From a93581ee44ee4236a5b3c52f7a22682af7652447 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Thu, 14 Aug 2025 10:48:12 +0200
Subject: [PATCH] nginxMainline: 1.27.5 -> 1.29.1

Fixes CVE-2025-53859

Changes:
```
Changes with nginx 1.29.1                                        13 Aug 2025

    *) Security: processing of a specially crafted login/password when using
       the "none" authentication method in the ngx_mail_smtp_module might
       cause worker process memory disclosure to the authentication server
       (CVE-2025-53859).

    *) Change: now TLSv1.3 certificate compression is disabled by default.

    *) Feature: the "ssl_certificate_compression" directive.

    *) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.

    *) Bugfix: the 103 response might be buffered when using HTTP/2 and the
       "early_hints" directive.

    *) Bugfix: in handling "Host" and ":authority" header lines with equal
       values when using HTTP/2; the bug had appeared in 1.17.9.

    *) Bugfix: in handling "Host" header lines with a port when using
       HTTP/3.

    *) Bugfix: nginx could not be built on NetBSD 10.0.

    *) Bugfix: in the "none" parameter of the "smtp_auth" directive.

Changes with nginx 1.29.0                                        24 Jun 2025

    *) Feature: support for response code 103 from proxy and gRPC backends;
       the "early_hints" directive.

    *) Feature: loading of secret keys from hardware tokens with OpenSSL
       provider.

    *) Feature: support for the "so_keepalive" parameter of the "listen"
       directive on macOS.

    *) Change: the logging level of SSL errors in a QUIC handshake has been
       changed from "error" to "crit" for critical errors, and to "info" for
       the rest; the logging level of unsupported QUIC transport parameters
       has been lowered from "info" to "debug".

    *) Change: the native nginx/Windows binary release is now built using
       Windows SDK 10.

    *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
       ngx_http_v3_module modules were used.

    *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
       optimization if ngx_http_v3_module was used.

    *) Bugfixes and improvements in HTTP/3.
``` --- pkgs/servers/http/nginx/mainline.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/nginx/mainline.nix b/pkgs/servers/http/nginx/mainline.nix index e4ece30ec374..dece0210839e 100644 --- a/pkgs/servers/http/nginx/mainline.nix +++ b/pkgs/servers/http/nginx/mainline.nix @@ -1,6 +1,6 @@ { callPackage, ... }@args: callPackage ./generic.nix args { - version = "1.27.5"; - hash = "sha256-6WrOu5wqbbigAMPdGzLsuhuBDwzVhiMtTZIeN2Z03Q4="; + version = "1.29.1"; + hash = "sha256-xYn35+2AHdvZBK+/PeJq4k6wzOJ8dxei6U33+xLWrSc="; }
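
Review bot: the new value on the `+ hash =` line in `pkgs/servers/http/nginx/mainline.nix` is the only thing pinning the 1.29.1 source, and nothing in the patch says how it was obtained. For a security bump, please state in the PR that it was computed from the upstream tarball after checking the release's PGP signature, so a second reviewer can reproduce it. Separately, the `version` change from `"1.27.5"` to `"1.29.1"` crosses 1.29.0 and picks up a default change quoted in the commit message (TLSv1.3 certificate compression is now disabled by default). Since this file only passes `version` and `hash` on to `./generic.nix`, a release-note entry pointing users who relied on the old default at the new `ssl_certificate_compression` directive would be worth adding. Whether the affected mail SMTP module is part of the default build is decided in `generic.nix`, which is not in this diff, so the commit message could say which configurations are exposed to CVE-2025-53859.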