Bump macbre/nginx-http3 from 1.31.1 to 1.31.2 #12

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/docker_compose/macbre/nginx-http3-1.31.2

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps macbre/nginx-http3 from 1.31.1 to 1.31.2.

Release notes

Sourced from macbre/nginx-http3's releases.

nginx 1.31.2

Changes with nginx 1.31.2                                        17 Jun 2026
*) Security: use-after-free might occur when using HTTP/3 and processing
   a specially crafted QUIC session, allowing an attacker to cause
   worker process memory corruption or segmentation fault in a worker
   process (CVE-2026-42530).
   Thanks to Trung Nguyen of CyStack.

*) Security: a heap memory buffer overflow might occur in a worker
   process when using a configuration with "ignore_invalid_headers off;"
   and "large_client_header_buffers" with large configured values when
   proxying a specially crafted request to HTTP/2 or gRPC backend,
   allowing an attacker to cause worker process memory corruption or
   segmentation fault in a worker process (CVE-2026-42055).
   Thanks to Mufeed VH of Winfunc Research.

*) Security: a heap memory buffer overread might occur in a worker
   process while handling a specially sent response with decoding from
   UTF-8 via the "charset_map" directive, allowing an attacker to cause
   a limited disclosure of worker process memory or segmentation fault
   in a worker process (CVE-2026-48142).
   Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.

*) Change: now the $request_id variable uses SipHash-2-4.

*) Feature: the $ssl_sigalgs variable.

*) Bugfix: a variable defined by the "split_clients" directive might be
   empty if all percentages were specified explicitly and summed up to
   100%.

*) Bugfix: constant time "secure_link" hash comparison.
   Thanks to kodareef5.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [macbre/nginx-http3](https://github.com/macbre/docker-nginx-http3) from 1.31.1 to 1.31.2.
- [Release notes](https://github.com/macbre/docker-nginx-http3/releases)
- [Commits](macbre/docker-nginx-http3@v1.31.1...v1.31.2)

---
updated-dependencies:
- dependency-name: macbre/nginx-http3
  dependency-version: 1.31.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and docker_compose labels Jun 22, 2026
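
The CVE-2026-42055 entry in the release notes above names three configuration preconditions. This added example (not part of the PR, Dependabot or nginx) is a naive scanner that reports whether an nginx config contains them, so a reviewer can tell whether a deployment still on 1.31.1 matched the described setup. The sample config is constructed, the function names are hypothetical, and treating `proxy_http_version 2` as the way an HTTP/2 backend is selected is an assumption.

```python
import re

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}  # nginx size suffixes; bare number = bytes

# Constructed sample config, for illustration only.
SAMPLE = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 8 256k;
    server {
        listen 443 ssl;
        location /api { grpc_pass grpc://127.0.0.1:50051; }
    }
}
"""

def _size(tok):
    m = re.fullmatch(r"(\d+)([kKmM]?)", tok)
    if not m:
        raise ValueError(f"unrecognised size: {tok!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]

def _directives(conf):
    """Yield one token list per statement. Naive: no quoting, no include expansion."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for stmt in re.split(r"[;{}]", conf):
        toks = stmt.split()
        if toks:
            yield toks

def audit(conf):
    """Report which preconditions from the CVE-2026-42055 note appear in conf."""
    r = {"ignore_invalid_headers_off": False,
         "header_buffers": [],  # (count, bytes per buffer) as configured
         "h2_or_grpc_upstream": False}
    for name, *args in _directives(conf):
        if name == "ignore_invalid_headers" and args == ["off"]:
            r["ignore_invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            r["header_buffers"].append((int(args[0]), _size(args[1])))
        elif name == "grpc_pass":
            r["h2_or_grpc_upstream"] = True
        elif name == "proxy_http_version" and args == ["2"]:  # assumption, see lead-in
            r["h2_or_grpc_upstream"] = True
    # The note gives no threshold for "large", so any explicit buffer setting counts.
    r["review"] = bool(r["ignore_invalid_headers_off"] and r["header_buffers"]
                       and r["h2_or_grpc_upstream"])
    return r

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The scan treats the file as one flat scope, so a `review` result of `True` means the three directives coexist somewhere in the file, not that they apply to the same `server` or `location`.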