See the release notes or download Trino

This is a security release.

• (CVE-2026-21717) fix array index hash collision (Joyee Cheung) https://github.com/nodejs-private/node-private/pull/834
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) https://github.com/nodejs-private/node-private/pull/822
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) https://github.com/nodejs-private/node-private/pull/821
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) https://github.com/nodejs-private/node-private/pull/795
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) https://github.com/nodejs-private/node-private/pull/794
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) https://github.com/nodejs-private/node-private/pull/832
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) https://github.com/nodejs-private/node-private/pull/819

• [cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831
• [f333d0be5f] - deps: V8: override depot_tools version (Richard Lau) #62344
• [2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #62285
• [af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840
• [00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838
• [a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839

This is a security release.

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21711) include permission check to pipe_wrap.cc (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

• [2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
• [bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
• [be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #62216
• [2feea5bb97] - deps: V8: override depot_tools version (Richard Lau) #62344
• [86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#820
• [04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

This is a security release.

• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low

• [6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828
• [cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
• [f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
• [08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035
• [61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994
• [9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892
• [3dab3c4698] - deps: V8: override depot_tools version (Richard Lau) #62344
• [87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#828
• [045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#828
• [af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#828
• [380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

This is a security release.

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

• [6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809
• [52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822
• [30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd95e5b (Joyee Cheung) nodejs-private/node-private#809
• [e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#809
• [7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#809
• [076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#809
• [963c60a951] - deps: V8: override depot_tools version (Richard Lau) #62344
• [a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330
• [859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285
• [d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215
• [a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [73deff77c1] - lib: backport _tls_common and _tls_wrap refactors (Dario Piotrowicz) #57643
• [06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

nginx-1.28.3 stable version has been released. This release includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES-1.28 on nginx.org.

Below is a release summary generated by GitHub.

• Release 1.28.3 by @arut in https://github.com/nginx/nginx/pull/1216

Full Changelog: https://github.com/nginx/nginx/compare/release-1.28.2...release-1.28.3

nginx-1.29.7 mainline version has been released, introducing two significant updates: support for Multipath TCP and upgrading the default HTTP version to HTTP/1.1 with keep-alive enabled. This release also includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

• Version bump 1.29.7. by @arut in https://github.com/nginx/nginx/pull/1181
• Proxy authentication definitions. by @arut in https://github.com/nginx/nginx/pull/1178
• Proxy: reset pending control frames on HTTP/2 upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1135
• gRPC: reset buffer chains on upstream reinit. by @devnexen in https://github.com/nginx/nginx/pull/1136
• Multipath TCP support by @pluknet in https://github.com/nginx/nginx/pull/931
• Logs: added COMPAT padding to ngx_log_t. by @dplotnikov-f5 in https://github.com/nginx/nginx/pull/1196
• Upstream keepalive: enabled keepalive module by default. by @roman-f5 in https://github.com/nginx/nginx/pull/1080
• Upstream keepalive: fixed parameter parsing. by @arut in https://github.com/nginx/nginx/pull/1207
• Mp4: avoid zero size buffers in output. by @arut in https://github.com/nginx/nginx/pull/1149
• Mp4: fixed possible integer overflow on 32-bit platforms. by @arut in https://github.com/nginx/nginx/pull/1209
• Dav: destination length validation for COPY and MOVE. by @arut in https://github.com/nginx/nginx/pull/1210
• Mail: host validation. by @arut in https://github.com/nginx/nginx/pull/1211
• Mail: fixed clearing s->passwd in auth http requests. by @arut in https://github.com/nginx/nginx/pull/1212
• Stream: fixed client certificate validation with OCSP. by @arut in https://github.com/nginx/nginx/pull/1213
• nginx-1.29.7-RELEASE by @arut in https://github.com/nginx/nginx/pull/1215

• @devnexen made their first contribution in https://github.com/nginx/nginx/pull/1135

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.6...release-1.29.7

OpenSSL 4.0.0-beta1 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:

• Removed extra leading '00:' when printing key data such as an RSA modulus in hexadecimal format where the first (most significant) byte is >= 0x80.

• Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else.

• Lower bounds checks are now enforced when using PKCS5_PBKDF2_HMAC API with FIPS provider.

• Added AKID verification checks when X509_V_FLAG_X509_STRICT is set.

• Augmented CRL verification process with several additional checks.

• libcrypto no longer cleans up globally allocated data via atexit().

• OPENSSL_cleanup() now runs in a global destructor, or not at all by default.

• ASN1_STRING has been made opaque.

• Signatures of numerous API functions, including those that are related to X509 processing, are changed to include const qualifiers for argument and return types, where suitable.

• Deprecated X509_cmp_time(), X509_cmp_current_time(), and X509_cmp_timeframe() in favor of X509_check_certificate_times().

• Removed support for the SSLv2 Client Hello.

• Removed support for SSLv3. SSLv3 has been deprecated since 2015, and OpenSSL had it disabled by default since version 1.1.0 (2016).

• Removed support for engines. The no-engine build option and the OPENSSL_NO_ENGINE macro are always present.

• Support of deprecated elliptic curves in TLS according to RFC 8422 was disabled at compile-time by default. To enable it, use the enable-tls-deprecated-ec configuration option.

• Support of explicit EC curves was disabled at compile-time by default. To enable it, use the enable-ec_explicit_curves configuration option.

• Removed c_rehash script tool. Use openssl rehash instead.

• Removed the deprecated msie-hack option from the openssl ca command.

• Removed BIO_f_reliable() implementation without replacement. It was broken since 3.0 release without any complaints.

• Removed deprecated functions ERR_get_state(), ERR_remove_state() and ERR_remove_thread_state(). The ERR_STATE object is now always opaque.

• Dropped darwin-i386{,-cc} and darwin-ppc{,64}{,-cc} targets from Configurations.

This release adds the following new features:

• Support for Encrypted Client Hello (ECH, RFC 9849). See doc/designs/ech-api.md for details.

• Support for RFC 8998, signature algorithm sm2sig_sm3, key exchange group curveSM2, and [tls-hybrid-sm2-mlkem] post-quantum group curveSM2MLKEM768.

• cSHAKE function support as per SP 800-185.

• "ML-DSA-MU" digest algorithm support.

• Support for SNMP KDF and SRTP KDF.

• FIPS self tests can now be deferred and run as needed when installing the FIPS module with the -defer_tests option of the openssl fipsinstall command.

• Support for using either static or dynamic VC runtime linkage on Windows.

• Support for negotiated FFDHE key exchange in TLS 1.2 in accordance with RFC 7919.

• #14824 Potential UAF: don't use reply copy avoidance for module strings

• #14848 Crash during command processing on replicas performing full synchronization
• #14794 New XIDMPRECORD internal command and AOFRW emission to restore stream IDMP state
• #14816 setModuleEnumConfig() passing prefixed name to module callbacks
• #14858 Streams: Ensures XADD with IDMP/IDMPAUTO that hits an existing IID records the metadata change
• #14855,#14831, #14817 Potential Memory leaks
• #14869 Streams: IDMP cron expiration not working after RDB load
• #14847 Potential crash during ACL checks on wrong-arity commands
• #14883 HSETEX, HGETEX do not validate that FIELDS is specified only once
• #14897 Streams: IDMP-related bugs