From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) by sourceware.org (Postfix) with ESMTPS id E2BB23858C62 for ; Fri, 13 Oct 2023 22:28:40 +0000 (GMT) ARC-Filter: OpenARC Filter v1.0.0 sourceware.org E2BB23858C62 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=3.97.99.32 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697236126; cv=none; b=CirxDUnovHqMq6l1HLcrzcQyE5jN75RyG0cAvu717O6CUwDhevs/m5qnmJsQdgKKh9Vx0L8otORlqQxhkify48Cx9MDXEq8blldwXbSlzvE7L6OeoheZBUZrREo2cXGEi8XjAdeMSupggSR3Crsu5FIJXmZUOFLCu8ZQsEqC6EU= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1697236126; c=relaxed/simple; bh=ht7LOKTh0qE1DJRG+P/zWrJR/aA+QUe2yh9vtpmqI3I=; h=DKIM-Signature:From:To:Date:Message-Id:Subject; b=mVI+pfVpU6dNi/Q4Fc+gQjoK2fevDBHnoPJwnljWkCpZk6SQiDQ491XA4dybrUcSGESuaXoJ5UmRPiCo54MZsKiMwLwQn/Zik5niCxep1XUphUnTVVtJPcq2QRZQH91LXKzTa8fBbiXhBgqVQjm5l3Ju+4I4xy+IAGQPjqB8/1g= ARC-Authentication-Results: i=1; server2.sourceware.org DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E2BB23858C62 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=Shaw.ca Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=shaw.ca Received: from shw-obgw-4003a.ext.cloudfilter.net ([10.228.9.183]) by cmsmtp with ESMTPS id rGfmqovR8mfesrQe8qmBnx; Fri, 13 Oct 2023 22:28:40 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=shaw.ca; s=s20180605; t=1697236120; bh=ht7LOKTh0qE1DJRG+P/zWrJR/aA+QUe2yh9vtpmqI3I=; h=From:To:Reply-To:Date:Subject; b=hdytozPo9aWCE8oa8C7W7ZGyncoFGBVwHCLbB+OKJ83Pn7ASFb08eK1I5yPf/wfbQ ubb3Uo2LQyO2S7/2noHuComESRkjVzF+l07shKNDx3i2KyvTh1MXNwfRaaS75eRCxL OHDGaSYEsEN1Eqj+gWtZ6EdKePqAJzvyLKYsXDQlZc9e6lL8eGTzJGipt+lJHFUHoc wqVJqjAecp7xYABAKNlQkW/72FqCtRYDsaby6kiHvh/Q83oeLqubGPuBRZ2mIc5nJz laRqx8jcxX4FzcbQ8FrnE2sAph3bUI/gQmRFWdETVvyJM0zXRaXdb3jvR/q6kjG6D1 O+FcBcFXPH5MA== Received: from localhost.localdomain ([184.64.102.149]) by cmsmtp with ESMTP id rQe7qrNW2ailArQe7qcIyK; Fri, 13 Oct 2023 22:28:40 +0000 X-Authority-Analysis: v=2.4 cv=M75elg8s c=1 sm=1 tr=0 ts=6529c498 a=DxHlV3/gbUaP7LOF0QAmaA==:117 a=DxHlV3/gbUaP7LOF0QAmaA==:17 a=X-QBuKCoAAAA:8 a=NEAV23lmAAAA:8 a=hXOhBxV34VPRJLms4jkA:9 a=vbxwTe1tunHIfGfxEBYx:22 From: "Cygwin nghttp2 Maintainer" To: "Cygwin Announcements" Reply-To: "Cygwin" Date: Fri, 13 Oct 2023 16:27:16 -0600 Message-Id: <20231013162716.25990-1-Brian.Inglis@Shaw.ca> Subject: Updated: mingw64-x86_64-/nghttp2 libnghttp2_14/-devel 1.57 X-CMAE-Envelope: MS4xfHiMQls0vNaGiMqNT3JOUDMyOM+7yKrdlOWmswzbwPhFL15JFZusGxWbZLBtRO9rRdgClpNJJ6zkjomOQbEFrjx0snxYXCnjganZ+wV3Ty+z3o4OUdev cX1z5lM4hiw44KNulfwrDNJcDKkRb4II3ljk7KvUmhlLnm9qAXpUMOjsVgMeYSRXO/O9JWPhG3fMrMMZg9RK/FLlJqSIcItaj24= X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,KAM_NUMSUBJECT,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: The following packages have been upgraded in the Cygwin distribution: * nghttp2 1.57 * libnghttp2_14 1.57 * libnghttp2-devel 1.57 * mingw64-x86_64-nghttp2 1.57 HTTP/2 and its header compression algorithm HPACK implementation. The framing layer of HTTP/2 is implemented as a reusable library. Also included are an HTTP/2 client, server, proxy, load test and benchmarking tool. NOTE: Support for previously deprecated Python bindings, modules, and documentation was dropped some releases ago. For more information see the project home page: https://nghttp2.org/ or the repo README: https://github.com/nghttp2/nghttp2#readme See link or text below for recent changes; after installation for complete details of changes read /usr/share/doc/nghttp2/ChangeLog. https://nghttp2.org/blog/ 2023-10-10 1.57.0 Security Advisory CVE-2023-44487 HTTP/2 Rapid Reset For more information, read the security advisory: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg lib This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset. It has reasonable amount of default budgets for incoming RST_STREAM frames. Application can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and check RST_STREAM frame. nghttpx This release fixes the bug that --single-process does not work. It also fixes the bug that TLS connection is not rate limited.