Version 1.29.2.3 - 25 Mar 2025

• backported patches from nginx

  • CVE-2026-27654: Buffer overflow in ngx_http_dav_module
  • CVE-2026-27784: Buffer overflow in the ngx_http_mp4_module
  • CVE-2026-32647: Buffer overflow in the ngx_http_mp4_module
  • CVE-2026-27651: NULL pointer dereference while using CRAM-MD5 or APOP
  • CVE-2026-28753: Injection in auth_http and XCLIENT
  • CVE-2026-28755: OCSP result bypass in stream
  • CVE-2026-1642: SSL upstream injection

• upgraded lua-nginx-module to v0.10.30rc2

  • feature: add ffi ngx_http_lua_ffi_socket_tcp_get_ssl_pointer() and ffi ngx_http_lua_ffi_socket_tcp_get_ssl_ctx(). Thanks lijunlong for the patch.
  • feature: add new API: tcpsock:getsslsession. Thanks lijunlong for the patch.
  • feature: add ngx_http_lua_ffi_get_upstream_ssl_pointer. Thanks lijunlong for the patch.
  • feature: add precontent_by_lua directives Thanks Hanada for the patch.
  • feature: add server random and master key fetch api. Thanks xiangwei for the patch.
  • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
  • feature: proxy_ssl_verify_by_lua* directives Thanks willmafh for the patch.
  • feature: update to version v0.1.30. Thanks lijunlong for the patch.
  • optimize: add compatibility for freenginx. Thanks Sergey A. Osokin for the patch.
  • optimize: add upstream server information to the error log of cosocket. Thanks lijunlong for the patch.
  • bugfix: clear wait timer in ngx_http_lua_pipe_proc_wait_cleanup to prevent SIGSEGV on QUIC connection close Thanks Jun Ouyang for the patch.
  • bugfix: failed to build proxy_ssl* with openssl 1.0.2. Thanks lijunlong for the patch.
  • bugfix: fix the compatibility issue for freenginx. Thanks Y.Horie for the patch.
  • bugfix: prevent NULL dereference in SSL cache by ensuring old_cycle is set Thanks Jun Ouyang for the patch.
  • bugfix: prevent use-after-free crash in ngx_http_lua_pipe by ensuring connections are closed before pool destruction in quic connection close path. Thanks Jun Ouyang for the patch.
  • bugfix: prevent uthread crash by checking coroutine reference before deletion. Thanks Jun Ouyang for the patch.
  • doc: fixed typo. Thanks leslie for the patch.
  • doc: typo fixes and delete incorrect statements. Thanks willmafh for the patch.
  • doc: update copyright. Thanks lijunlong for the patch.
  • test: fix flaky test at boringssl environment. Thanks Jun Ouyang for the patch.

• upgraded stream-lua-nginx-module

  • feature: add ffi api ngx_stream_lua_ffi_socket_tcp_getfd. Thanks lijunlong for the patch.
  • feature: add ffi functions ngx_stream_lua_ffi_socket_tcp_get_ssl_pointer() and ngx_stream_lua_ffi_socket_tcp_get_ssl_ctx(). Thanks lijunlong for the patch.
  • feature: add new API: tcpsock:get_ssl_session. Thanks lijunlong for the patch.
  • feature: add ngx_stream_lua_ffi_get_upstream_ssl_pointer. Thanks lijunlong for the patch.
  • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
  • feature: implement serversslhandshake method on downstream sockets (#392) Thanks Rob Mueller for the patch.
  • feature: proxy_ssl_certificate_by_lua directives Thanks willmafh for the patch.
  • feature: update version to v0.0.18. Thanks lijunlong for the patch.
  • optimize: add compatibility for freenginx. Thanks Sergey A. Osokin for the patch.
  • optimize: add upstream server information to the error log of cosocket. Thanks lijunlong for the patch.
  • bugfix: didn't close cosocket when nginx shutdown timer has been triggered. Thanks lijunlong for the patch.
  • bugfix: failed to build with old ssl. Thanks lijunlong for the patch.
  • bugfix: prevent uthread crash by checking coroutine reference before deletion. Thanks Jun Ouyang for the patch.
  • bugfix: supress clang warning. Thanks lijunlong for the patch.

