Revisions of nghttp2
Martin Pluskal (pluskalm)
accepted
request 1164552
from
Petr Gajdos (pgajdos)
(revision 123)
- version update to 1.61.0 * Fixes CVE-2024-28182 [bsc#1221399] * nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087 * Checkout with submodules by @jonaski in #2093 * Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092 * build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097 * Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098 * docker: Use copy --link by @tatsuhiro-t in #2099 * Nghttpx header idle timeout by @tatsuhiro-t in #2100 * nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101 * Rewrite hexdump by @tatsuhiro-t in #2102 * Switch to distroless/base-nossl by @tatsuhiro-t in #2103 * Bump ngtcp2 by @tatsuhiro-t in #2105 * nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106 * build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107 * autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108 * Automate release process by @tatsuhiro-t in #2109 * autotools: Switch to tar-pax by @tatsuhiro-t in #2110 * nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111 * nghttpx: Fix port byte order by @tatsuhiro-t in #2112 * h2load: Allow host header to be overridden by @tatsuhiro-t in #2113 * nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114 * nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115 * Add actions/stale by @tatsuhiro-t in #2116 * nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117 * nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119 * No rfc7540 priority fix by @tatsuhiro-t in #2120 * Further reduce Stateless reset emission by @tatsuhiro-t in #2122 * nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124 * Nghttpx faster worker lookup by @tatsuhiro-t in #2125
Adam Majer (adamm)
accepted
request 1164345
from
Adam Majer (adamm)
(revision 122)
- gcc7.patch: Fix compilation for SLE-15 (jsc#PED-8206)
Martin Pluskal (pluskalm)
accepted
request 1158922
from
Petr Gajdos (pgajdos)
(revision 120)
- version update to 1.60.0 * makerelease.sh: Speed up git submodule * Speed up git clone * build(deps): bump actions/cache from 3 to 4 * Fixing the build and install trees * build(deps): bump microsoft/setup-msbuild from 1 to 2 * nghttpx: Set ocsp response to SSL in case of boringssl * Run with python3 * src: Certificate Compression with boringssl * Fix missing newline * Switch to aws lc * Libbrotli fixup * Deprecate RFC 7540 priorities (aka stream dependencies) * Let dependabot manage go modules * build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0 * integration-tests: Omit unused parameters * Munit * Introduce nghttp2_ssize API * Move deprecated warning upfront * Describe RFC 7540 priorities deprecation plan * Apps migrate nghttp2 ssize * src: Remove unused functions * Reconsider ssize t usage in src * Use GitHub private vulnerability reporting * Move security policy to GitHub standard location * Bump mruby to 3.3.0 * Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663 * h2load: Add --sni option * Bump ngtcp2 dependencies * mruby: Adopt deprecation of mrbc_ prefix
Martin Pluskal (pluskalm)
accepted
request 1142108
from
Dirk Mueller (dirkmueller)
(revision 119)
- update to 1.59.0:
* Update bash_completion
* h2load: Fix bug that ttfb is not recorded if h3 stream
has no data
* h2load: Consider all h2 HEADERS when counting bytes and
recording ttfb
* h2load: Ignore 1xx status code
* nghttpd: Free SSL_CTX on exit
* nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data
* nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data
* cmake: Require OpenSSL >= 1.1.1
* Add nghttp2_select_alpn and deprecate
nghttp2_select_next_protocol
* nghttpx: Add --alpn-list and deprecate --npn-list
* h2load: Add --alpn-list and deprecate --npn-list
* Remove NPN
* src: Support building with aws-lc
* Avoid detecting OpenSSL 3.2 as quictls
* Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0
* h2load: Fix IPv6 address in :authority
* h2load: Fix IPv6 address in :authority
* nghttpx: Propagate stream priority from backend to
frontend
* nghttpx: Propagate stream priority from backend to
frontend
* Merge pull request #1991 from nghttp2/get-and-parse-
extpri
* Add API to get and parse RFC 9218 priority
* nghttpx: Prefer __FILE_NAME__ if defined
Martin Pluskal (pluskalm)
accepted
request 1128819
from
Dirk Mueller (dirkmueller)
(revision 118)
- update to 1.58.0: * Update manual pages * Bump neverbleed * Bump ngtcp2 * Prefer clock_gettime if __CYGWIN__ defined * Do not require strict c++ mode * nghttpx: Stricter transfer-encoding checks * Refactor character comparison * Integration servertester h3 * integration: Enable http3 test with cmake
Dirk Mueller (dirkmueller)
committed
(revision 117)
- fix unversioned provides to be in sync with nghttp3
Dirk Mueller (dirkmueller)
committed
(revision 116)
- add keyring for gpg validation
- spec file cleanups
For example, if GOAWAY frame has been received, a
* https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
checking leading and trailing white spaces against HTTP field value.
