public inbox for cygwin-announce@cygwin.com
From: "Cygwin nghttp2 Maintainer" <Brian.Inglis@SystematicSW.ab.ca>
To: "Cygwin Announcements" <cygwin-announce@cygwin.com>
Subject: Updated: nghttp2, libnghttp2-devel/_14 mingw64-x86_64-nghttp2 1.61
Date: Sat, 06 Apr 2024 22:50:30 -0600
Message-ID: <20240406225030.56203-1-Brian.Inglis@SystematicSW.ab.ca>

The following packages have been upgraded in the Cygwin distribution:

* nghttp2			1.61
* libnghttp2-devel		1.61
* libnghttp2_14			1.61
* mingw64-x86_64-nghttp2	1.61

An implementation of HTTP/2 and its header compression algorithm, HPACK.
The framing layer of HTTP/2 is implemented as a reusable library.
Also included are an HTTP/2 client, server, proxy, and a load-testing and
benchmarking tool.

For more information see the project home page:

	https://nghttp2.org/

or the repo README:

	https://github.com/nghttp2/nghttp2#readme

See the link or the text below for recent changes; after installation,
read /usr/share/doc/nghttp2/ChangeLog for complete details of the changes.

	https://nghttp2.org/blog/

NOTE

Support for previously deprecated Python bindings, modules,
and documentation was dropped some releases ago.


2024-04-04	1.61.0

Security Advisory

CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames
causes excessive CPU usage

The nghttp2 library keeps reading an unbounded number of HTTP/2
CONTINUATION frames even after a stream is reset, in order to keep the
HPACK context in sync.
Decoding the resulting HPACK stream causes excessive CPU usage.

See also https://www.kb.cert.org/vuls/id/421644

nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of
CONTINUATION frames it can accept after a HEADERS frame.
The default limits the number of CONTINUATION frames after a HEADERS
frame to 8.
The limit is also now configurable.
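To make the mitigation concrete, here is an added example (not nghttp2's own code, which applies the cap inside libnghttp2's session machinery and, as the advisory notes, keeps consuming CONTINUATION frames after a stream reset so the HPACK decoder stays in sync; that reset case is not modelled here). It parses raw 9-byte HTTP/2 frame headers, counts CONTINUATION frames after a HEADERS frame that lacks END_HEADERS, and rejects the connection once a configurable cap is exceeded, before any HPACK decoding would take place. The example goes slightly beyond the advisory by also enforcing the RFC 9113 rule that only CONTINUATION frames on the same stream may follow an unterminated HEADERS frame. All function and type names (h2_frame_tracker, h2_tracker_feed, h2_scan_frames, h2_demo_header_block) and the constructed frame sequences are this example's own; the default cap of 8 is the figure stated in the advisory. In libnghttp2 the configurable cap is exposed as nghttp2_option_set_max_continuations().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HTTP/2 frame type and flag values from RFC 9113. */
#define H2_FRAME_HEADERS      0x01
#define H2_FRAME_CONTINUATION 0x09
#define H2_FLAG_END_HEADERS   0x04
#define H2_FRAME_HEADER_LEN   9
/* Default cap, matching the advisory: 8 CONTINUATION frames per HEADERS. */
#define H2_DEFAULT_MAX_CONTINUATIONS 8

typedef enum {
    H2_OK = 0,
    H2_ERR_TRUNCATED = -1,             /* buffer ended inside a frame */
    H2_ERR_PROTOCOL = -2,              /* frame sequence violates RFC 9113 6.10 */
    H2_ERR_TOO_MANY_CONTINUATIONS = -3 /* the cap this example enforces */
} h2_result;

typedef struct {
    size_t max_continuations; /* configurable cap (hypothetical tracker, not libnghttp2) */
    int in_header_block;      /* HEADERS seen, END_HEADERS not yet seen */
    uint32_t block_stream_id; /* stream that owns the open header block */
    size_t continuations;     /* CONTINUATION frames counted in the open block */
} h2_frame_tracker;

void h2_tracker_init(h2_frame_tracker *t, size_t max_continuations)
{
    memset(t, 0, sizeof *t);
    t->max_continuations = max_continuations;
}

/* Account for one frame header. The payload is never inspected: the decision
 * rests on type, flags and stream id, so it runs before any HPACK work. */
h2_result h2_tracker_feed(h2_frame_tracker *t, uint8_t type, uint8_t flags,
                          uint32_t stream_id)
{
    if (t->in_header_block) {
        /* Only CONTINUATION on the same stream may follow (RFC 9113 6.10). */
        if (type != H2_FRAME_CONTINUATION || stream_id != t->block_stream_id)
            return H2_ERR_PROTOCOL;
        if (++t->continuations > t->max_continuations)
            return H2_ERR_TOO_MANY_CONTINUATIONS;
        if (flags & H2_FLAG_END_HEADERS)
            t->in_header_block = 0;
        return H2_OK;
    }
    if (type == H2_FRAME_CONTINUATION)
        return H2_ERR_PROTOCOL; /* CONTINUATION with no header block open */
    if (type == H2_FRAME_HEADERS && !(flags & H2_FLAG_END_HEADERS)) {
        t->in_header_block = 1;
        t->block_stream_id = stream_id;
        t->continuations = 0;
    }
    return H2_OK;
}

/* Walk a buffer of raw frames: 24-bit length, 8-bit type, 8-bit flags,
 * 31-bit stream id, then the payload, which is skipped. Stops at first error. */
h2_result h2_scan_frames(h2_frame_tracker *t, const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < H2_FRAME_HEADER_LEN)
            return H2_ERR_TRUNCATED;
        uint32_t plen = ((uint32_t)buf[off] << 16) | ((uint32_t)buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3], flags = buf[off + 4];
        uint32_t sid = ((uint32_t)(buf[off + 5] & 0x7f) << 24) | ((uint32_t)buf[off + 6] << 16) |
                       ((uint32_t)buf[off + 7] << 8) | buf[off + 8];
        h2_result r = h2_tracker_feed(t, type, flags, sid);
        if (r != H2_OK)
            return r;
        off += H2_FRAME_HEADER_LEN;
        if (len - off < plen)
            return H2_ERR_TRUNCATED;
        off += plen;
    }
    return H2_OK;
}

/* Serialise one frame header plus a zeroed dummy payload (constructed data). */
static size_t put_frame(uint8_t *out, uint32_t plen, uint8_t type, uint8_t flags, uint32_t sid)
{
    out[0] = (uint8_t)(plen >> 16); out[1] = (uint8_t)(plen >> 8); out[2] = (uint8_t)plen;
    out[3] = type; out[4] = flags;
    out[5] = (uint8_t)((sid >> 24) & 0x7f); out[6] = (uint8_t)(sid >> 16);
    out[7] = (uint8_t)(sid >> 8); out[8] = (uint8_t)sid;
    memset(out + H2_FRAME_HEADER_LEN, 0, plen);
    return H2_FRAME_HEADER_LEN + plen;
}

/* Constructed input: HEADERS on stream 1 followed by n CONTINUATION frames,
 * END_HEADERS set on the last frame of the block; scanned with the given cap. */
h2_result h2_demo_header_block(size_t n_continuations, size_t limit)
{
    enum { PAYLOAD = 4, MAX_FRAMES = 64 };
    uint8_t buf[MAX_FRAMES * (H2_FRAME_HEADER_LEN + PAYLOAD)];
    size_t len = 0, i;
    h2_frame_tracker t;
    if (n_continuations + 1 > MAX_FRAMES)
        return H2_ERR_TRUNCATED; /* input too large for the fixed demo buffer */
    len += put_frame(buf + len, PAYLOAD, H2_FRAME_HEADERS,
                     n_continuations == 0 ? H2_FLAG_END_HEADERS : 0, 1);
    for (i = 0; i < n_continuations; i++)
        len += put_frame(buf + len, PAYLOAD, H2_FRAME_CONTINUATION,
                         i + 1 == n_continuations ? H2_FLAG_END_HEADERS : 0, 1);
    h2_tracker_init(&t, limit);
    return h2_scan_frames(&t, buf, len);
}

int main(void)
{
    printf("8 CONTINUATION, cap 8:  %d\n", h2_demo_header_block(8, H2_DEFAULT_MAX_CONTINUATIONS));
    printf("9 CONTINUATION, cap 8:  %d\n", h2_demo_header_block(9, H2_DEFAULT_MAX_CONTINUATIONS));
    printf("9 CONTINUATION, cap 16: %d\n", h2_demo_header_block(9, 16));
    return 0;
}
```

The point of the design is that the cost of rejecting an over-long header block is one counter compare per frame header, whereas the cost of accepting it is a full HPACK decode of every fragment; a server that only limits total header size still pays the decode cost, which is why the cap is applied on the frame count. Raising the cap is safe when a deployment legitimately sends very large header blocks; the example's third call shows the same stream accepted under a cap of 16.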


h2load

Allow host header to be overridden


nghttp

Support SSLKEYLOGFILE


nghttpd

Fix read stall


nghttpx

Faster worker lookup
Header idle timeout
Allocate 3 bits for QUIC configuration in Connection ID
Discard UDP datagram that is too short to be a valid QUIC packet
Drop a UDP datagram from well-known port
Fix error message
Fix frontend-header-timeout not working when set in the config file
Fix port byte order
Migrate to ares_getaddrinfo
More QUIC prohibited ports
Rework Connection ID construction
Rework QUIC stateless reset packet size
Shutdown h3 stream read with trailer as well
Simplify quic connection close handling
Split thread into worker_process and thread


lib

Add actions/stale
Automate release process
Further reduce Stateless reset emission
No rfc7540 priorities fix
Rewrite hexdump


build

autotools: Switch to tar-pax
autotools: Use tar-ustar automake option
cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON
Respect BUILD_STATIC_LIBS and add option for tests


third-party

bpf: Drop bad QUIC packet
Bump munit
Bump ngtcp2
Bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0
Bump golang.org/x/net from 0.21.0 to 0.22.0
Checkout with submodules
docker: Use copy --link
docker: Switch to distroless/base-nossl
Workaround llvm issue on github ubuntu runner
