Fedora Security Advisories

*) Security: processing of a specially crafted login/password when using the "none" authentication method in the ngx_mail_smtp_module might cause worker process memory disclosure to the authentication server (CVE-2025-53859). *) Bugfix: a segmentation fault might occur in a worker process if the "try_files" directive and "proxy_pass" with a URI were used. *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9. *) Bugfix: in handling "Host" header lines with a port when using HTTP/3. *) Bugfix: an XCLIENT command didn't use the xtext encoding. Thanks to Igor Morgenstern of Aisle Research. *) Bugfix: in SSL certificate caching during reconfiguration. *) Bugfix: in delta-seconds processing in the "Cache-Control" backend response header line. *) Change: the native nginx/Windows binary release is now built using Windows SDK 10. *) Bugfix: nginx could not be built on NetBSD 10.0. *) Bugfix: in HTTP/3.

nginx-1.28.1-1.fc44 nginx-mod-brotli-1.0.0~rc-4.fc44 nginx-mod-fancyindex-0.5.2-13.fc44 nginx-mod-headers-more-0.39-4.fc44 nginx-mod-modsecurity-1.0.4-5.fc44 nginx-mod-naxsi-1.6-12.fc44 nginx-mod-vts-0.2.4-4.fc44

3 days 17 hours ago

FEDORA-2025-530e10091c Packages in this update:

nginx-1.28.1-1.fc44
nginx-mod-brotli-1.0.0~rc-4.fc44
nginx-mod-fancyindex-0.5.2-13.fc44
nginx-mod-headers-more-0.39-4.fc44
nginx-mod-modsecurity-1.0.4-5.fc44
nginx-mod-naxsi-1.6-12.fc44
nginx-mod-vts-0.2.4-4.fc44

Update description:

Changes with nginx 1.28.1 23 Dec 2025

*) Security: processing of a specially crafted login/password when using the "none" authentication method in the ngx_mail_smtp_module might cause worker process memory disclosure to the authentication server (CVE-2025-53859). *) Bugfix: a segmentation fault might occur in a worker process if the "try_files" directive and "proxy_pass" with a URI were used. *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9. *) Bugfix: in handling "Host" header lines with a port when using HTTP/3. *) Bugfix: an XCLIENT command didn't use the xtext encoding. Thanks to Igor Morgenstern of Aisle Research. *) Bugfix: in SSL certificate caching during reconfiguration. *) Bugfix: in delta-seconds processing in the "Cache-Control" backend response header line. *) Change: the native nginx/Windows binary release is now built using Windows SDK 10. *) Bugfix: nginx could not be built on NetBSD 10.0. *) Bugfix: in HTTP/3.

nginx-1.28.1-1.fc43 nginx-mod-brotli-1.0.0~rc-4.fc43 nginx-mod-fancyindex-0.5.2-13.fc43 nginx-mod-headers-more-0.39-4.fc43 nginx-mod-modsecurity-1.0.4-5.fc43 nginx-mod-naxsi-1.6-12.fc43 nginx-mod-vts-0.2.4-4.fc43

Fedora Security Advisories

3 days 17 hours ago

FEDORA-2025-8aa169ea14 Packages in this update:

nginx-1.28.1-1.fc43
nginx-mod-brotli-1.0.0~rc-4.fc43
nginx-mod-fancyindex-0.5.2-13.fc43
nginx-mod-headers-more-0.39-4.fc43
nginx-mod-modsecurity-1.0.4-5.fc43
nginx-mod-naxsi-1.6-12.fc43
nginx-mod-vts-0.2.4-4.fc43

Update description:

Changes with nginx 1.28.1 23 Dec 2025

*) Security: processing of a specially crafted login/password when using the "none" authentication method in the ngx_mail_smtp_module might cause worker process memory disclosure to the authentication server (CVE-2025-53859). *) Bugfix: a segmentation fault might occur in a worker process if the "try_files" directive and "proxy_pass" with a URI were used. *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9. *) Bugfix: in handling "Host" header lines with a port when using HTTP/3. *) Bugfix: an XCLIENT command didn't use the xtext encoding. Thanks to Igor Morgenstern of Aisle Research. *) Bugfix: in SSL certificate caching during reconfiguration. *) Bugfix: in delta-seconds processing in the "Cache-Control" backend response header line. *) Change: the native nginx/Windows binary release is now built using Windows SDK 10. *) Bugfix: nginx could not be built on NetBSD 10.0. *) Bugfix: in HTTP/3.