nginx-1.27.4 mainline version has been released, featuring optimized resource usage for complex SSL configurations, and with a fix for the SSL session reuse vulnerability (CVE-2025-23419). See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• Version bump. by @arut in #361
• QUIC: fixed client request timeout in 0-RTT scenarios. by @nandsky in #353
• Updated security policy to clarify experimental features by @jzebor-at-f5 in #404
• QUIC: ignore version negotiation packets. by @arut in #411
• QUIC: fixed accessing a released stream. by @arut in #413
• Year 2025. by @arut in #433
• Gzip: compatibility with recent zlib-ng 2.2.x versions. by @pluknet in #403
• On range failure, log expected range. by @aractnido in #346
• SSL cache part 2 by @pluknet in #287
• Upstream: fix NGX_COMPAT build without NGX_HTTP_SSL after 454ad0e. by @p-pautov in #463
• QUIC: added missing casts in iov_base assignments. by @bavshin-f5 in #479
• Configure: fixed --with-libatomic=DIR with recent libatomic_ops. by @pluknet in #460
• Misc: moved documentation in release tarballs. by @pluknet in #377
• Added "keepalive_min_timeout" directive. by @arut in #456
• SNI: added restriction for TLSv1.3 cross-SNI session resumption. by @pluknet in #493
• nginx-1.27.4-RELEASE by @pluknet in #494

New Contributors

• @aractnido made their first contribution in #346
• @p-pautov made their first contribution in #463

Full Changelog: release-1.27.3...release-1.27.4