. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1057
  • Add a HTTP_HOST parameter to default_params. by @ac000 in https://github.com/nginx/nginx/pull/1031
  • Year 2026. by @pluknet in https://github.com/nginx/nginx/pull/1076
  • Range filter: reasonable limit on multiple ranges. by @pluknet in https://github.com/nginx/nginx/pull/1075
  • Misc: moved documentation in generated ZIP archive. by @pluknet in https://github.com/nginx/nginx/pull/1078
  • Docs: Clarify -t option behavior in nginx man page by @uhliarik in https://github.com/nginx/nginx/pull/1089
  • Proxy v2 request body fixes. by @pluknet in https://github.com/nginx/nginx/pull/1058
  • Updated OpenSSL and PCRE used for win32 builds. by @arut in https://github.com/nginx/nginx/pull/1111
  • Upstream read before write by @arut in https://github.com/nginx/nginx/pull/1112
  • nginx-1.29.5-RELEASE by @arut in https://github.com/nginx/nginx/pull/1113

New Contributors

  • @uhliarik made their first contribution in https://github.com/nginx/nginx/pull/1089

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.4...release-1.29.5

View release on GitHub
release-1.28.2 Security relevant
Security fixes
  • CVE-2026-1642 — SSL upstream injection vulnerability
Full changelog

nginx-1.28.2 stable version has been released. This release includes a security fix for the SSL upstream injection vulnerability (CVE-2026-1642). See official CHANGES-1.28 on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Nginx 1.28.2 by @arut in https://github.com/nginx/nginx/pull/1114

Full Changelog: https://github.com/nginx/nginx/compare/release-1.28.1...release-1.28.2

View release on GitHub
release-1.28.1 Maintenance

Minor fixes and improvements.

Full changelog

nginx-1.28.1 stable version has been released. See official CHANGES-1.28 on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • nginx-1.28.1 by @pluknet in https://github.com/nginx/nginx/pull/1052

Full Changelog: https://github.com/nginx/nginx/compare/release-1.28.0...release-1.28.1

View release on GitHub
release-1.29.4 New feature
Notable features
  • HTTP/2 support for upstream backend connections
Full changelog

nginx-1.29.4 mainline version has been released, featuring HTTP/2 to backend and Encrypted Client Hello (ECH). For more details, please refer to the blog post.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Configure: ensure we get the "built by ..." line in nginx -V. by @ac000 in https://github.com/nginx/nginx/pull/905
  • Adding support for pcre 10.47 by @thierryba in https://github.com/nginx/nginx/pull/963
  • SSL: changed interface of ngx_ssl_set_client_hello_callback(). by @pluknet in https://github.com/nginx/nginx/pull/968
  • SSL: fixed build with BoringSSL, broken by 38a701d88. by @pluknet in https://github.com/nginx/nginx/pull/972
  • HTTP/2: extended guard for NULL buffer and zero length. by @pluknet in https://github.com/nginx/nginx/pull/978
  • Validate host by @pluknet in https://github.com/nginx/nginx/pull/966
  • Proxy: fixed segfault in URI change (issue #983). by @pluknet in https://github.com/nginx/nginx/pull/1004
  • OpenSSL ECH integration by @sftcd in https://github.com/nginx/nginx/pull/840
  • Update community health files by @alessfg in https://github.com/nginx/nginx/pull/727
  • SSL: avoid warning when ECH is not configured and not supported. by @QirunGao in https://github.com/nginx/nginx/pull/1011
  • Disabled bare LF in chunked transfer encoding. by @pluknet in https://github.com/nginx/nginx/pull/1016
  • HTTP/2 to upstream by @hongzhidao in https://github.com/nginx/nginx/pull/771
  • Quic: fixed segfault on handshake failure by @jeniksv in https://github.com/nginx/nginx/pull/1022
  • nginx-1.29.4-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1023

New Contributors

  • @sftcd made their first contribution in https://github.com/nginx/nginx/pull/840
  • @alessfg made their first contribution in https://github.com/nginx/nginx/pull/727
  • @QirunGao made their first contribution in https://github.com/nginx/nginx/pull/1011
  • @hongzhidao made their first contribution in https://github.com/nginx/nginx/pull/771
  • @jeniksv made their first contribution in https://github.com/nginx/nginx/pull/1022