• upgraded lua-resty-core to v0.1.33rc2

  • feature: add fetch server random and master key lua api Thanks mengxiangwei for the patch.
  • feature: add new API: tcpsock:getsslsession. Thanks lijunlong for the patch.
  • feature: add precontent_by_lua directives. Thanks Hanada for the patch.
  • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
  • feature: add sock:getsslpointer() and sock:getsslctx(). Thanks lijunlong for the patch.
  • feature: add ssl.get_upstream_ssl_pointer. Thanks lijunlong for the patch.
  • feature: add tcpsock.getfd() for stream subsystem. Thanks lijunlong for the patch.
  • feature: proxy_ssl_certificate_by_lua directives Thanks willmafh for the patch.
  • optimize: more detail error message when loading wrong lua-nginx-module. Thanks lijunlong for the patch.
  • bugfix: failed to load socket.lua when building without ssl. Thanks lijunlong for the patch.
  • doc: typo fixes. Thanks Chrono for the patch.

• upgraded luajit2 to v2.1-20260311

  • Add ffi.abi("dualnum"). Thanks Mike Pall for the patch.
  • Allow mcode allocations outside of the jump range to the support code. Thanks Mike Pall for the patch.
  • ARM64: Enable unaligned accesses if indicated by the toolchain. Thanks Mike Pall for the patch.
  • ARM64: Fix disassembly of >2GB branch targets. Thanks Mike Pall for the patch.
  • ARM64: Fix disassembly of certain sub-word-size loads/stores. Thanks Mike Pall for the patch.
  • ARM64: More fixes for ARM BTI. Thanks Mike Pall for the patch.
  • Avoid recording interference due to invocation of VM hooks. Thanks Mike Pall for the patch.
  • Back out MSVC LJ_CONSTF declaration. Thanks Mike Pall for the patch.
  • bcsave.lua: add ppc64 and ppc64le mappings Thanks Piotr Kubaj for the patch.
  • bugfix: failed to build with LUA_USE_TRACE_LOGS defined. Thanks lijunlong for the patch.
  • DUALNUM: Add missing type conversion for FORI slots. Thanks Mike Pall for the patch.
  • DUALNUM: Fix narrowing of unary minus. Thanks Mike Pall for the patch.
  • DUALNUM: Fix recording of loops broken by previous change. Thanks Mike Pall for the patch.
  • DUALNUM: Improve/fix edge cases of unary minus. Thanks Mike Pall for the patch.
  • ELF/Mach-O: Force default visibility for public API functions. Thanks Mike Pall for the patch.
  • FFI: Avoid dangling cts->L. Thanks Mike Pall for the patch.
  • FFI: Fix constructor index resolution in JIT compiler. Thanks Mike Pall for the patch.
  • Fix compiler warning. Thanks Mike Pall for the patch.
  • Fix edge cases when generating IR for string.byte/sub/find. Thanks Mike Pall for the patch.
  • Fix edge cases when recording string.byte/sub. Thanks Mike Pall for the patch.
  • Fix G->jit_base relocation on stack resize. Thanks Mike Pall for the patch.
  • Fix minilua undefined behavior in bit.tohex. Thanks Mike Pall for the patch.
  • Fix MSVC LJ_CONSTF declaration. Thanks Mike Pall for the patch.
  • Fix string.format for limited precision FP conversions. Thanks Mike Pall for the patch.
  • Ignore PDB files for git. Thanks Mike Pall for the patch.
  • Implement double-to-integer conversions for s390x (#256) Thanks Ilya Leoshkevich for the patch.
  • macOS: Change Mach-O object file layout required by XCode 15.0. Thanks Mike Pall for the patch.
  • MIPS64: Avoid unaligned load in lj_vm_exit_interp. Thanks Mike Pall for the patch.
  • PPC: Fix soft-float lj_num2u64(). Thanks Mike Pall for the patch.
  • Prevent recording of loops with -0 step or NaN values. Thanks Mike Pall for the patch.
  • Prevent snapshot purge while recording a function header. Thanks Mike Pall for the patch.
  • Remove compiler flag for FP conversions. Now unnecessary. Thanks Mike Pall for the patch.
  • Remove pointless GCC/MSVC const function attributes. Thanks Mike Pall for the patch.
  • Run VM events and finalizers in separate state. Thanks Mike Pall for the patch.
  • s390x: simplify ceil/floor code (#246) Thanks J. Neuschäfer for the patch.
  • Unify Lua number to FFI integer conversions. Thanks Mike Pall for the patch.
  • x64/!LJ_GC64: The allocation limit is required for a no-JIT build, too. Thanks Mike Pall for the patch.
  • x86/x64: Backport fix for math.min()/math.max() argument check. Thanks Mike Pall for the patch.

