Nginx 1.28.1 released
So Nginx got its latest update (version 1.28.1). There isn't anything revolutionary announced this time around, but there are some noteworthy changes.
The primary focus seems to be on security and specific bug fixes for real-world setups. The most notable fix tackles a memory disclosure problem in the ngx_mail_smtp_module when using "none" authentication. This problem could've potentially allowed snooping worker process memory under certain conditions. It's welcome news that this vulnerability (tracked as CVE-2025-53859) has now been patched.
Beyond security, several bugs have been resolved to beef up stability and performance. One example is an issue where a worker might crash in some scenarios involving try_files combined with proxy_pass. That's one less thing to worry about. Also addressed were problems related to HTTP/2 header lines, specifically when the "Host" and ":authority" values are equal, along with various HTTP/3 fixes.
Other bug fixes include handling an improperly encoded XCLIENT command and issues surrounding SSL certificate caching during reconfiguration. The Cache-Control backend processing also saw some problem resolution.
On the operational side, nginx now uses Windows SDK 10 for its native binary builds, likely aimed at improving performance on Windows servers there. There's also another update: it should be successfully compilable again on NetBSD 10.0. This release also highlights the HTTP/3 workarounds, which are currently being addressed.
These updates address various aspects of server configuration and operation, including security, specific protocols such as SMTP, core performance issues, and cross-platform compatibility challenges, particularly for Windows and NetBSD users. It's a steady stream of improvements from the team behind nginx.
Release nginx release-1.28.1
nginx-1.28.1 stable version has been released. See official CHANGES-1.28 on nginx.org.
