Site Navigation

Date:      Thu, 26 Mar 2026 21:22:39 +0000
From:      Jochen Neumeister <joneum@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: f657cf702d5b - main - www/nginx-devel: Update to 1.29.7
Message-ID:  <69c5a39f.31673.6b80df79@gitrepo.freebsd.org>

---

index | next in thread | raw e-mail

---

The branch main has been updated by joneum:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f657cf702d5b0409bcc74cd36f89ac563dae84ce

commit f657cf702d5b0409bcc74cd36f89ac563dae84ce
Author:     Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2026-03-26 21:21:01 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2026-03-26 21:22:26 +0000

    www/nginx-devel: Update to 1.29.7
    
    Changes with nginx 1.29.7                                        24 Mar
    2026
    
        *) Security: a buffer overflow might occur while handling a COPY or
    MOVE
           request in a location with "alias", allowing an attacker to
    modify
           the source or destination path outside of the document root
           (CVE-2026-27654).
           Thanks to Calif.io in collaboration with Claude and Anthropic
           Research.
    
        *) Security: processing of a specially crafted mp4 file by the
           ngx_http_mp4_module on 32-bit platforms might cause a worker
    process
           crash, or might have potential other impact (CVE-2026-27784).
           Thanks to Prabhav Srinath (sprabhav7).
    
        *) Security: processing of a specially crafted mp4 file by the
           ngx_http_mp4_module might cause a worker process crash, or might
    have
           potential other impact (CVE-2026-32647).
           Thanks to Xint Code and Pavel Kohout (Aisle Research).
    
        *) Security: a segmentation fault might occur in a worker process if
    the
           CRAM-MD5 or APOP authentication methods were used and
    authentication
           retry was enabled (CVE-2026-27651).
           Thanks to Arkadi Vainbrand.
    
        *) Security: an attacker might use PTR DNS records to inject data in
           auth_http requests, as well as in the XCLIENT command in the
    backend
           SMTP connection (CVE-2026-28753).
           Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu
    (Yunnan
           University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou
           University).
    
        *) Security: SSL handshake might succeed despite OCSP rejecting a
    client
           certificate in the stream module (CVE-2026-28755).
           Thanks to Mufeed VH of Winfunc Research.
    
        *) Feature: the "multipath" parameter of the "listen" directive.
    
        *) Feature: the "local" parameter of the "keepalive" directive in
    the
           "upstream" block.
    
        *) Change: now the "keepalive" directive in the "upstream" block is
           enabled by default.
    
        *) Change: now ngx_http_proxy_module supports keepalive by default;
    the
           default value for "proxy_http_version" is "1.1"; the "Connection"
           proxy header is not sent by default anymore.
    
        *) Bugfix: an invalid HTTP/2 request might be sent after switching
    to
           the next upstream if buffered body was used in the
           ngx_http_grpc_module.
    
    Changes with nginx 1.29.6                                        10 Mar
    2026
    
        *) Feature: session affinity support; the "sticky" directive in the
           "upstream" block of the "http" module; the "server" directive
           supports the "route" and "drain" parameters.
    
        *) Change: now nginx limits the size and rate of QUIC stateless
    reset
           packets.
    
        *) Bugfix: receiving a QUIC packet by a wrong worker process could
    cause
           the connection to terminate.
    
        *) Bugfix: "[crit] cache file ... contains invalid header" messages
           might appear in logs when sending a cached HTTP/2 response.
    
        *) Bugfix: proxying to scgi backends might not work when using
    chunked
           transfer encoding and the "scgi_request_buffering" directive.
           Thanks to Mufeed VH.
    
        *) Bugfix: in the ngx_http_mp4_module.
           Thanks to Andrew Lacambra.
    
        *) Bugfix: nginx treated a comma as separator in the "Cookie"
    request
           header line when evaluating "$cookie_..." variables.
    
        *) Bugfix: in IMAP command literal argument parsing.
    