Version 1.29.2.1 - 14 Jan 2025

• Nginx core

  • Upgrade from nginx 1.27.1 to 1.29.2.

• OpenSSL

  • upgraded from version 3.4.1 to 3.5.5.

• PCRE

  • upgraded from version 10.44 to 10.47.

• lua-nginx-module v0.10.29

  • feature: added ngx_http_lua_ffi_ssl_get_client_hello_ext_present(). Thanks Gabriel Clima for the patch.
  • feature: add function to bypass HTTP conditional request checks (#2401) Thanks kurt for the patch.
  • feature: add lua_ssl_key_log directive. Thanks willmafh for the patch.
  • feature: add ngx_http_lua_ffi_req_shared_ssl_ciphers(). Thanks Sunny Chan for the patch.
  • feature: add sock:getfd(). Thanks lijunlong for the patch.
  • feature: Export three functions for manipulating ngx_http_lua_co_ctx_t structures. Thanks lijunlong for the patch.
  • feature: ngx_http_lua_ffi_ssl_get_client_hello_ciphers(). Thanks Gabriel Clima for the patch.
  • feature: proxy_ssl_verify_by_lua directives. Thanks willmafh for the patch.
  • feature: support tcp binding ip:port or ip of ipv4 or ipv6 Thanks ElvaLiu for the patch.
  • bugfix: add HTTP/3 QUIC SSL Lua yield patch macro protection. Thanks swananan for the patch.
  • bugfix: didn't flush send buffer after lua phase(access/rewrite/server_rewrite) done. Thanks lijunlong for the patch.
  • bugfix: didn't use right hostname when the length of hostname is greater than 32. Thanks lijunlong for the patch.
  • bugfix: ensure context is restorable on fd writable events. Thanks Zeping Bai for the patch.
  • bugfix: improve HTTP/3 SSL Lua callback yield handling. Thanks swananan for the patch.
  • bugfix: resume QUIC handshake for OpenSSL external QUIC API builds Thanks swananan for the patch.
  • bugfix: the modifications in this PR are to supplement the overlooked changes in the commit e8f65dc53. Thanks lijunlong for the patch.
  • optimize: unnecessary to do error check. Thanks willmafh for the patch.
  • change: ngx_http_lua_ffi_get_req_ssl_pointer() add err argument. Thanks lijunlong for the patch.
  • style: code style consistency. Thanks willmafh for the patch.

