Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package nginx for openSUSE:Factory checked in at 2026-05-16 19:24:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nginx (Old)
 and /work/SRC/openSUSE:Factory/.nginx.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Sat May 16 19:24:18 2026 rev:112 rq:1353077 version:1.31.0 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2026-04-08 17:14:16.908347438 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new.1966/nginx.changes 2026-05-16 19:25:12.067697117 +0200 
@@ -1,0 +2,72 @@ +Wed May 13 18:36:19 UTC 2026 - Marcus Rueckert <[email protected]> + +- Updated to 1.31.0 ( boo#1265228 boo#1265229 boo#1265230 + boo#1265231 boo#1265232 boo#1265233 ) + *) Security: when using the "proxy_set_body" directive, an + attacker might inject data in the proxied request to an HTTP/2 + backend (CVE-2026-42926). Thanks to Mufeed VH of Winfunc + Research. + *) Security: a heap memory buffer overflow might occur in a worker + process while handling a specially crafted request by + ngx_http_rewrite_module, potentially resulting in arbitrary + code execution (CVE-2026-42945). Thanks to Leo Lin. + *) Security: a heap memory buffer overread might occur in a worker + process while handling a specially crafted response by + ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an + attacker to cause a disclosure of worker process memory or + segmentation fault in a worker process (CVE-2026-42946). + Thanks to Leo Lin. + *) Security: a heap memory buffer overread might occur in a worker + process while handling a specially sent response with decoding + from UTF-8 via the "charset_map" directive, allowing an + attacker to cause a limited disclosure of worker proccess + memory or segmentation fault in a worker process + (CVE-2026-42934). Thanks to David Carlier. + *) Security: when using HTTP/3, processing of connection migration + might cause new QUIC streams to receive a new client address + before validation, allowing an attacker to cause address + spoofing (CVE-2026-40460). Thanks to Rodrigo Laneth. + *) Security: use-after-free might occur during DNS server response + processing if the "ssl_ocsp" directive was used, allowing an + attacker to cause worker process memory corruption or + segmentation fault in a worker process (CVE-2026-40701). + Thanks to Leo Lin. 
+ *) Change: now nginx rejects HTTP/2 and HTTP/3 requests with the + "Connection", "Proxy-Connection", "Keep-Alive", "Transfer-Encoding", + "Upgrade" header lines, and "TE" with any value other than + "trailers". + *) Change: the ngx_http_dav_module now rejects a COPY or MOVE + requests when the source and destination resources are the + same or have a parent-child collection relationship. + *) Change: the logging level of the "invalid alert" and "record + layer failure" SSL errors, and of the "SSL alert number N" for + any alert numbers has been lowered from "crit" to "info". + *) Change: now the "sticky" module can be disabled with the + --without-http_upstream_sticky_module configure option; the + --without-http_upstream_sticky configure option is deprecated. + *) Feature: the ngx_http_tunnel_module; support for + authenticating to proxies in the "auth_basic", "satisfy", and + "auth_delay" directives. + *) Feature: the "least_time" directive inside the "upstream" block. + *) Feature: the "proxy_ssl_alpn" directive in the stream module. + *) Bugfix: connections with HTTP/2 backends might not be cached + when using the "proxy_set_body" or "proxy_pass_request_body" + directives. + *) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might + be transferred incorrectly if the first line was not fully + read. + +------------------------------------------------------------------- +Tue Apr 14 16:36:29 UTC 2026 - Marcus Rueckert <[email protected]> + +- Updated to 1.30.0 + - nginx-1.30.0 stable version has been released, incorporating + new features and bug fixes from the 1.29.x mainline branch — + including Early Hints, HTTP/2 to backend and Encrypted + ClientHello, sticky sessions support for upstreams, Multipath + TCP support, the default proxy HTTP version set to HTTP/1.1 + with keep-alive enabled, and more. 
+ * https://nginx.org/en/CHANGES + * https://github.com/nginx/nginx/releases/tag/release-1.30.0 + +------------------------------------------------------------------- Old: ---- nginx-1.29.8.tar.gz nginx-1.29.8.tar.gz.asc New: ---- nginx-1.31.0.tar.gz nginx-1.31.0.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.KMYDbs/_old 2026-05-16 19:25:13.991775862 +0200 +++ /var/tmp/diff_new_pack.KMYDbs/_new 2026-05-16 19:25:13.995776026 +0200 @@ -24,7 +24,7 @@ %bcond_with awslc # Name: nginx -Version: 1.29.8 +Version: 1.31.0 Release: 0 Summary: A HTTP server and IMAP/POP3 proxy server License: BSD-2-Clause ++++++ nginx-1.29.8.tar.gz -> nginx-1.31.0.tar.gz ++++++ ++++ 3773 lines of diff (skipped)
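Review bot: In the 1.31.0 entry of nginx.changes, the six boo# references in the "Updated to 1.31.0" line are not tied to the six CVE items that follow, so a reader cannot tell which bug report tracks which fix. Putting each boo# next to its CVE at the end of the matching "Security:" item would make the entry auditable. In the same entry, "proccess" in the CVE-2026-42934 item should read "process". The 1.30.0 entry added in the same hunk only links to the upstream CHANGES file, and since the old tarball is nginx-1.29.8.tar.gz, it would help to say explicitly that this submission moves Factory from 1.29.8 straight to 1.31.0.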
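Review bot: The nginx.spec hunk changes only the Version line, yet the new changelog entry announces build-relevant changes: --without-http_upstream_sticky is deprecated in favour of --without-http_upstream_sticky_module, and ngx_http_tunnel_module is new. Please confirm that the configure invocation in the spec does not pass the deprecated option name, and note in the changelog whether the new module is built in this package. The entry also lists a behaviour change that can affect existing deployments after the update (HTTP/2 and HTTP/3 requests carrying "Connection", "Proxy-Connection", "Keep-Alive", "Transfer-Encoding" or "Upgrade" header lines are now rejected), so a short upgrade note for administrators would be worth adding alongside the version bump.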
