Security: when using HTTP/2 a client might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
Security: processing of a specially crafted mp4 file with the ngx_http_mp4_module might result in worker process memory disclosure (CVE-2018-16845).
Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive", "grpc_socket_keepalive", "memcached_socket_keepalive", "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.
Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled.
Bugfix: working with gRPC backends might result in excessive memory consumption.
Change: the "ssl" directive is deprecated; the "ssl" parameter of the "listen" directive should be used instead.
Change: now nginx detects missing SSL certificates during configuration testing when using the "ssl" parameter of the "listen" directive.
Feature: now the stream module can handle multiple incoming UDP datagrams from a client within a single session.
Bugfix: it was possible to specify an incorrect response code in the "proxy_cache_valid" directive.
Bugfix: nginx could not be built by gcc 8.1.
Bugfix: logging to syslog stopped on local IP address changes.
Bugfix: nginx could not be built by clang with CUDA SDK installed; the bug had appeared in 1.13.8.
Bugfix: "getsockopt(TCP_FASTOPEN) ... failed" messages might appear in logs during binary upgrade when using unix domain listen sockets on FreeBSD.
Bugfix: nginx could not be built on Fedora 28 Linux.
Bugfix: request processing rate might exceed configured rate when using the "limit_req" directive.
Bugfix: in handling of client addresses when using unix domain listen sockets to work with datagrams on Linux.
Bugfix: in memory allocation error handling.
Bugfix: connections with gRPC backends might be closed unexpectedly when returning a large response.