• stream-lua-nginx-module v0.0.17

  • feature: add lua_ssl_key_log directive to log client connection SSL keys in the tcpsock:sslhandshake method. Keys are logged in the SSLKEYLOGFILE format compatible with Wireshark. Thanks willmafh for the patch.
  • feature: add ngx_stream_lua_ffi_get_req_ssl_pointer() for stream subsystem. Thanks lijunlong for the patch.
  • feature: add ngx_stream_lua_ffi_req_dst_addr(). Thanks lijunlong for the patch.
  • feature: add support for tcp/udp bind. Thanks alonbg for the patch.
  • feature: ngx_stream_lua_ffi_req_shared_ssl_ciphers(). Thanks Ri Shen Chen for the patch.
  • feature: proxy_ssl_verify_by_lua directives. Thanks willmafh for the patch.
  • bugfix: failed to build with openssl 1.x.x and boringssl. Thanks lijunlong for the patch.
  • bugfix: failed to build with openssl < 3.0.2. Thanks lijunlong for the patch.
  • bugfix: fixed typo. Thanks willmafh for the patch.
  • bugfix: fixed warning. Thanks lijunlong for the patch.
  • bugfix: resolve unused function warning in BoringSSL builds. Thanks swananan for the patch.
  • optimize: add error checking for SSL_set_tlsext_status_type(). Thanks Fahnenfluchtige for the patch.
  • optimize: checked r before using it. Thanks Fahnenfluchtige for the patch.
  • optimize: fixed build warning. Thanks lijunlong for the patch.
  • style: fixed coding style. Thanks lijunlong for the patch.
  • style: fixed coding style. Thanks willmafh for the patch.

• lua-resty-core v0.1.32

  • feature: add bind support for the stream subsystem. Thanks lijunlong for the patch.
  • feature: add bypass_if_checks method to ngx.resp (#495) Thanks kurt for the patch.
  • feature: add get_req_ssl_pointer() for stream subsystem. Thanks lijunlong for the patch.
  • feature: add ngx.req.get_original_addr. Thanks lijunlong for the patch.
  • feature: add sock:getfd(). Thanks lijunlong for the patch.
  • feature: add ssl.get_shared_ssl_ciphers for stream subsystem. Thanks Sunny Chan for the patch.
  • feature: add support for nginx-1.29.2. Thanks lijunlong for the patch.
  • feature: add support for ssl.get_req_shared_ssl_ciphers() Thanks Sunny Chan for the patch.
  • feature: get_client_hello_ciphers() (#498) Thanks Gabriel Clima for the patch.
  • feature: proxy_ssl_verify_by_lua directives. Thanks willmafh for the patch.
  • feature: add get_client_hello_ext_present Thanks Gabriel Clima for the patch.
  • optimize: remove unused code. Thanks lijunlong for the patch.
  • optimize: remove unused param. Thanks Bai Miao for the patch.
  • bugfix: failed to get error message because the input buffer length is not set. Thanks lijunlong for the patch.
  • bugfix: fix issue #499 to avoid unexpect assertion when c func return FFI_OK immediately. Thanks akf00000 for the patch.
  • doc: add doc for get_client_hello_ext_present(). Thanks lijunlong for the patch.
  • doc: fixed typo. Thanks lijunlong for the patch.
  • style: fixed coding style. Thanks lijunlong for the patch.

