Formed on February 14, 2024, the main branch of Nginx 1.25.4 continues its development of new features and opportunities. Meanwhile, the stable branch 1.24.x receives updates focused on eliminating critical errors and vulnerabilities. Eventually, the stable branch will transition to version 1.26 based on the main branch 1.25.x. Nginx is a project written in SI language and spreads under the BSD license.
The latest version of Nginx includes fixes for two vulnerabilities found in the experimental module called http_v3_module. This module, which is disabled by default, provides support for the HTTP protocol/3 using the QUIC protocol as a transport for http/2. The first vulnerability (CVE-2024-24989) stems from a null pointer dereference, while the second vulnerability (CVE-2024-24990) involves accessing memory after its release. Both vulnerabilities could potentially cause the work process to terminate when processing specially designed QUIC sessions. However, a thorough analysis of the consequences for the second vulnerability has not been conducted yet.
In addition to addressing vulnerabilities, the new version of Nginx includes general improvements and corrections for the implementation of http/3. It also resolves issues related to socket management, juket errors, emergency completion during the use of AIO, and premature closure of connections with incomplete AIO operations. Specifically, the update solves the emergency completion problem when redirecting errors with code 415 using the Error_Page directive in SSL circuit and Image_filter directive scenarios.
Furthermore, Nginx released njs 0.8.4, a JavaScript language interpreter for the Nginx web server. The NJS interpreter adheres to ECMAScript standards and enhances NGINX’s capabilities for request processing through script usage in the configuration. These scripts serve various purposes such as determining advanced request processing logic, configuring settings, dynamically generating responses, modifying requests/responses, or quickly creating solutions for web applications. The new version of njs mainly focuses on error correction.