* Updated: nghttp2, libnghttp2-devel/_14 mingw64-x86_64-nghttp2 1.61
@ 2024-04-07 4:50 Cygwin nghttp2 Maintainer
From: Cygwin nghttp2 Maintainer @ 2024-04-07 4:50 UTC
To: Cygwin Announcements
The following packages have been upgraded in the Cygwin distribution:
* nghttp2 1.61
* libnghttp2-devel 1.61
* libnghttp2_14 1.61
* mingw64-x86_64-nghttp2 1.61
An implementation of HTTP/2 and its header compression algorithm, HPACK.
The framing layer of HTTP/2 is implemented as a reusable library.
Also included are an HTTP/2 client, server, proxy, load test and
benchmarking tool.
For more information see the project home page:
https://nghttp2.org/
or the repo README:
https://github.com/nghttp2/nghttp2#readme
See link or text below for recent changes; after installation for
complete details of changes read /usr/share/doc/nghttp2/ChangeLog.
https://nghttp2.org/blog/
NOTE
Support for previously deprecated Python bindings, modules,
and documentation was dropped some releases ago.
2024-04-04 1.61.0
Security Advisory
CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames
causes excessive CPU usage
The nghttp2 library keeps reading an unbounded number of HTTP/2
CONTINUATION frames even after a stream is reset, in order to keep the
HPACK context in sync.
This causes excessive CPU usage to decode the HPACK stream.
See also https://www.kb.cert.org/vuls/id/421644
nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of
CONTINUATION frames it can accept after a HEADERS frame.
The default limits the number of CONTINUATION frames after a HEADERS
frame to 8.
The limit is also now configurable.
h2load
  * Allow host header to be overridden
nghttp
  * Support SSLKEYLOGFILE
nghttpd
  * Fix read stall
nghttpx
  * Faster worker lookup
  * Header idle timeout
  * Allocate 3 bits for QUIC configuration in Connection ID
  * Discard UDP datagram that is too short to be a valid QUIC packet
  * Drop a UDP datagram from well-known port
  * Fix error message
  * Fix frontend-header-timeout does not work in config file
  * Fix port byte order
  * Migrate to ares_getaddrinfo
  * More QUIC prohibited ports
  * Rework Connection ID construction
  * Rework QUIC stateless reset packet size
  * Shutdown h3 stream read with trailer as well
  * Simplify quic connection close handling
  * Split thread into worker_process and thread
lib
  * Add actions/stale
  * Automate release process
  * Further reduce Stateless reset emission
  * No rfc7540 priorities fix
  * Rewrite hexdump
build
  * autotools: Switch to tar-pax
  * autotools: Use tar-ustar automake option
  * cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON
  * Respect BUILD_STATIC_LIBS and add option for tests
third-party
  * bpf: Drop bad QUIC packet
  * Bump munit
  * Bump ngtcp2
  * Bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0
  * Bump golang.org/x/net from 0.21.0 to 0.22.0
  * Checkout with submodules
  * docker: Use copy --link
  * docker: Switch to distroless/base-nossl
  * Workaround llvm issue on github ubuntu runner
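The CONTINUATION limit described under CVE-2024-28182 above, sketched as a stand-alone frame walker. This is an added example, not part of the announcement and not nghttp2's own code; the names `check_continuations` and `build_sample` and the return codes are hypothetical, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { FRAME_HEADERS = 0x1, FRAME_PUSH_PROMISE = 0x5, FRAME_CONTINUATION = 0x9,
       FLAG_END_HEADERS = 0x4 };
enum { CHECK_OK = 0, TOO_MANY_CONTINUATIONS = -1, TRUNCATED = -2, PROTOCOL_ERROR = -3 };

/* Walk a buffer of HTTP/2 frames (9-byte header: 24-bit length, type, flags,
 * 31-bit stream id) and cap the CONTINUATION frames accepted per header block.
 * Stream ids are not compared here; a full parser must also check them. */
static int check_continuations(const uint8_t *buf, size_t n, size_t limit) {
    size_t off = 0, seen = 0;
    int in_block = 0; /* 1 while a header block is open (no END_HEADERS yet) */
    while (off < n) {
        if (n - off < 9) return TRUNCATED;
        size_t len = ((size_t)buf[off] << 16) | ((size_t)buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3], flags = buf[off + 4];
        if (n - off - 9 < len) return TRUNCATED;
        int opens = (type == FRAME_HEADERS || type == FRAME_PUSH_PROMISE);
        /* CONTINUATION is valid only inside an open block, and nothing else is. */
        if (in_block != (type == FRAME_CONTINUATION)) return PROTOCOL_ERROR;
        if (type == FRAME_CONTINUATION && ++seen > limit) return TOO_MANY_CONTINUATIONS;
        if (opens) seen = 0;
        if (opens || type == FRAME_CONTINUATION) in_block = !(flags & FLAG_END_HEADERS);
        off += 9 + len;
    }
    return CHECK_OK;
}

/* Constructed sample: HEADERS on stream 1 followed by k empty CONTINUATION
 * frames, END_HEADERS set only on the last frame. Returns bytes written. */
static size_t build_sample(uint8_t *out, unsigned k) {
    size_t off = 0;
    for (unsigned i = 0; i <= k; i++) {
        uint8_t hdr[9] = {0, 0, 0, i ? FRAME_CONTINUATION : FRAME_HEADERS,
                          i == k ? FLAG_END_HEADERS : 0, 0, 0, 0, 1};
        for (int j = 0; j < 9; j++) out[off++] = hdr[j];
    }
    return off;
}

int main(void) {
    uint8_t buf[9 * 16];
    for (unsigned k = 7; k <= 9; k++) /* limit 8 is the default stated above */
        printf("%u CONTINUATION frames -> %d\n", k,
               check_continuations(buf, build_sample(buf, k), 8));
    return 0;
}
```

In libnghttp2 1.61 itself the limit is set on the session options with `nghttp2_option_set_max_continuations()`.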