* https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
* third-party: Bump neverbleed based on the latest head (GH-1708)
* see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
* see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/
* nghttpx: Fix logging integer
- Conditionally remove dependecy on jemalloc for SLE-12
if table size is changed from default
* Add nghttp2_option_set_max_send_header_block_length API
* Fix warning: declaration of 'free' shadows a global declaration
* nghttpx: Add healthmon parameter to -f option to enable health
* nghttpx: Add --api-max-request-body option to set maximum API
* nghttpx: Add api parameter to --frontend option to mark API
* h2load: Add content-length header field for HTTP/2 and SPDY as
* Run error callback when peer does not send initial SETTINGS
* nghttpx: Fix bug that server push from mruby script did not
* nghttpx: Try next HTTP/1 backend address when connection
* nghttpx: Retry next HTTP/2 backend address when connection
* nghttpx: Enable link header field based push for non-final
* nghttpx: Fix bug that logger wrote string which was not
* nghttpx: Fix bug that backend tls keyword did not work with -s
* lib: Add nghttp2_error_callback to tell application human
* lib: Add nghttp2_http2_strerror() to return HTTP/2 error code
* integration: Disable tests that sometimes break randomly on
* h2load: Fix bug that initial max concurrent streams was too
* nghttpx: Workaround for Ubuntu 15.04 which does not
Martin Pluskal (pluskalm)
accepted
request 1117984
from
Petr Gajdos (pgajdos)
(revision 115)
- version update to 1.57.0 [bsc#1216174] 1.57.0 * Fixes CVE-2023-44487 * Bump ngtcp2 by @tatsuhiro-t in #1944 * Add dependabot to update actions by @tatsuhiro-t in #1946 * Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950 * Bump actions/setup-go from 3 to 4 by @dependabot in #1948 * Bump actions/checkout from 3 to 4 by @dependabot in #1949 * Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947 * docker: Bump base image to debian 12 by @tatsuhiro-t in #1951 * nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953 * Bump quictls by @tatsuhiro-t in #1945 * Apps fix by @tatsuhiro-t in #1957 * nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958 * Fix clang-format by @tatsuhiro-t in #1959 * Rework session management by @tatsuhiro-t in #1961 1.56.0 * doc: Bump boringssl by @tatsuhiro-t in #1928 * Fix memory leak by @tatsuhiro-t in #1930 * Return void by @tatsuhiro-t in #1931 * nghttpx: Rework sending and receiving ECN bits by @tatsuhiro-t in #1934 * CMSG_DATA does not necessarily return an aligned pointer by @tatsuhiro-t in #1935 * Bump quictls by @tatsuhiro-t in #1937 * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #1939 * nghttpx: Simplify std::unique_ptr get and release by @tatsuhiro-t in #1940 * Bump llhttp to 926c982942eb53a13f01c1e9e6b19bd3b196e7dd by @tatsuhiro-t in #1941 * Bump libbpf to v1.2.2 by @tatsuhiro-t in #1942 * Update Dockerfile by @tatsuhiro-t in #1943
Martin Pluskal (pluskalm)
committed
(revision 114)
Martin Pluskal (pluskalm)
accepted
request 1098813
from
Dirk Mueller (dirkmueller)
(revision 113)
- update to 1.55.1:
* Fix memory leak
This commit fixes memory leak that happens when
PUSH_PROMISE or HEADERS frame cannot be sent, and
nghttp2_on_stream_close_callback fails with a fatal error.
For example, if GOAWAY frame has been received, a
HEADERS frame that opens new stream cannot be sent.
This issue has already been made public via CVE-2023-35945
by envoyproxy/envoy project. During embargo period, the
patch to fix this bug was accidentally submitted to
nghttp2/nghttp2 repository [2]. And they decided to
disclose CVE early. I was notified just 1.5 hours
before disclosure. I had no time to respond.
