NGINX Plus Release 32 (R32)

29 May 2024
Based on NGINX Open Source 1.25.5

NGINX Plus R32 is a feature release:

  • SSL certificate caching, which improves NGINX startup time and memory usage for configurations with a large number of locations that share a relatively small number of unique certificate/key pairs

  • The stream_pass module, which allows passing the accepted connection directly to any configured listening socket in the http, stream, mail, and other similar modules

  • NGINX Plus official container images

  • Virtual servers in the stream module

  • The deferred, accept_filter, and setfib parameters of the listen directive in the stream module

  • Cache line size detection for some architectures

  • Security fixes:

    • Heap Overflow w/ write (CVE-2024-32760): Undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other possible impacts

    • Stack Overflow / Use after free (CVE-2024-31079): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts. This attack requires that a request be specifically timed during the connection draining process, over which the attacker has no visibility and only limited influence

    • Null Pointer Dereference w/ Empty Header (CVE-2024-35200): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts

    • Memory Disclosure during QUIC handshake (CVE-2024-34161): When the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC messages can cause NGINX worker processes to terminate or cause leakage of previously freed memory

  • Bugfixes:

    • in the MQTT Filter module: malformed packets when using default properties

    • in the zone_sync module: memory leak on configuration reload

    • Unexpected connection closure while using 0-RTT in QUIC

    • Connections with pending AIO operations might be closed prematurely during graceful shutdown of old worker processes

    • Socket leak alerts no longer logged when fast shutdown was requested after graceful shutdown of old worker processes

    • A socket descriptor error, a socket leak, or a segmentation fault in a worker process (for SSL proxying) might occur if AIO was used in a subrequest

    • A segmentation fault might occur in a worker process if SSL proxying was used along with the image_filter directive and errors with code 415 were redirected with the error_page directive

    • Bugfixes and improvements in HTTP/3

  • New features and bugfixes in njs:

    • setting the Server header for outgoing headers

    • QuickJS engine support in CLI
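
The stream_pass module and the new stream listen parameters, as an added example that is not part of the release notes or of the NGINX sources: a shell script that writes a drop-in configuration using both and, when an nginx binary is on PATH, runs nginx -t over it. The stream server on :443 applies an address ACL, reads the SNI with ssl_preread without terminating TLS, and hands the accepted connection to an internal http or stream listener bound to loopback. Hostnames, ports, certificate paths and the denied range are placeholders, and the example relies on the documented support for variables in the pass address.

```shell
#!/bin/sh
# Added example, not taken from the NGINX Plus release notes or the NGINX
# sources: a drop-in config that uses the R32 stream_pass module as a single
# TLS front door on :443. Hostnames, ports, cert paths and the ACL range are
# placeholders. Assumes (per the module documentation) that the pass address
# may contain variables.

stream_pass_conf() {
cat <<'EOF'
events { }

stream {
    # Choose the internal listener from the SNI in the ClientHello.
    map $ssl_preread_server_name $target {
        db.example.test   127.0.0.1:5433;   # TLS-wrapped TCP service
        default           127.0.0.1:8443;   # HTTPS
    }

    server {
        # deferred is one of the listen parameters new to the stream module in R32
        listen 443 deferred;

        # Front-door policy, applied before any TLS or protocol parsing runs
        deny  192.0.2.0/24;
        allow all;

        ssl_preread on;

        # Hand the accepted connection over: no second TCP connection and no
        # proxied copy of the bytes, unlike proxy_pass
        pass $target;
    }

    # Internal listener, reachable only through the front door
    server {
        listen 127.0.0.1:5433 ssl;
        ssl_certificate     /etc/nginx/certs/example.crt;
        ssl_certificate_key /etc/nginx/certs/example.key;
        proxy_pass 127.0.0.1:5432;
    }
}

http {
    server {
        # Internal listener, reachable only through the front door
        listen 127.0.0.1:8443 ssl;
        server_name www.example.test;
        ssl_certificate     /etc/nginx/certs/example.crt;
        ssl_certificate_key /etc/nginx/certs/example.key;
        location / {
            return 200 "served by the http listener behind stream_pass\n";
        }
    }
}
EOF
}

# Write the drop-in to the given path and, when an nginx binary is available,
# run its parser over it. nginx -t also needs the certificate files above to
# exist, so a failure is reported rather than treated as fatal here.
install_stream_pass_conf() {
    out="$1"
    stream_pass_conf > "$out"
    if command -v nginx >/dev/null 2>&1; then
        nginx -t -c "$out" && echo "config parsed OK" \
            || echo "nginx -t reported problems (see messages above)"
    fi
    echo "$out"
}

# Usage: install_stream_pass_conf /etc/nginx/stream_pass.conf
```

Because the internal listeners bind to 127.0.0.1, the only path in is the front door, so allow/deny and any other stream-phase controls apply before the http or TLS code sees a byte. The address given to pass must be one this same NGINX instance listens on: the connection is handed over in-process, not proxied.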

NGINX Plus R32 is supported on:

  • AlmaLinux 8, 9
  • Alpine Linux 3.16, 3.17, 3.18, 3.19
  • Amazon Linux 2 LTS, 2023
  • CentOS 7.4+
  • Debian 11, 12
  • FreeBSD 13, 14
  • Oracle Linux 7.4+, 8.1+, 9
  • RHEL 7.4+, 8.1+, 9.0+
  • Rocky Linux 8, 9
  • SUSE Linux Enterprise Server 12 SP5, 15 SP2
  • Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS

Notes:

  • Ubuntu 24.04 LTS is new in this release
  • CentOS 7 is deprecated
  • RHEL 7 is deprecated
  • Oracle Linux 7 is deprecated
  • FreeBSD 12 is removed
  • OpenTracing dynamic module (package name is nginx-plus-module-opentracing) is deprecated
  • ModSecurity WAF dynamic module (package name is nginx-plus-module-modsecurity) reached end of support and is no longer available

More information: Announcing NGINX Plus R32

NGINX Plus R32 Update

This is a security release for NGINX Plus R32.

NGINX Plus R32 P1
14 August 2024

  • Security:

    • In the MQTT Filter module, undisclosed requests can cause an increase in memory resource utilization (CVE-2024-39792)

    • In the MP4 module, a specially crafted mp4 file can cause an NGINX worker memory over-read, resulting in termination of the worker process (CVE-2024-7347)

  • Various fixes in SSL certificate caching
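
The four HTTP/3 fixes in R32 only reach code that runs when HTTP/3 is enabled, that is, when a listen directive carries the quic parameter; likewise the R32 P1 fixes apply only where the mp4 directive or the MQTT filter directives are configured. The following script is an added example, not from the release notes or from NGINX, that greps a configuration for those enabling directives so you can tell which of the fixes matter for a given deployment. The sample configuration embedded in it is constructed for the demonstration; the script does not expand include directives, it only lists them for follow-up.

```shell
#!/bin/sh
# Added example, not part of the NGINX Plus release notes: an exposure check
# for the R32 / R32 P1 security fixes. Each fix only matters where the
# corresponding feature is configured, so the script greps a config for the
# directives that enable it. It tells you which CVEs apply; it is not a
# substitute for upgrading.

# Print the config with comments removed, so a commented-out
# "listen 443 quic" does not count as a finding.
strip_comments() {
    sed 's/#.*$//' "$@"
}

# Count listen directives carrying the quic parameter. These enable HTTP/3,
# the code fixed by CVE-2024-32760, CVE-2024-31079, CVE-2024-35200 and
# CVE-2024-34161. grep -c exits 1 on zero matches, hence "|| true".
count_quic_listeners() {
    strip_comments "$@" \
        | grep -Ec '^[[:space:]]*listen[[:space:]].*[[:space:]]quic([[:space:]]|;)' || true
}

# Count "mp4;" directives (ngx_http_mp4_module), the code fixed by
# CVE-2024-7347 in R32 P1.
count_mp4_locations() {
    strip_comments "$@" | grep -Ec '^[[:space:]]*mp4[[:space:]]*;' || true
}

# Count MQTT filter directives (mqtt, mqtt_preread, ...), the code fixed by
# CVE-2024-39792 in R32 P1.
count_mqtt_directives() {
    strip_comments "$@" | grep -Ec '^[[:space:]]*mqtt(_[a-z_]+)?[[:space:]]' || true
}

# List include directives so the caller knows which files still need a pass;
# globs are printed as written, not expanded.
list_includes() {
    strip_comments "$@" \
        | sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^;]*\);.*/\1/p'
}

# Constructed sample standing in for /etc/nginx/nginx.conf.
sample_conf() {
    cat <<'EOF'
events { }
http {
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 443 ssl;
        listen 443 quic reuseport;      # HTTP/3 on: the R32 HTTP/3 fixes apply
        # listen 8443 quic;             # commented out, must not count
        location /video/ {
            mp4;                        # R32 P1 MP4 fix applies
        }
    }
}
stream {
    server {
        listen 1883;
        mqtt_preread on;                # R32 P1 MQTT fix applies
        proxy_pass 127.0.0.1:11883;
    }
}
EOF
}

# Print one summary line per file, followed by any includes still to check.
report() {
    for f in "$@"; do
        printf '%s: quic listeners=%s mp4=%s mqtt=%s\n' "$f" \
            "$(count_quic_listeners "$f")" \
            "$(count_mp4_locations "$f")" \
            "$(count_mqtt_directives "$f")"
        list_includes "$f" | sed 's/^/  unchecked include: /'
    done
}

# Demo on the constructed sample; on a real host run e.g.
#   report /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf
tmp=$(mktemp)
sample_conf > "$tmp"
report "$tmp"
rm -f "$tmp"
```

A zero count for a directive means the corresponding fix is not reachable from that configuration as written; a non-zero count means the deployment should be on R32 P1 (or on a build that includes these fixes) before it takes untrusted traffic on that listener.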