www/nginx-devel: security update from 1.27.3 to 1.27.4
5f85ff777104
Actions

Description

www/nginx-devel: security update from 1.27.3 to 1.27.4

*) Security: insufficient check in virtual servers handling with TLSv1.3

SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).

*) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",

"proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
"uwsgi_ssl_certificate_cache" directives.

*) Feature: the "keepalive_min_timeout" directive.

*) Workaround: "gzip filter failed to use preallocated memory" alerts

appeared in logs when using zlib-ng.

*) Bugfix: nginx could not build libatomic library using the library

sources if the --with-libatomic=DIR option was used.

*) Bugfix: QUIC connection might not be established when using 0-RTT;

the bug had appeared in 1.27.1.

*) Bugfix: nginx now ignores QUIC version negotiation packets from

clients.

*) Bugfix: nginx could not be built on Solaris 10 and earlier with the

ngx_http_v3_module.

*) Bugfixes in HTTP/3.

</ChangeLog>

Provenance

osa	Authored on Feb 5 2025, 5:13 PM

Parents

R11:421fd5ce7ef5: www/linux-vieb: Update to 12.2.0

Branches

Unknown

Tags

Unknown

Path

Size

www/

nginx-devel/