    Sponsored by:   Netzkommune GmbH
---
 www/nginx-acme/Makefile    | 2 +-
 www/nginx-acme/distinfo    | 6 +++---
 www/nginx-devel/Makefile   | 2 +-
 www/nginx-devel/distinfo   | 6 +++---
 www/nginx-devel/version.mk | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/www/nginx-acme/Makefile b/www/nginx-acme/Makefile
index 3dc37bbb0ded..191dda6ebd91 100644
--- a/www/nginx-acme/Makefile
+++ b/www/nginx-acme/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	acme
 PORTVERSION=	0.1.1
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	www
 MASTER_SITES=	https://github.com/nginx/nginx-${PORTNAME}/releases/download/v${PORTVERSION}/:acme \
 		https://nginx.org/download/:nginx
diff --git a/www/nginx-acme/distinfo b/www/nginx-acme/distinfo
index 1d91ca6f9b3f..102fdda548c9 100644
--- a/www/nginx-acme/distinfo
+++ b/www/nginx-acme/distinfo
@@ -1,10 +1,10 @@
-TIMESTAMP = 1774553068
+TIMESTAMP = 1774559764
 SHA256 (nginx-acme-0.1.1.tar.gz) = c2158d7f9baa53a9186c406e82c3068832f03b87a1d1066b0d214a8bf834ddfd
 SIZE (nginx-acme-0.1.1.tar.gz) = 77853
 SHA256 (nginx-1.28.3.tar.gz) = 2c96a946bfb0882a21744ed429770a2123ae1828c7c48665092993ddee91a918
 SIZE (nginx-1.28.3.tar.gz) = 1284562
-SHA256 (nginx-1.29.5.tar.gz) = 6744768a4114880f37b13a0443244e731bcb3130c0a065d7e37d8fd589ade374
-SIZE (nginx-1.29.5.tar.gz) = 1310203
+SHA256 (nginx-1.29.7.tar.gz) = 673f8fb8c0961c44fbd9410d6161831453609b44063d3f2948253fc2b5692139
+SIZE (nginx-1.29.7.tar.gz) = 1323485
 SHA256 (rust/crates/addr2line-0.24.2.crate) = dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1
 SIZE (rust/crates/addr2line-0.24.2.crate) = 39015
 SHA256 (rust/crates/adler2-2.0.1.crate) = 320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa
diff --git a/www/nginx-devel/Makefile b/www/nginx-devel/Makefile
index ae280e855b9c..52dc99ad6181 100644
--- a/www/nginx-devel/Makefile
+++ b/www/nginx-devel/Makefile
@@ -1,7 +1,7 @@
 PORTNAME?=	nginx
 PORTVERSION=	${NGINX_VERSION}
 .include "version.mk"
-PORTREVISION=	2
+PORTREVISION=	0
 CATEGORIES=	www
 MASTER_SITES=	https://nginx.org/download/ \
 		LOCAL/osa
diff --git a/www/nginx-devel/distinfo b/www/nginx-devel/distinfo
index cdfb287a2005..68b43978f53c 100644
--- a/www/nginx-devel/distinfo
+++ b/www/nginx-devel/distinfo
@@ -1,6 +1,6 @@
-TIMESTAMP = 1774541643
-SHA256 (nginx-1.29.5.tar.gz) = 6744768a4114880f37b13a0443244e731bcb3130c0a065d7e37d8fd589ade374
-SIZE (nginx-1.29.5.tar.gz) = 1310203
+TIMESTAMP = 1774559735
+SHA256 (nginx-1.29.7.tar.gz) = 673f8fb8c0961c44fbd9410d6161831453609b44063d3f2948253fc2b5692139
+SIZE (nginx-1.29.7.tar.gz) = 1323485
 SHA256 (nginx_mogilefs_module-1.0.4.tar.gz) = 7ac230d30907f013dff8d435a118619ea6168aa3714dba62c6962d350c6295ae
 SIZE (nginx_mogilefs_module-1.0.4.tar.gz) = 11208
 SHA256 (passenger-6.1.2.tar.gz) = 94400a52e536cfdd8acf2accb47badb7a67dc309452f1b05600da67343f25bf8
diff --git a/www/nginx-devel/version.mk b/www/nginx-devel/version.mk
index 379cc0056bca..964722b0f419 100644
--- a/www/nginx-devel/version.mk
+++ b/www/nginx-devel/version.mk
@@ -1 +1 @@
-NGINX_VERSION=	1.29.5
+NGINX_VERSION=	1.29.7

home | help

---

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69c5a39f.31673.6b80df79>

Legal Notices | © 1995-2026 The FreeBSD Project. All rights reserved.

Contact