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.3...release-1.29.4

View release on GitHub
release-1.29.3 New feature
Notable features
  • Support for compressed server certificates with BoringSSL in SSL
  • HTTP CONNECT infrastructure introduced
  • Upstream reset local address on error
Full changelog

nginx-1.29.3 mainline version has been released. See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • SSL: support for compressed server certificates with BoringSSL. by @pluknet in https://github.com/nginx/nginx/pull/823
  • HTTP CONNECT infrastructure by @arut in https://github.com/nginx/nginx/pull/935
  • Upstream: reset local address in case of error. by @arut in https://github.com/nginx/nginx/pull/942
  • SSL: $ssl_sigalg, $ssl_client_sigalg. by @pluknet in https://github.com/nginx/nginx/pull/932, initial work by @willmafh in https://github.com/nginx/nginx/pull/554
  • Geo: the "volatile" parameter. by @dplotnikov-f5 in https://github.com/nginx/nginx/pull/943
  • Inheritance control for add_header and add_trailer. by @arut in https://github.com/nginx/nginx/pull/918
  • OCSP: fixed invalid type for the 'ssl_ocsp' directive. by @roman-f5 in https://github.com/nginx/nginx/pull/938
  • Fixed compilation warnings on Windows after c93a0c48af87. by @arut in https://github.com/nginx/nginx/pull/954
  • Modules compatibility: increased compat section size. by @arut in https://github.com/nginx/nginx/pull/952
  • nginx-1.29.3 changes by @arut in https://github.com/nginx/nginx/pull/953

New Contributors

  • @dplotnikov-f5 made their first contribution in https://github.com/nginx/nginx/pull/943
  • @roman-f5 made their first contribution in https://github.com/nginx/nginx/pull/938

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.2...release-1.29.3

View release on GitHub
release-1.29.2 Breaking risk
Notable features
  • Added F5 CLA workflow
  • AWS-LC support changes
Full changelog

nginx-1.29.2 mainline version has been released. See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Added a previously missed changes entry in 1.29.1 relnotes. by @pluknet in https://github.com/nginx/nginx/pull/844
  • Removed legacy charset directive from default config example. by @MohamedKarrab in https://github.com/nginx/nginx/pull/829
  • QUIC: fixed ssl_reject_handshake error handling. by @pluknet in https://github.com/nginx/nginx/pull/889
  • Updated link to xslscript. by @pluknet in https://github.com/nginx/nginx/pull/854
  • Fixed inaccurate index directive error report by @willmafh in https://github.com/nginx/nginx/pull/881
  • SNI: using ClientHello callback. by @pluknet in https://github.com/nginx/nginx/pull/562
  • AWS-LC support changes by @pluknet in https://github.com/nginx/nginx/pull/848
  • Upstream: overflow detection in Cache-Control delta-seconds. by @pluknet in https://github.com/nginx/nginx/pull/898
  • Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. by @pluknet in https://github.com/nginx/nginx/pull/893
  • Added F5 CLA workflow. by @Maryna-f5 in https://github.com/nginx/nginx/pull/908
  • SSL: fixed "key values mismatch" with object cache inheritance. by @pluknet in https://github.com/nginx/nginx/pull/740
  • nginx-1.29.2 changes by @pluknet in https://github.com/nginx/nginx/pull/919

New Contributors

  • @MohamedKarrab made their first contribution in https://github.com/nginx/nginx/pull/829
  • @willmafh made their first contribution in https://github.com/nginx/nginx/pull/881

