We are happy to announce the new formal release, 1.29.2.3, of the OpenResty web platform based on NGINX and LuaJIT.

Download this version here.

The (portable) source code distribution, the pre-built binary Linux packages for Ubuntu, Debian, Fedora, CentOS, RHEL, OpenSUSE, Amazon Linux are provided on this Download page.

Version highlights

• backported patches from nginx

  • CVE-2026-27654: Buffer overflow in ngx_http_dav_module
  • CVE-2026-27784: Buffer overflow in the ngx_http_mp4_module
  • CVE-2026-32647: Buffer overflow in the ngx_http_mp4_module
  • CVE-2026-27651: NULL pointer dereference while using CRAM-MD5 or APOP
  • CVE-2026-28753: Injection in auth_http and XCLIENT
  • CVE-2026-28755: OCSP result bypass in stream
  • CVE-2026-1642: SSL upstream injection

• upgraded lua-nginx-module to v0.10.30rc2

  • feature: add ffi ngx_http_lua_ffi_socket_tcp_get_ssl_pointer() and ffi ngx_http_lua_ffi_socket_tcp_get_ssl_ctx(). Thanks lijunlong for the patch.
  • feature: add new API: tcpsock:getsslsession. Thanks lijunlong for the patch.
  • feature: add ngx_http_lua_ffi_get_upstream_ssl_pointer. Thanks lijunlong for the patch.
  • feature: add precontent_by_lua directives Thanks Hanada for the patch.
  • feature: add server random and master key fetch api. Thanks xiangwei for the patch.
  • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
  • feature: proxy_ssl_verify_by_lua* directives Thanks willmafh for the patch.
  • feature: update to version v0.1.30. Thanks lijunlong for the patch.
  • optimize: add upstream server information to the error log of cosocket. Thanks lijunlong for the patch.
  • bugfix: clear wait timer in ngx_http_lua_pipe_proc_wait_cleanup to prevent SIGSEGV on QUIC connection close Thanks Jun Ouyang for the patch.
  • bugfix: prevent NULL dereference in SSL cache by ensuring old_cycle is set Thanks Jun Ouyang for the patch.
  • bugfix: prevent use-after-free crash in ngx_http_lua_pipe by ensuring connections are closed before pool destruction in quic connection close path. Thanks Jun Ouyang for the patch.
  • bugfix: prevent uthread crash by checking coroutine reference before deletion. Thanks Jun Ouyang for the patch.

• upgraded stream-lua-nginx-module

  • feature: add ffi api ngx_stream_lua_ffi_socket_tcp_getfd. Thanks lijunlong for the patch.
  • feature: add ffi functions ngx_stream_lua_ffi_socket_tcp_get_ssl_pointer() and ngx_stream_lua_ffi_socket_tcp_get_ssl_ctx(). Thanks lijunlong for the patch.
  • feature: add new API: tcpsock:get_ssl_session. Thanks lijunlong for the patch.
  • feature: add ngx_stream_lua_ffi_get_upstream_ssl_pointer. Thanks lijunlong for the patch.
  • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
  • feature: implement serversslhandshake method on downstream sockets (#392) Thanks Rob Mueller for the patch.
  • feature: proxy_ssl_certificate_by_lua directives Thanks willmafh for the patch.
  • optimize: add upstream server information to the error log of cosocket. Thanks lijunlong for the patch.
  • bugfix: didn't close cosocket when nginx shutdown timer has been triggered. Thanks lijunlong for the patch.
  • bugfix: prevent uthread crash by checking coroutine reference before deletion. Thanks Jun Ouyang for the patch.

• upgraded lua-resty-core to v0.1.33rc2

  • feature: add fetch server random and master key lua api Thanks mengxiangwei for the patch.
  • feature: add new API: tcpsock:getsslsession. Thanks lijunlong for the patch.
  • feature: add precontent_by_lua directives. Thanks Hanada for the patch.
  • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
  • feature: add sock:getsslpointer() and sock:getsslctx(). Thanks lijunlong for the patch.
  • feature: add ssl.get_upstream_ssl_pointer. Thanks lijunlong for the patch.
  • feature: add tcpsock.getfd() for stream subsystem. Thanks lijunlong for the patch.
  • feature: proxy_ssl_certificate_by_lua directives Thanks willmafh for the patch.

