www/nginx: Update to 1.28.2

Changes with nginx 1.28.2                                        04 Feb 2026

    *) Security: an attacker might inject plain text data in the response
       from an SSL backend (CVE-2026-1642).

    *) Bugfix: use-after-free might occur after switching to the next gRPC
       or HTTP/2 backend.

    *) Bugfix: fixed warning when compiling with MSVC 2022 x86.

Changes with nginx 1.28.1                                        23 Dec 2025

    *) Security: processing of a specially crafted login/password when using
       the "none" authentication method in the ngx_mail_smtp_module might
       cause worker process memory disclosure to the authentication server
       (CVE-2025-53859).

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "try_files" directive and "proxy_pass" with a URI were used.

    *) Bugfix: in handling "Host" and ":authority" header lines with equal
       values when using HTTP/2; the bug had appeared in 1.17.9.

    *) Bugfix: in handling "Host" header lines with a port when using HTTP/3.

    *) Bugfix: an XCLIENT command didn't use the xtext encoding.
       Thanks to Igor Morgenstern of Aisle Research.

    *) Bugfix: in SSL certificate caching during reconfiguration.

    *) Bugfix: in delta-seconds processing in the "Cache-Control" backend
       response header line.

    *) Change: the native nginx/Windows binary release is now built using
       Windows SDK 10.

    *) Bugfix: nginx could not be built on NetBSD 10.0.

    *) Bugfix: in HTTP/3.

PR: 292954
Sponsored by: Netzkommune GmbH