Date: Tue, 19 May 2026 17:13:40 +0000
From: Jochen Neumeister <joneum@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: ac43d62572eb - main - www/nginx-devel: Update to 1.31.0
Message-ID: <6a0c9a44.20f82.21ee8f10@gitrepo.freebsd.org>
The branch main has been updated by joneum:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ac43d62572ebc5e338cab9a3558e41761ec8252c

commit ac43d62572ebc5e338cab9a3558e41761ec8252c
Author: Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2026-05-19 17:12:01 +0000
Commit: Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2026-05-19 17:13:30 +0000

www/nginx-devel: Update to 1.31.0

Changes with nginx 1.31.0 13 May 2026

*) Security: when using the "proxy_set_body" directive, an attacker might inject data in the proxied request to an HTTP/2 backend (CVE-2026-42926). Thanks to Mufeed VH of Winfunc Research.

*) Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_rewrite_module, potentially resulting in arbitrary code execution (CVE-2026-42945). Thanks to Leo Lin.

*) Security: a heap memory buffer overread might occur in a worker process while handling a specially crafted response by ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker to cause a disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42946). Thanks to Leo Lin.

*) Security: a heap memory buffer overread might occur in a worker process while handling a specially sent response with decoding from UTF-8 via the "charset_map" directive, allowing an attacker to cause a limited disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42934). Thanks to David Carlier.

*) Security: when using HTTP/3, processing of connection migration might cause new QUIC streams to receive a new client address before validation, allowing an attacker to cause address spoofing (CVE-2026-40460). Thanks to Rodrigo Laneth.

*) Security: use-after-free might occur during DNS server response processing if the "ssl_ocsp" directive was used, allowing an attacker to cause worker process memory corruption or segmentation fault in a worker process (CVE-2026-40701). Thanks to Leo Lin.

*) Change: now nginx rejects HTTP/2 and HTTP/3 requests with the "Connection", "Proxy-Connection", "Keep-Alive", "Transfer-Encoding", "Upgrade" header lines, and "TE" with any value other than "trailers". *) Change: the ngx_http_dav_module now rejects a COPY or MOVE requests when the source and destination resources are the same or have a parent-child collection relationship. *) Change: the logging level of the "invalid alert" and "record layer failure" SSL errors, and of the "SSL alert number N" for any alert numbers has been lowered from "crit" to "info". *) Change: now the "sticky" module can be disabled with the --without-http_upstream_sticky_module configure option; the --without-http_upstream_sticky configure option is deprecated. *) Feature: the ngx_http_tunnel_module; support for authenticating to proxies in the "auth_basic", "satisfy", and "auth_delay" directives. *) Feature: the "least_time" directive inside the "upstream" block. *) Feature: the "proxy_ssl_alpn" directive in the stream module. *) Bugfix: connections with HTTP/2 backends might not be cached when using the "proxy_set_body" or "proxy_pass_request_body" directives. *) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be transferred incorrectly if the first line was not fully read. Sponsored by: Netzkommune GmbH --- www/nginx-acme/Makefile | 2 +- www/nginx-acme/distinfo | 6 +++--- www/nginx-devel/distinfo | 6 +++--- www/nginx-devel/version.mk | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/www/nginx-acme/Makefile b/www/nginx-acme/Makefile index fe726b685c72..fc55ff2d490c 100644 --- a/www/nginx-acme/Makefile +++ b/www/nginx-acme/Makefile @@ -1,6 +1,6 @@ PORTNAME= acme PORTVERSION= 0.3.1 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= www MASTER_SITES= https://github.com/nginx/nginx-${PORTNAME}/releases/download/v${PORTVERSION}/:acme \ https://nginx.org/download/:nginx diff --git a/www/nginx-acme/distinfo b/www/nginx-acme/distinfo index 7eb1950326aa..d6e9b0e4db5f 100644 
--- a/www/nginx-acme/distinfo +++ b/www/nginx-acme/distinfo @@ -1,10 +1,10 @@ -TIMESTAMP = 1778747884 +TIMESTAMP = 1779047326 SHA256 (nginx-acme-0.3.1.tar.gz) = be3d3d10f042930a3bf348731698eadb7003d224a863c53b719ccd28721572c3 SIZE (nginx-acme-0.3.1.tar.gz) = 99486 SHA256 (nginx-1.30.1.tar.gz) = 99765000d974896b31ca5882d8c279ce3fe7ef6f5c6f9f0a967ed7fd3407f9cc SIZE (nginx-1.30.1.tar.gz) = 1325173 -SHA256 (nginx-1.29.8.tar.gz) = 7f1b985dace8fe706dfc288b83927c928f0ae60bcb7507c2d4e0025eca7280c3 -SIZE (nginx-1.29.8.tar.gz) = 1324131 +SHA256 (nginx-1.31.0.tar.gz) = 6d5b00d45393af2e4e7c52a442d2a198f0ccbc7678ed062a46f403edd833ebaa +SIZE (nginx-1.31.0.tar.gz) = 1337335 SHA256 (rust/crates/aho-corasick-1.1.4.crate) = ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301 SIZE (rust/crates/aho-corasick-1.1.4.crate) = 184015 SHA256 (rust/crates/allocator-api2-0.3.1.crate) = c583acf993cf4245c4acb0a2cc2ab1f9cc097de73411bb6d3647ff6af2b1013d diff --git a/www/nginx-devel/distinfo b/www/nginx-devel/distinfo index f9ccc29f09b4..b983f13e28e7 100644 --- a/www/nginx-devel/distinfo +++ b/www/nginx-devel/distinfo @@ -1,6 +1,6 @@ -TIMESTAMP = 1777886543 -SHA256 (nginx-1.29.8.tar.gz) = 7f1b985dace8fe706dfc288b83927c928f0ae60bcb7507c2d4e0025eca7280c3 -SIZE (nginx-1.29.8.tar.gz) = 1324131 +TIMESTAMP = 1779012361 +SHA256 (nginx-1.31.0.tar.gz) = 6d5b00d45393af2e4e7c52a442d2a198f0ccbc7678ed062a46f403edd833ebaa +SIZE (nginx-1.31.0.tar.gz) = 1337335 SHA256 (nginx_mogilefs_module-1.0.4.tar.gz) = 7ac230d30907f013dff8d435a118619ea6168aa3714dba62c6962d350c6295ae SIZE (nginx_mogilefs_module-1.0.4.tar.gz) = 11208 SHA256 (passenger-6.1.2.tar.gz) = 94400a52e536cfdd8acf2accb47badb7a67dc309452f1b05600da67343f25bf8 diff --git a/www/nginx-devel/version.mk b/www/nginx-devel/version.mk index 47a6a513c27b..7f62669fe9b4 100644 --- a/www/nginx-devel/version.mk +++ b/www/nginx-devel/version.mk @@ -1 +1 @@ -NGINX_VERSION= 1.29.8 +NGINX_VERSION= 1.31.0home | help
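Review bot: The "PORTREVISION= 4" bump in www/nginx-acme/Makefile is not explained anywhere in the commit message, whose subject and body name only www/nginx-devel. The nginx-acme distinfo in the same commit moves one of its nginx tarballs from 1.29.8 to 1.31.0, so a one-line log entry such as "www/nginx-acme: bump PORTREVISION for nginx 1.31.0" would tell anyone reading the history why this port was rebuilt.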
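Review bot: The nginx-1.31.0.tar.gz entry in www/nginx-acme/distinfo duplicates the pin in www/nginx-devel/distinfo, and nothing in the patch ties the two together, so the pair has to be compared by hand at review time. In this commit they agree: both files give the same SHA256 and SIZE 1337335 for the tarball, while the two TIMESTAMP values differ, which shows the files were regenerated separately. Keeping both distinfo updates in one commit, as done here, avoids a window where nginx-acme still fetches the 1.29.8 tarball after version.mk has moved on.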
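Review bot: No security/vuxml entry accompanies the www/nginx-devel/version.mk bump from 1.29.8 to 1.31.0, although the log lists six CVE fixes (CVE-2026-42926, CVE-2026-42945, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460, CVE-2026-40701); the diffstat shows only four files, all under www/. Unless a VuXML entry was committed separately, pkg audit will not flag installed nginx-devel 1.29.8 packages. A "Security:" trailer naming the CVEs in the commit message would also make this update easier to find when searching the log.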
