Nginx 1.29.8 and FreeNginx Launch with Critical Security Shields

Within the nginx ecosystem, a dual release has emerged, impacting both the project’s primary development branch and its prominent independent fork. The developers continue to refine functional capabilities while simultaneously remediating vulnerabilities that jeopardize server integrity.

The latest iteration, nginx 1.29.8, belongs to the mainline branch where novel features are introduced. Concurrently, the 1.28.x legacy line receives only critical bug fixes. This current trajectory will eventually culminate in the stable 1.30 branch. The project persists under the BSD license, with its codebase authored in C.

This release introduces the max_headers directive, which constrains the number of HTTP headers permitted in a request; exceeding this threshold prompts the server to issue a 400 error. This functionality was integrated from FreeNginx. Furthermore, the developers have ensured compatibility with OpenSSL 4.0, currently in its alpha stage. The include directive’s utility has been expanded, now permitting masks within geo blocks. Beyond these enhancements, an error in processing 103 status codes was rectified, and the erratic behavior of the $request_port and $is_request_port variables within subrequests was resolved.

Simultaneously, FreeNginx 1.29.7 has been unveiled—a fork curated by Maxim Dounin, a pivotal architect of the original project. FreeNginx is positioned as an autonomous codebase liberated from corporate influence, likewise distributed under the BSD license.

In this new version of FreeNginx, support for OpenSSL 4.0 has been implemented alongside the resolution of several security concerns. Developers have mitigated a buffer overflow within the ngx_http_dav_module, which manifested during the processing of WebDAV COPY and MOVE requests when utilizing the alias directive; this flaw was designated CVE-2026-27654. Additionally, a defect permitting data manipulation via DNS PTR records—which allowed adversaries to interfere with auth_http requests and the XCLIENT command during SMTP backend connections—was addressed under the identifier CVE-2026-28753.