• upgraded luajit2 to v2.1-20260311

  • Add ffi.abi("dualnum"). Thanks Mike Pall for the patch.
  • Allow mcode allocations outside of the jump range to the support code. Thanks Mike Pall for the patch.
  • ARM64: Enable unaligned accesses if indicated by the toolchain. Thanks Mike Pall for the patch.
  • ARM64: Fix disassembly of >2GB branch targets. Thanks Mike Pall for the patch.
  • ARM64: Fix disassembly of certain sub-word-size loads/stores. Thanks Mike Pall for the patch.
  • ARM64: More fixes for ARM BTI. Thanks Mike Pall for the patch.
  • Avoid recording interference due to invocation of VM hooks. Thanks Mike Pall for the patch.
  • Back out MSVC LJ_CONSTF declaration. Thanks Mike Pall for the patch.
  • bugfix: failed to build with LUA_USE_TRACE_LOGS defined. Thanks lijunlong for the patch.
  • DUALNUM: Add missing type conversion for FORI slots. Thanks Mike Pall for the patch.
  • DUALNUM: Improve/fix edge cases of unary minus. Thanks Mike Pall for the patch.
  • FFI: Avoid dangling cts->L. Thanks Mike Pall for the patch.
  • FFI: Fix constructor index resolution in JIT compiler. Thanks Mike Pall for the patch.
  • Fix compiler warning. Thanks Mike Pall for the patch.
  • Fix edge cases when generating IR for string.byte/sub/find. Thanks Mike Pall for the patch.
  • Fix edge cases when recording string.byte/sub. Thanks Mike Pall for the patch.
  • Fix G->jit_base relocation on stack resize. Thanks Mike Pall for the patch.
  • Fix minilua undefined behavior in bit.tohex. Thanks Mike Pall for the patch.
  • Fix MSVC LJ_CONSTF declaration. Thanks Mike Pall for the patch.
  • Fix string.format for limited precision FP conversions. Thanks Mike Pall for the patch.
  • Implement double-to-integer conversions for s390x (#256) Thanks Ilya Leoshkevich for the patch.
  • Prevent recording of loops with -0 step or NaN values. Thanks Mike Pall for the patch.
  • Prevent snapshot purge while recording a function header. Thanks Mike Pall for the patch.
  • Remove compiler flag for FP conversions. Now unnecessary. Thanks Mike Pall for the patch.
  • Remove pointless GCC/MSVC const function attributes. Thanks Mike Pall for the patch.
  • Run VM events and finalizers in separate state. Thanks Mike Pall for the patch.
  • Unify Lua number to FFI integer conversions. Thanks Mike Pall for the patch.
  • x64/!LJ_GC64: The allocation limit is required for a no-JIT build, too. Thanks Mike Pall for the patch.
  • x86/x64: Backport fix for math.min()/math.max() argument check. Thanks Mike Pall for the patch.

Complete change logs since the last (formal) release, 1.29.2.1, can be browsed in the page Change Log for 1.29.2.x.

Testing

We have run extensive testing on our Amazon EC2 test cluster and ensured that all the components (including the Nginx core) play well together. The latest test report can always be found here:

https://qa.openresty.org/

We also always run our OpenResty Edge commercial software based on the latest open source version of OpenResty in our own global CDN network (dubbed "mini CDN") powering our openresty.org and openresty.com websites. See https://openresty.com/ for more details.

Community Support

See the Community Page.

Commercial Support

Commercial technical support and real-time noninvasive online monitoring and profiling solution is provided through the official OpenResty XRay product.

Feedback

Feedback on this release is more than welcome. Feel free to create new GitHub issues or send emails to one of our mailing lists.