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.1...release-1.29.2

View release on GitHub
release-1.29.1 Security relevant
Security fixes
  • CVE-2025-53859 — vulnerability fixed in ngx_mail_smtp_module
Notable features
  • Adjusted QUIC API feature test for OpenSSL 3.5
  • Limited prefixed integers encoded length in HTTP/3
  • Fixed handling of :authority and Host with port in HTTP/3
Full changelog

nginx-1.29.1 mainline version has been released. This release includes a security fix for the vulnerability in the ngx_mail_smtp_module (CVE-2025-53859). See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • PCRE license fix for win32 zip by @pluknet in https://github.com/nginx/nginx/pull/753
  • QUIC: adjusted OpenSSL 3.5 QUIC API feature test. by @pluknet in https://github.com/nginx/nginx/pull/749
  • OPENSSL_VERSION_NUMBER fix for OpenSSL 3.0 by @pluknet in https://github.com/nginx/nginx/pull/775
  • kqueue build fixes by @pluknet in https://github.com/nginx/nginx/pull/777
  • HTTP/3: limited prefixed integers encoded length. by @pluknet in https://github.com/nginx/nginx/pull/124
  • HTTP/3: fixed handling :authority and Host with port. by @arut in https://github.com/nginx/nginx/pull/772
  • HTTP/2: fixed flushing early hints. by @arut in https://github.com/nginx/nginx/pull/808
  • HTTP/2 fixes for ":authority" vs "Host" by @pluknet in https://github.com/nginx/nginx/pull/803
  • Certificate compression by @pluknet in https://github.com/nginx/nginx/pull/788
  • Auth basic: fixed file descriptor leak on memory allocation error. by @pluknet in https://github.com/nginx/nginx/pull/833
  • smtp module fixes by @pluknet in https://github.com/nginx/nginx/pull/842
  • Changes 1.29.1 by @pluknet in https://github.com/nginx/nginx/pull/843

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.0...release-1.29.1

View release on GitHub
release-1.29.0 New feature
Notable features
  • Added support for HTTP Early Hints (103 status) in both HTTP/2 and HTTP/3.
  • Core: added TCP keepalive parameters on macOS.
Full changelog

nginx-1.29.0 mainline version has been released, featuring Early Hints support. See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • Version bump 1.29.0 by @arut in https://github.com/nginx/nginx/pull/632
  • QUIC: silence unknown/reserved transport param "info" messages. by @arut in https://github.com/nginx/nginx/pull/633
  • Fixed -Wunterminated-string-initialization with gcc15. by @arut in https://github.com/nginx/nginx/pull/631
  • HTTP/3: fixed NGX_HTTP_V3_VARLEN_INT_LEN value. by @arut in https://github.com/nginx/nginx/pull/640
  • Win32: couple of platform detection fixes by @bavshin-f5 in https://github.com/nginx/nginx/pull/457
  • QUIC: fixed a typo. by @nandsky in https://github.com/nginx/nginx/pull/638
  • OpenSSL build fixes with various no-opt. by @pluknet in https://github.com/nginx/nginx/pull/634
  • QUIC: fixed sending acknowledgments with limited congestion window. by @pluknet in https://github.com/nginx/nginx/pull/655
  • QUIC: using QUIC API introduced in OpenSSL 3.5. by @pluknet in https://github.com/nginx/nginx/pull/646
  • SSL: support loading keys via OSSL_STORE. by @bavshin-f5 in https://github.com/nginx/nginx/pull/436
  • Core: added support for TCP keepalive parameters on macOS. by @pluknet in https://github.com/nginx/nginx/pull/709
  • HTTP Early Hints by @arut in https://github.com/nginx/nginx/pull/326
  • HTTP/3: indexed field line encoding for "103 Early Hints". by @pluknet in https://github.com/nginx/nginx/pull/746
  • Use NULL instead of 0 as null pointer constant by @ac000 in https://github.com/nginx/nginx/pull/702
  • Upstream: fixed reinit request with gRPC and Early Hints. by @pluknet in https://github.com/nginx/nginx/pull/750
  • QUIC: disabled OpenSSL 3.5 QUIC API support by default. by @pluknet in https://github.com/nginx/nginx/pull/751
  • nginx-1.29.0-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/752

New Contributors

  • @ac000 made their first contribution in https://github.com/nginx/nginx/pull/702

Full Changelog: https://github.com/nginx/nginx/compare/release-1.27.5...release-1.29.0

View release on GitHub

Beta — feedback welcome: [email protected]