Nginx Releases Stable 1.22.1 and Mainline 1.23.2 with Security Fixes and New Features
Nginx has announced two new releases—stable 1.22.1 and mainline 1.23.2—primarily addressing security vulnerabilities in the mp4 module while also introducing new variables, TLS session handling improvements, logging level adjustments, and several bug fixes and workarounds.
Nginx published two new versions, the stable branch 1.22.1 and the mainline branch 1.23.2, with updates mainly focused on security fixes.
nginx 1.22.1
Security fix: handling specially crafted MP4 files with ngx_http_mp4_module could cause worker crashes, memory leaks, and corruption (CVE-2022-41741, CVE-2022-41742).
nginx 1.23.2
Security fix: same MP4 module issue as 1.22.1 (CVE-2022-41741, CVE-2022-41742).
New feature: introduced the $proxy_protocol_tlv_... variable.
New feature: when using shared memory in the ssl_session_cache directive, TLS session credential encryption keys are switched automatically.
Change: the log level for "bad record type" SSL errors was lowered from "crit" to "info".
Change: errors about "cannot allocate new session" are now logged at "warn" level (instead of "alert") and limited to once per second when using shared memory in ssl_session_cache.
Bugfix: resolved the issue where nginx/Windows could not be built with OpenSSL 3.0.x.
Bugfix: fixed logging errors for the PROXY protocol.
Workaround: when using TLSv1.3 with OpenSSL, shared memory from ssl_session_cache is used for sessions that employ TLS session credentials.
Workaround: when using OpenSSL or BoringSSL with TLSv1.3, the timeout set by ssl_session_timeout does not take effect.
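To check a host against the two fixed releases listed above, the following added example (not code from the nginx project or the original article) classifies the output of `nginx -V`. The function name `mp4_fix_status` and its status strings are hypothetical, and it assumes any build older than 1.22.1 or 1.23.2 lacks the fix unless a distributor backported it.

```shell
#!/bin/sh
# Added example, not from the nginx project.
# Assumption: a build older than 1.22.1 (stable) or 1.23.2 (mainline) lacks the
# mp4 fix. Distributor backports are not visible in the version string.

# Usage on a host: mp4_fix_status "$(nginx -V 2>&1)"
# Echoes: fixed | module-absent | needs-update | unknown
mp4_fix_status() {
    info=$1
    # Version line looks like "nginx version: nginx/1.22.0".
    ver=$(printf '%s\n' "$info" |
        sed -n 's|^nginx version: nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }

    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}

    # Fixed: 1.22.x at or above 1.22.1, or anything at or above 1.23.2.
    if [ "$major" -gt 1 ] ||
       { [ "$major" -eq 1 ] && [ "$minor" -gt 23 ]; } ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 23 ] && [ "$patch" -ge 2 ]; } ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 22 ] && [ "$patch" -ge 1 ]; }
    then
        echo fixed; return 0
    fi

    # ngx_http_mp4_module is only compiled in when this configure flag is present.
    case $info in
        *--with-http_mp4_module*) echo needs-update ;;
        *) echo module-absent ;;
    esac
}

# Constructed sample of `nginx -V` output (not captured from a real host).
sample_old='nginx version: nginx/1.22.0
configure arguments: --with-http_ssl_module --with-http_mp4_module'
mp4_fix_status "$sample_old"
```

A result of module-absent means the build does not include the mp4 module at all; needs-update means an unfixed version with the module compiled in.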
Laravel Tech Community
Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.