public inbox for cygwin-announce@cygwin.com
* Updated: nghttp2, libnghttp2-devel/_14 mingw64-x86_64-nghttp2 1.61
@ 2024-04-07  4:50 Cygwin nghttp2 Maintainer
From: Cygwin nghttp2 Maintainer @ 2024-04-07  4:50 UTC (permalink / raw)
  To: Cygwin Announcements

The following packages have been upgraded in the Cygwin distribution:

* nghttp2			1.61
* libnghttp2-devel		1.61
* libnghttp2_14			1.61
* mingw64-x86_64-nghttp2	1.61

HTTP/2 and its header compression algorithm HPACK implementation.
The framing layer of HTTP/2 is implemented as a reusable library.
Also included are an HTTP/2 client, server, proxy, load test and
benchmarking tool.

For more information see the project home page:

	https://nghttp2.org/

or the repo README:

	https://github.com/nghttp2/nghttp2#readme

See link or text below for recent changes; after installation for
complete details of changes read /usr/share/doc/nghttp2/ChangeLog.

	https://nghttp2.org/blog/

NOTE

Support for previously deprecated Python bindings, modules,
and documentation was dropped some releases ago.


2024-04-04	1.61.0

Security Advisory

CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames
causes excessive CPU usage

The nghttp2 library keeps reading an unbounded number of HTTP/2
CONTINUATION frames even after a stream is reset, in order to keep the
HPACK context in sync.
This causes excessive CPU usage to decode the HPACK stream.

See also https://www.kb.cert.org/vuls/id/421644

nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of
CONTINUATION frames it can accept after a HEADERS frame.
The default limits the number of CONTINUATION frames after a HEADERS
frame to 8.
The limit is also now configurable.


h2load

Allow host header to be overridden


nghttp

Support SSLKEYLOGFILE


nghttpd

Fix read stall


nghttpx

Faster worker lookup
Header idle timeout
Allocate 3 bits for QUIC configuration in Connection ID
Discard UDP datagram that is too short to be a valid QUIC packet
Drop a UDP datagram from well-known port
Fix error message
Fix frontend-header-timeout does not work in config file
Fix port byte order
Migrate to ares_getaddrinfo
More QUIC prohibited ports
Rework Connection ID construction
Rework QUIC stateless reset packet size
Shutdown h3 stream read with trailer as well
Simplify quic connection close handling
Split thread into worker_process and thread


lib

Add actions/stale
Automate release process
Further reduce Stateless reset emission
No rfc7540 priorities fix
Rewrite hexdump


build

autotools: Switch to tar-pax
autotools: Use tar-ustar automake option
cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON
Respect BUILD_STATIC_LIBS and add option for tests


third-party

bpf: Drop bad QUIC packet
Bump munit
Bump ngtcp2
Bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0
Bump golang.org/x/net from 0.21.0 to 0.22.0
Checkout with submodules
docker: Use copy --link
docker: Switch to distroless/base-nossl
Workaround llvm issue on github ubuntu runner
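
The CONTINUATION cap described in the security advisory above, as an added
example (not part of the announcement and not nghttp2's own code): a
stand-alone C checker that walks raw HTTP/2 frames and refuses a header block
once more than 8 CONTINUATION frames follow a HEADERS frame. The names
check_continuations, build_sample and MAX_CONTINUATIONS, and the return codes,
are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Frame type/flag values from RFC 9113; 8 is the default cap in the advisory. */
enum { H2_HEADERS = 0x1, H2_CONTINUATION = 0x9, H2_END_HEADERS = 0x4,
       MAX_CONTINUATIONS = 8 };

/* Walk a buffer of HTTP/2 frames (9-byte header + payload each).
 * Returns 0 if acceptable, -1 if truncated or a frame is out of sequence,
 * -2 if more than max_cont CONTINUATION frames follow one HEADERS frame.
 * Simplified: PUSH_PROMISE header blocks are not tracked. */
int check_continuations(const uint8_t *buf, size_t len, size_t max_cont)
{
    size_t off = 0, cont = 0;
    int in_block = 0;            /* 1 while a header block awaits END_HEADERS */
    uint32_t block_stream = 0;
    while (off < len) {
        if (len - off < 9) return -1;
        const uint8_t *h = buf + off;
        size_t plen = ((size_t)h[0] << 16) | ((size_t)h[1] << 8) | h[2];
        uint8_t type = h[3], flags = h[4];
        uint32_t sid = ((uint32_t)(h[5] & 0x7f) << 24) | ((uint32_t)h[6] << 16) |
                       ((uint32_t)h[7] << 8) | h[8];
        if (len - off - 9 < plen) return -1;
        off += 9 + plen;
        if (in_block) {
            /* Only CONTINUATION on the same stream may follow an open block. */
            if (type != H2_CONTINUATION || sid != block_stream) return -1;
            if (++cont > max_cont) return -2;   /* cap exceeded: stop reading */
            if (flags & H2_END_HEADERS) in_block = 0;
        } else if (type == H2_CONTINUATION) {
            return -1;           /* CONTINUATION with no open header block */
        } else if (type == H2_HEADERS && !(flags & H2_END_HEADERS)) {
            in_block = 1; block_stream = sid; cont = 0;
        }
    }
    return 0;
}

/* Constructed sample: HEADERS on stream 1, then n CONTINUATION frames, each with
 * a 1-byte placeholder payload (not real HPACK); the last sets END_HEADERS. */
size_t build_sample(uint8_t *out, size_t n)
{
    for (size_t i = 0; i <= n; i++) {
        uint8_t f[10] = { 0, 0, 1, i ? H2_CONTINUATION : H2_HEADERS,
                          i == n ? H2_END_HEADERS : 0, 0, 0, 0, 1, 0 };
        memcpy(out + 10 * i, f, sizeof f);
    }
    return 10 * (n + 1);
}
```

The counter resets on each new HEADERS frame, so the cap applies per header
block rather than per connection.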
