From: "Cygwin nghttp2 Maintainer"
To: "Cygwin Announcements"
Reply-To: "Cygwin"
Date: Sat, 06 Apr 2024 22:50:30 -0600
Message-Id: <20240406225030.56203-1-Brian.Inglis@SystematicSW.ab.ca>
Subject: Updated: nghttp2, libnghttp2-devel/_14 mingw64-x86_64-nghttp2 1.61

The following packages have been upgraded in the Cygwin distribution:

* nghttp2 1.61
* libnghttp2-devel 1.61
* libnghttp2_14 1.61
* mingw64-x86_64-nghttp2 1.61

HTTP/2 and its header compression algorithm HPACK implementation.
The framing layer of HTTP/2 is implemented as a reusable library.
Also included are an HTTP/2 client, server, proxy, load test and
benchmarking tool.

For more information see the project home page:

https://nghttp2.org/

or the repo README:

https://github.com/nghttp2/nghttp2#readme

See link or text below for recent changes; after installation for
complete details of changes read /usr/share/doc/nghttp2/ChangeLog.

https://nghttp2.org/blog/

NOTE Support for previously deprecated Python bindings, modules, and
documentation was dropped some releases ago.

2024-04-04 1.61.0

Security Advisory

CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames
causes excessive CPU usage

nghttp2 library keeps reading an unbounded number of HTTP/2
CONTINUATION frames even after a stream is reset to keep HPACK context
in sync. This causes excessive CPU usage to decode HPACK stream.

See also https://www.kb.cert.org/vuls/id/421644

nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of
CONTINUATION frames it can accept after a HEADERS frame.

The default limits the number of CONTINUATION frames after a HEADERS
frame to 8. The limit is also now configurable.

h2load

* Allow host header to be overridden

nghttp

* Support SSLKEYLOGFILE

nghttpd

* Fix read stall

nghttpx

* Faster worker lookup
* Header idle timeout
* Allocate 3 bits for QUIC configuration in Connection ID
* Discard UDP datagram that is too short to be a valid QUIC packet
* Drop a UDP datagram from well-known port
* Fix error message
* Fix frontend-header-timeout does not work in config file
* Fix port byte order
* Migrate to ares_getaddrinfo
* More QUIC prohibited ports
* Rework Connection ID construction
* Rework QUIC stateless reset packet size
* Shutdown h3 stream read with trailer as well
* Simplify quic connection close handling
* Split thread into worker_process and thread

lib

* Add actions/stale
* Automate release process
* Further reduce Stateless reset emission
* No rfc7540 priorities fix
* Rewrite hexdump

build

* autotools: Switch to tar-pax
* autotools: Use tar-ustar automake option
* cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON
* Respect BUILD_STATIC_LIBS and add option for tests

third-party

* bpf: Drop bad QUIC packet
* Bump munit
* Bump ngtcp2
* Bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0
* Bump golang.org/x/net from 0.21.0 to 0.22.0
* Checkout with submodules
* docker: Use copy --link
* docker: Switch to distroless/base-nossl
* Workaround llvm issue on github ubuntu runner
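
The CONTINUATION limit described in the CVE-2024-28182 advisory above, as an added example that is not part of the original announcement and is not nghttp2's own code: a stand-alone frame walker that counts CONTINUATION frames after a HEADERS frame and rejects the stream once the count passes 8. The function names, return codes and the sample frames with empty payloads are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_HEADERS 0x1
#define FRAME_CONTINUATION 0x9
#define FLAG_END_HEADERS 0x4
#define MAX_CONTINUATIONS 8 /* default limit stated in the advisory */

/* Append one empty-payload frame (9-byte HTTP/2 frame header) to buf. */
size_t put_frame(uint8_t *buf, size_t off, uint8_t type, uint8_t flags, uint32_t sid) {
    uint8_t h[9] = {0, 0, 0, type, flags, (uint8_t)((sid >> 24) & 0x7f),
                    (uint8_t)(sid >> 16), (uint8_t)(sid >> 8), (uint8_t)sid};
    memcpy(buf + off, h, sizeof h);
    return off + sizeof h;
}

/* 0 = accepted, -1 = CONTINUATION limit exceeded, -2 = truncated or bad sequence. */
int check_continuations(const uint8_t *buf, size_t len, size_t max_cont) {
    size_t off = 0, count = 0;
    int in_block = 0; /* 1 while a header block still lacks END_HEADERS */
    while (off < len) {
        if (len - off < 9) return -2;
        size_t plen = ((size_t)buf[off] << 16) | ((size_t)buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3], flags = buf[off + 4];
        if (len - off - 9 < plen) return -2;
        if (in_block != (type == FRAME_CONTINUATION)) return -2; /* only inside an open block */
        if (type == FRAME_HEADERS) count = 0;
        if (type == FRAME_CONTINUATION && ++count > max_cont) return -1;
        if (type == FRAME_HEADERS || type == FRAME_CONTINUATION)
            in_block = !(flags & FLAG_END_HEADERS);
        off += 9 + plen;
    }
    return 0;
}

/* Constructed sample: HEADERS plus n CONTINUATION frames, the last with END_HEADERS. */
int run_sample(size_t n) {
    uint8_t buf[9 * 64];
    if (n > 63) return -2; /* keep the constructed sample inside buf */
    size_t off = put_frame(buf, 0, FRAME_HEADERS, n ? 0 : FLAG_END_HEADERS, 1);
    for (size_t i = 0; i < n; i++)
        off = put_frame(buf, off, FRAME_CONTINUATION, i + 1 == n ? FLAG_END_HEADERS : 0, 1);
    return check_continuations(buf, off, MAX_CONTINUATIONS);
}

int main(void) {
    printf("8 CONTINUATION: %d, 9 CONTINUATION: %d\n", run_sample(8), run_sample(9));
    return 0;
}
```

In applications built on libnghttp2 1.61.0 or later the limit is set on the library itself with nghttp2_option_set_max_continuations(); the walker above only illustrates the counting rule.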