Editions of NGINX 1.21.0 and NGINX 1.20.1 with a vulnerability elimination

is presented the first release of the new main branch of NGINX 1.21.0, within which the development of new ones will continue opportunities. At the same time, is prepared corrective release of a parallel maintained stable branch 1.20.1, in which only changes are made, Related to eliminate serious errors and vulnerabilities. Next year, on the basis of the main branch 1.21.x, a stable branch will be formed 1.22.

In the new versions, CVE-2021-23017 ) in code to resolve host names in DNS, which can lead to Crash or potentially to perform an attacker code. The problem is manifested by processing certain responses of the DNS server, leading to a single-way buffer overflow. Vulnerability is manifested only when you turn on in the DNS resolver settings using the directive “ resolver “. To make an attack, an attacker must be able to fake UDP packets from the DNS server or get control of the DNS server. Vulnerability is manifested from the release of NGINX 0.6.18. To eliminate the problem in old issues, you can use patch .

Changes in NGINX 1.21.0, not related to security:

  • in the “proxy_ssl_certificate” directives, “proxy_ssl_certificate_key” “grpc_ssl_certificate”, “grpc_ssl_certificate_key”, “uwsgi_ssl_certificate” and “uwsgi_ssl_certificate_key” added support for variables.
  • in mail proxy module Added support for “PipeLining” to transmit multiple POP3 or IMAP requests in one Connection, as well as added a new directive “ max_errors” , defining the maximum number of protocol errors after which the connection will be closed.
  • The “Fastopen” parameter is added to the Stream module, which includes the “TCP Fast Open” mode for listening sockets.
  • solved problems with the screening of specialsters with an automatic redirect with adding to the end of the slash.
  • solved the problem with closing client connections when using SMTP PipeLining.
/Media reports.