From: Cygwin nghttp2 Maintainer
To: Cygwin Announcements
Date: Sun, 30 May 2021 00:35:11 -0600
Message-Id: <20210530003511.2516-1-Brian.Inglis@SystematicSW.ab.ca>
Subject: Updated: nghttp2, libnghttp2{_14, -devel}, {mingw64-{x86_64, i686}, python{37, 38}}-nghttp2 1.43

The following packages have been upgraded in the Cygwin distribution:

* nghttp2 1.43
* libnghttp2_14 1.43
* libnghttp2-devel 1.43
* mingw64-x86_64-nghttp2 1.43
* mingw64-i686-nghttp2 1.43
* python37-nghttp2 1.43
* python38-nghttp2 1.43

and the following packages have been obsoleted and upgraded to the new ones:

* python2-nghttp2 1.43
* python27-nghttp2 1.43
* python3-nghttp2 1.43
* python36-nghttp2 1.43

An implementation of HTTP/2 and its header compression algorithm, HPACK.
The framing layer of HTTP/2 is implemented as a reusable library.
Also included are an HTTP/2 client, server, proxy, load test and
benchmarking tool, and Python modules.

For more information see the project home page:

https://nghttp2.org/

or the repo README:

https://github.com/nghttp2/nghttp2#readme

Please see below or read /usr/share/doc/nghttp2/ChangeLog after
installation for complete details of changes:

https://nghttp2.org/blog/


nghttp2 v1.43.0
Feb 2nd, 2021 7:37 pm

Lib
* This release has no changes in libnghttp2.

Doc
* Documentation is now built with Sphinx 3.3.0 or later.

Python
* The python binding now requires Python 3.
* All Python scripts for nghttp2 development have been made Python 3 compatible.

nghttpx
* This release fixes a potential memory issue in which a memory pool is cleared while it is still in use.
* An ECDSA certificate is now chosen when a compatible signature algorithm is available.
* This release adds a workaround to include ':' in a backend pattern.


nghttp2 v1.42.0
Nov 23rd, 2020 11:40 pm

Lib
* The UBSAN errors are now fixed.
* nghttp2_map is now backed by a tree for storing collisions.

Doc
* Some clarifications are made for the nghttp2_session_send function.

Build
* The missing cmake/FindSystemd.cmake has been added to the tar distribution.

Third-party
* Bump llhttp to 2.2.0 and mruby to 2.1.2.

nghttpx
* This release fixes the bug that nghttpx cannot deal with the case when an h2 backend is retired before it is initialized.
* New access logging variables are added: $method, $path, $path_without_query, and $protocol_version.
* The bug that makes nghttpx stall when TLS follows after proxy protocol was fixed.
* The bug in logging negative integers is fixed.


nghttp2 v1.41.0
Jun 2nd, 2020 7:13 pm

This release includes a security advisory.

Security Advisory
* CVE-2020-11080: Denial of service: Overly large SETTINGS frames

For more information, read the security advisory:
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Lib
* This release implements the nghttp2_option_set_max_settings API, which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves the SETTINGS flood check earlier to make it more effective.
* The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is the default), after the window size is set to 0 by nghttp2_session_set_local_window_size, once the receiving window is exhausted, no more data can be received, even after the window size is increased by nghttp2_session_set_local_window_size. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. It is only triggered when new data arrives, but since the window is filled up, no more data can be received, and thus a deadlock happens.

Build
* With cmake build, the hard-coded static lib suffix is now optional.

nghttpx
* proxyprotocol v2 has been implemented.
* The bug in getting the certificate serial number with mruby script has been fixed.

h2load
* New option, --connect-to, is added.


nghttp2 v1.40.0
Nov 15th, 2019 11:22 pm

Lib
* New API function nghttp2_check_authority has been added.
* This release fixes the bug that nghttp2_on_stream_close_callback is closed with the wrong error code.
* HPACK Huffman encoding and decoding get faster.

Build
* With cmake build, filename collision is now avoided.
* New flag ENABLE_STATIC_CRT is added for Windows cmake build.
* Support for building nghttpx with systemd has been added to cmake.

Third-party

nghttpx
* This release fixes the bug that an mruby script is incorrectly shared between backends with different configurations.
* Now nghttpx reconnects to an h1 backend if it lost the connection before sending header fields.
* nghttpx returns 408 if the backend timed out before sending header fields.
* The bug that makes nghttpx stall when a backend connection is reused and the buffer is full has been fixed.


nghttp2 v1.39.2
Aug 19th, 2019 10:12 pm

This release addresses the following security issues.

Security Advisory
* CVE-2019-9511: Data Dribble
* CVE-2019-9513: Resource Loop Vulnerability

The details of the advisories are described here:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

libnghttp2 itself is not affected by the vulnerabilities reported above. nghttpx and nghttpd are subject to Denial of Service by consuming CPU time with CVE-2019-9511 and CVE-2019-9513.

Affected Versions
* Affected versions: nghttp2 version < 1.39.2
* Not affected versions: nghttp2 >= 1.39.2

The Solution
Upgrade to nghttp2 v1.39.2. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.


nghttp2 v1.39.1
Jun 11th, 2019 11:25 pm

This release fixes critical bugs in v1.39.0.

nghttpx
* This release fixes the bug that log-level is not set with cmd-line or configuration file.
* It also fixes FPE with default backend.


nghttp2 v1.39.0
Jun 11th, 2019 10:14 pm

Lib
* libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.

Third-party
* mruby has been upgraded to 2.0.1.

Asio
* libnghttp2-asio now supports boost-1.70.

Src
* http-parser has been replaced with llhttp.

nghttpx
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.
* This release fixes the bug that the log level does not change to the default value on configuration reload if the log-level option is missing in the new configuration.


nghttp2 v1.38.0
Apr 18th, 2019 3:13 pm

Lib
* This release fixes the bug that the on_header callback is still called after the stream is closed.

Third-party
* http-parser is upgraded to v2.9.1.

nghttpx
* This release fixes the bug that authority and path altered by a per-pattern mruby script can affect backend selection on retry.
* It also fixes the bug that an HTTP/1.1 chunked request stalls.
* Now nghttpx does not log the authorization request header field value with -LINFO.
* Now nghttpx can be built with modern LibreSSL.
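
The v1.41.0 notes above describe capping the number of SETTINGS entries per frame as the mitigation for CVE-2020-11080. The following is an added example, not code from nghttp2 or from this announcement: a stand-alone parser that derives the entry count from the 9-byte frame header and applies a cap before reading any entry. The function names, result codes, and the cap of 32 are assumptions made for the example, and the frames it parses are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* HTTP/2 wire constants, plus result codes and a cap assumed for this example. */
enum { HDRLEN = 9, ENTRYLEN = 6, TYPE_SETTINGS = 0x4, FLAG_ACK = 0x1, MAX_ENTRIES = 32 };
enum { ST_NOT_SETTINGS = -1, ST_MALFORMED = -2, ST_TOO_MANY = -3 };
struct setting { uint16_t id; uint32_t value; };

/* Validate one SETTINGS frame and copy its entries into out[]. The entry count
   comes from the header and is compared with the cap before any entry is read,
   so an oversized frame is rejected in constant time. Returns the count or ST_*. */
int parse_settings(const uint8_t *buf, size_t len, struct setting *out, size_t cap) {
  if (len < HDRLEN) return ST_MALFORMED;
  size_t plen = ((size_t)buf[0] << 16) | ((size_t)buf[1] << 8) | buf[2];
  uint32_t sid = ((buf[5] & 0x7fu) << 24) | (buf[6] << 16) | (buf[7] << 8) | buf[8];
  if (buf[3] != TYPE_SETTINGS) return ST_NOT_SETTINGS;
  if (sid != 0 || plen % ENTRYLEN != 0) return ST_MALFORMED;
  if ((buf[4] & FLAG_ACK) && plen != 0) return ST_MALFORMED;
  if (plen / ENTRYLEN > cap) return ST_TOO_MANY;  /* the cap, checked early */
  if (len - HDRLEN < plen) return ST_MALFORMED;   /* truncated payload */
  for (size_t i = 0; i < plen / ENTRYLEN; i++) {
    const uint8_t *p = buf + HDRLEN + i * ENTRYLEN;
    out[i].id = (uint16_t)((p[0] << 8) | p[1]);
    out[i].value = ((uint32_t)p[2] << 24) | (p[3] << 16) | (p[4] << 8) | p[5];
  }
  return (int)(plen / ENTRYLEN);
}

/* Constructed input: a SETTINGS frame on stream 0 with n entries (id 0x3, value i). */
size_t make_settings(uint8_t *buf, size_t n, uint8_t flags) {
  size_t plen = n * ENTRYLEN;
  buf[0] = (uint8_t)(plen >> 16); buf[1] = (uint8_t)(plen >> 8); buf[2] = (uint8_t)plen;
  buf[3] = TYPE_SETTINGS; buf[4] = flags; buf[5] = buf[6] = buf[7] = buf[8] = 0;
  for (size_t i = 0; i < n; i++) {
    uint8_t *p = buf + HDRLEN + i * ENTRYLEN;
    p[0] = 0; p[1] = 0x3; p[2] = 0; p[3] = 0; p[4] = (uint8_t)(i >> 8); p[5] = (uint8_t)i;
  }
  return HDRLEN + plen;
}

/* Build a frame with n entries (n <= 1000) and return the parser's verdict. */
int verdict_for(size_t n, uint8_t flags) {
  static uint8_t buf[HDRLEN + 1000 * ENTRYLEN];
  struct setting out[MAX_ENTRIES];
  return parse_settings(buf, make_settings(buf, n, flags), out, MAX_ENTRIES);
}

int main(void) {
  return printf("%d %d\n", verdict_for(2, 0), verdict_for(1000, 0)) < 0;
}
```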