Code:
Changes with nginx 1.28.2 04 Feb 2026
*) Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
*) Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
*) Bugfix: fixed warning when compiling with MSVC 2022 x86.
Code:
Changes with nginx 1.29.5 04 Feb 2026
*) Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
*) Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream.
*) Bugfix: a response with multiple ranges might be larger than the
source response.
*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and
uwsgi backends.
*) Bugfix: fixed warning when compiling with MSVC 2022 x86.
*) Change: the logging level of the "ech_required" SSL error has been
lowered from "crit" to "info".