• luajit2 v2.1-20251022

  • Add compatibility string coercion for fp:seek() argument. Thanks Mike Pall for the patch.
  • Add GNU/Hurd build support. Thanks Mike Pall for the patch.
  • ARM64: Fix pass-by-value struct calling conventions. Thanks Mike Pall for the patch.
  • ARM: Fix soft-float math.min()/math.max(). Thanks Mike Pall for the patch.
  • Avoid out-of-range PC for stack overflow error from snapshot restore. Thanks Mike Pall for the patch.
  • Avoid unpatching bytecode twice after a trace flush. Thanks Mike Pall for the patch.
  • bugfix: table.clone can't work after commit 538a82133ad. Thanks lijunlong for the patch.
  • Change handling of nil value markers in template tables. Thanks Mike Pall for the patch.
  • FFI: Add pre-declared int128_t, uint128_t, __int128 types. Thanks Mike Pall for the patch.
  • FFI: Fix dangling CType references. Thanks Mike Pall for the patch.
  • Fix error generation in load*. Thanks Mike Pall for the patch.
  • Fix handling of nil value markers in template tables. Thanks Mike Pall for the patch.
  • Fix io.write() of newly created buffer. Thanks Mike Pall for the patch.
  • Fix JIT slot overflow during up-recursion. Thanks Mike Pall for the patch.
  • Fix reporting of an error during error handling. Thanks Mike Pall for the patch.
  • Fix state restore when recording __concat metamethod. Thanks Mike Pall for the patch.
  • Gracefully handle broken custom allocator. Thanks Mike Pall for the patch.
  • Improve CLI signal handling on POSIX. Thanks Mike Pall for the patch.
  • Initialize unused value when specializing to cdata metatable. Thanks Mike Pall for the patch.
  • macOS: Add support for Apple hardened runtime. Thanks Mike Pall for the patch.
  • macOS: Fix Apple hardened runtime support and put behind build option. Thanks Mike Pall for the patch.
  • macOS: Fix support for Apple hardened runtime. Thanks Mike Pall for the patch.
  • Merge from upstream v2.1. Thanks lijunlong for the patch.
  • Prevent Clang UB 'optimization' which breaks integerness checks. Thanks Mike Pall for the patch.
  • Remove Cygwin from docs, since it's not a supported target. Thanks Mike Pall for the patch.
  • REVERT: Change handling of nil value markers in template tables. Thanks Mike Pall for the patch.
  • Use dylib extension for iOS installs, too. Thanks Mike Pall for the patch.
  • Windows: Add lua52compat option to msvcbuild.bat. Thanks Mike Pall for the patch.
  • Windows: Allow mixed builds with msvcbuild.bat. Thanks Mike Pall for the patch.
  • Windows: Clarify installation directory layout. Thanks Mike Pall for the patch.
  • x64: Add support for CET IBT. Thanks Mike Pall for the patch.
  • x86/x64: Don't use undefined MUL/IMUL zero flag. Thanks Mike Pall for the patch.

• lua-resty-redis

  • bugfix: connection is closed after the blpop and brpop calls time out. Thanks 冉朋 for the patch.
  • docs: fix typo in README.markdown. Thanks hms5232 for the patch.
  • optimize: return setmetatable is NYI which can not be jit compiled. (#287) Thanks Zero King for the patch.

• xss-nginx-module

  • feature: add dynamic build support. Thanks Su Yang for the patch.

• lua-upstream-nginx-module

  • doc: small typo fixes in the docs for get_servers. Thanks chronolaw for the patch.

• lua-resty-lock

  • doc: correct package status in README.markdown. Thanks jumper047 for the patch.

• ngx_devel_kit

  • src/ndk.h: Do not #error if 'NDK' is undefined Thanks Simpl for the patch.
  • src/ndk.h: do not #error if 'NDK' is undefined Thanks Zurab Kvachadze for the patch.
  • src/ndk.h: Update version Thanks Simpl for the patch.

• headers-more-nginx-module

  • bugfix: didn't set next to NULL for the output header. Thanks lijunlong for the patch.
  • Move the LICENSE content to a separate file. Thanks uhliarik for the patch.

• rds-csv-nginx-module

  • bugfix: change bit filed member type to unsigned to suppress the warning. Thanks lijunlong for the patch.

• lua-resty-shell

  • doc: add a description of the default value of the max_size parameter. Thanks lijunlong for the patch.
  • README.md: add info about default timeout (#21) Thanks Jeffrey 'jf' Lim for the patch.

• lua-resty-mysql

  • bugfix: mysql driver doesn't handle well server side query timeout (Query execution was interrupted). Thanks Nir Nahum for the patch.

• resty-cli

  • feature: add new option --load-module. Thanks lijunlong for the patch.
  • feature: resty: implemented the --dump-nginx-conf option to print out the generated configuration. Thanks 罗泽轩 for the patch.

• opm

  • opm: revamp options. Thanks Dmitry Meyer for the patch.
  • doc: fixed wrong example of user command line arguments. Thanks Johnny Wang for the patch.