PoC described in [1] is quite simple, but I think it is
not enough to trigger this bug. While it is true that
receiving GOAWAY prevents a client from opening new stream,
and nghttp2 enters error handling branch, in order to cause
the memory leak, nghttp2_session_close_stream function
must return a fatal error.
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of
memory. It is unlikely that a process gets short of
memory with this simple PoC scenario unless application
does something memory heavy processing.
* NGHTTP2_ERR_CALLBACK_FAILURE is returned from application
defined callback function (nghttp2_on_stream_close_callback, in
this case), which indicates something fatal happened inside a
callback, and a connection must be closed immediately without
any further action. As nghttp2_on_stream_close_error_callback
documentation says, any error code other than 0 or
NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
Martin Pluskal (pluskalm)
accepted
request 1094235
from
Dirk Mueller (dirkmueller)
(revision 112)
- update to 1.54.0: * nghttpx: Consistent error handling and use of high-level API * h2load: Fix http3 upload stall * h2load: Use std::chrono::steady_clock for quic timestamp
Martin Pluskal (pluskalm)
committed
(revision 111)
Martin Pluskal (pluskalm)
committed
(revision 110)
- Update to version 1.53.0: * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
Martin Pluskal (pluskalm)
accepted
request 1079569
from
Dirk Mueller (dirkmueller)
(revision 109)
- update to 1.52.0:
* https://nghttp2.org/blog/2023/02/13/nghttp2-v1-52-0/
* sphinx_rtd_theme has been removed from the repository
and archive.
* The deprecated Python bindings has been removed.
* The deprecated libnghttp2_asio has been removed.
* llhttp and neverbleed have been updated.
* This release fixes the bug that stalls TLS connection.
* This release adds more http3 integration tests.
- drop nghttp2-remove-python-build.patch: obsolete as the code got removed
Martin Pluskal (pluskalm)
accepted
request 1036485
from
Dirk Mueller (dirkmueller)
(revision 108)
- update to 1.51.0: * https://nghttp2.org/blog/2022/11/13/nghttp2-v1-51-0/ This release fixes affinity-cookie-stickiness parameter handling.
Martin Pluskal (pluskalm)
accepted
request 1005765
from
Dirk Mueller (dirkmueller)
(revision 107)
- update to 1.50.0: * https://nghttp2.org/blog/2022/09/21/nghttp2-v1-50-0/ This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation which disables checking leading and trailing white spaces against HTTP field value. - disable asio by default as it is deprecated by upstream and will be removed in the next release
Martin Pluskal (pluskalm)
accepted
request 998718
from
Dirk Mueller (dirkmueller)
(revision 106)
- update to 1.49.0: * https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
Martin Pluskal (pluskalm)
accepted
request 988491
from
Dirk Mueller (dirkmueller)
(revision 105)
- update to 1.48.0: * lib: Allow server to override RFC 9218 stream priority * lib: Add a server option to fallback to RFC 7540 priorities * lib: Add PRIORITY_UPDATE frame support * lib: Implement RFC 9218 extensible prioritization scheme * lib: Do not verify host field specific characters for response field * lib: No rfc7540 priorities * lib: Fix stream stall when initial window size is decreased * doc: Document how to change stream prioritization scheme * build: Compile with libressl 3.5 * build: EXTRA_DIST: List mruby files explicitly * build: Bump ngtcp2 and nghttp3 * build: Do not check application libraries if --enable-lib-only is given * src: Update default TLS cipher suites * nghttpx, h2load: Better pack UDP packets in one GSO write * nghttpx, h2load: Quic error handling * nghttpx, h2load: Fix QUIC performance regression * nghttp, nghttpd, nghttpx: Add ktls support * h2load: Send more packets without GSO per event loop * h2load: Add ktls support * nghttpd: Fix TLS read stall * nghttpx: Disable RFC 7540 priorities * nghttpx: Client always uses simpler TLS handshake * nghttpx: Add affinity-cookie-stickiness backend parameter * nghttpx: Fix broken session affinity * nghttpx: Limit CONNECTION_CLOSE and Retry under server amplification limit * integration: Go update * integration: Add go.mod * third-party: Bump llhttp to 75b45129db961e1fb3c56044e1b8f7721bfaee5d * third-party: Bump libbpf to v0.8.0
Martin Pluskal (pluskalm)
accepted
request 963364
from
Dirk Mueller (dirkmueller)
(revision 104)
- update to 1.47.0: * see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
Displaying revisions 1 - 20 of 123
