Updated: nghttp2, libnghttp2{_14, -devel}, {mingw64-{x86_64, i686}, python{37, 38}}-nghttp2 1.43

Cygwin nghttp2 Maintainer Brian.Inglis@SystematicSW.ab.ca
Sun May 30 06:35:11 GMT 2021


The following packages have been upgraded in the Cygwin distribution:

* nghttp2			1.43
* libnghttp2_14			1.43
* libnghttp2-devel		1.43
* mingw64-x86_64-nghttp2	1.43
* mingw64-i686-nghttp2		1.43
* python37-nghttp2		1.43
* python38-nghttp2		1.43

and the following packages have been obsoleted and upgraded to the new ones:

* python2-nghttp2		1.43
* python27-nghttp2		1.43
* python3-nghttp2		1.43
* python36-nghttp2		1.43

An implementation of HTTP/2 and its header compression algorithm, HPACK.
The framing layer of HTTP/2 is implemented as a reusable library.
Also included are an HTTP/2 client, server, proxy, load test and
benchmarking tool, and Python modules.

For more information see the project home page:

	https://nghttp2.org/

or the repo README:

	https://github.com/nghttp2/nghttp2#readme

For complete details of the changes, see the release notes below, read
/usr/share/doc/nghttp2/ChangeLog after installation, or visit the upstream blog:

	https://nghttp2.org/blog/


nghttp2 v1.43.0	Feb 2nd, 2021 7:37 pm

Lib
This release has no changes in libnghttp2.

Doc
Documentation is now built with Sphinx 3.3.0 or later.

Python
The Python binding now requires Python 3.
All Python scripts used for nghttp2 development have been made Python 3
compatible.

nghttpx
This release fixes a potential memory issue in which a memory pool was
cleared while it was still in use.
An ECDSA certificate is now chosen when a compatible signature algorithm
is available.
This release adds a workaround to allow ':' in a backend pattern.


nghttp2 v1.42.0	Nov 23rd, 2020 11:40 pm

Lib
The UBSAN errors are now fixed.
nghttp2_map is now backed by a tree for storing collisions.

Doc
Some clarifications are made for nghttp2_session_send function.

Build
The missing cmake/FindSystemd.cmake has been added to the tar distribution.

Third-party
Bump llhttp to 2.2.0 and mruby to 2.1.2.

nghttpx
This release fixes the bug that nghttpx cannot handle an h2 backend
being retired before it is initialized.
New access logging variables are added: $method, $path,
$path_without_query, and $protocol_version.
The bug that made nghttpx stall when TLS follows the PROXY protocol
header has been fixed.
The bug in logging negative integers is fixed.


nghttp2 v1.41.0	Jun 2nd, 2020 7:13 pm

This release includes a security advisory.

Security Advisory
CVE-2020-11080: Denial of service: Overly large SETTINGS frames
For more information, read the security advisory
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Lib
This release implements the nghttp2_option_set_max_settings API, which
sets the maximum number of SETTINGS entries accepted in one SETTINGS
frame, to mitigate the security issue.
It also moves the SETTINGS flood check earlier to make it more effective.
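The check described above, as an added example that is not nghttp2's own code: a self-contained SETTINGS frame validator that derives the entry count from the 9-byte frame header and refuses the frame before touching its payload when the count exceeds the cap. All names are invented for this example, and the 32-entry default is an assumption (libnghttp2 exposes the equivalent knob as nghttp2_option_set_max_settings). The flood frame used in the demo is constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout constants from RFC 7540. */
#define H2_FRAME_HEADER_LEN   9
#define H2_FRAME_SETTINGS     0x4
#define H2_FLAG_ACK           0x1
#define H2_SETTINGS_ENTRY_LEN 6
#define H2_MAX_WINDOW_SIZE    0x7fffffffu

/* Cap on entries per SETTINGS frame. An assumed default for this example;
 * libnghttp2 exposes the same knob as nghttp2_option_set_max_settings(). */
#define DEFAULT_MAX_SETTINGS  32

enum settings_status {
    SETTINGS_ERR_INCOMPLETE = -1, SETTINGS_ERR_FRAME_SIZE = -2, SETTINGS_ERR_PROTOCOL = -3,
    SETTINGS_ERR_FLOW_CTRL = -4, SETTINGS_ERR_TOO_MANY = -5 /* over the cap: connection error */
};

struct settings_entry { uint16_t id; uint32_t value; };

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one SETTINGS frame from buf. Returns the entry count (0 for an ACK)
 * or a negative settings_status. The cap is enforced from the 9-byte header
 * alone, so a flood is refused before any of its payload is processed. */
int parse_settings_frame(const uint8_t *buf, size_t buflen, size_t max_entries,
                         struct settings_entry *out, size_t out_cap)
{
    if (buflen < H2_FRAME_HEADER_LEN) return SETTINGS_ERR_INCOMPLETE;
    uint32_t length = rd32(buf) >> 8;                   /* 24-bit payload length */
    uint8_t type = buf[3], flags = buf[4];
    uint32_t stream_id = rd32(buf + 5) & 0x7fffffffu;
    if (type != H2_FRAME_SETTINGS || stream_id != 0) return SETTINGS_ERR_PROTOCOL;
    if (flags & H2_FLAG_ACK) return length == 0 ? 0 : SETTINGS_ERR_FRAME_SIZE;
    if (length % H2_SETTINGS_ENTRY_LEN != 0) return SETTINGS_ERR_FRAME_SIZE;
    size_t n = length / H2_SETTINGS_ENTRY_LEN;
    if (n > max_entries || n > out_cap) return SETTINGS_ERR_TOO_MANY;
    if (buflen < H2_FRAME_HEADER_LEN + length) return SETTINGS_ERR_INCOMPLETE;
    const uint8_t *p = buf + H2_FRAME_HEADER_LEN;
    for (size_t i = 0; i < n; i++, p += H2_SETTINGS_ENTRY_LEN) {
        uint16_t id = (uint16_t)((p[0] << 8) | p[1]);
        uint32_t value = rd32(p + 2);
        if (id == 0x2 && value > 1) return SETTINGS_ERR_PROTOCOL;                   /* ENABLE_PUSH */
        if (id == 0x4 && value > H2_MAX_WINDOW_SIZE) return SETTINGS_ERR_FLOW_CTRL; /* INITIAL_WINDOW_SIZE */
        out[i].id = id;          /* unknown identifiers are passed through for the caller to ignore */
        out[i].value = value;
    }
    return (int)n;
}

/* Encode n entries as one SETTINGS frame on stream 0; returns bytes written, 0 if buf is too small. */
size_t build_settings_frame(uint8_t *buf, size_t buflen, const struct settings_entry *e, size_t n)
{
    size_t payload = n * H2_SETTINGS_ENTRY_LEN, i;
    if (payload > 0xffffff || buflen < H2_FRAME_HEADER_LEN + payload) return 0;
    memset(buf, 0, H2_FRAME_HEADER_LEN);
    buf[0] = (uint8_t)(payload >> 16); buf[1] = (uint8_t)(payload >> 8); buf[2] = (uint8_t)payload;
    buf[3] = H2_FRAME_SETTINGS;
    for (i = 0; i < n; i++) {
        uint8_t *p = buf + H2_FRAME_HEADER_LEN + i * H2_SETTINGS_ENTRY_LEN;
        p[0] = (uint8_t)(e[i].id >> 8);     p[1] = (uint8_t)e[i].id;
        p[2] = (uint8_t)(e[i].value >> 24); p[3] = (uint8_t)(e[i].value >> 16);
        p[4] = (uint8_t)(e[i].value >> 8);  p[5] = (uint8_t)e[i].value;
    }
    return H2_FRAME_HEADER_LEN + payload;
}

/* Constructed flood in the shape of the advisory: one frame carrying 1000
 * copies of SETTINGS_HEADER_TABLE_SIZE. Returns the parser's verdict. */
int demo_flood_verdict(size_t max_entries)
{
    enum { N = 1000 };
    static struct settings_entry flood[N], parsed[N];
    static uint8_t frame[H2_FRAME_HEADER_LEN + N * H2_SETTINGS_ENTRY_LEN];
    for (size_t i = 0; i < N; i++) { flood[i].id = 0x1; flood[i].value = 4096; }
    size_t len = build_settings_frame(frame, sizeof frame, flood, N);
    return parse_settings_frame(frame, len, max_entries, parsed, N);
}

/* An ordinary two-entry SETTINGS frame; returns 2 when it round-trips intact. */
int demo_preface_frame(void)
{
    struct settings_entry e[2] = { { 0x3, 100 }, { 0x4, 65535 } }; /* MAX_CONCURRENT_STREAMS, INITIAL_WINDOW_SIZE */
    struct settings_entry parsed[DEFAULT_MAX_SETTINGS];
    uint8_t frame[H2_FRAME_HEADER_LEN + 2 * H2_SETTINGS_ENTRY_LEN];
    size_t len = build_settings_frame(frame, sizeof frame, e, 2);
    int n = parse_settings_frame(frame, len, DEFAULT_MAX_SETTINGS, parsed, DEFAULT_MAX_SETTINGS);
    return (n == 2 && parsed[1].id == 0x4 && parsed[1].value == 65535) ? n : -100;
}

int main(void)
{
    printf("1000-entry flood, cap 32:   %d\n", demo_flood_verdict(DEFAULT_MAX_SETTINGS));
    printf("1000-entry flood, cap 1000: %d\n", demo_flood_verdict(1000));
    printf("two-entry frame:            %d\n", demo_preface_frame());
    return 0;
}
```

The point of checking n against the cap before the buffer-length check is that the verdict is reached while only the header is in hand: a peer that streams a multi-megabyte SETTINGS payload never gets it buffered, parsed or applied. A real implementation would also reject a 24-bit length above SETTINGS_MAX_FRAME_SIZE before reaching this code.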
The bug which stalled receiving stream data is fixed. Previously, if
automatic window update was enabled (the default), after the window size
had been set to 0 by nghttp2_session_set_local_window_size and the
receive window had been exhausted, no more data could be received even
after the window size was increased again by
nghttp2_session_set_local_window_size.
This is because nghttp2_session_set_local_window_size did not submit a
WINDOW_UPDATE. The automatic WINDOW_UPDATE is only triggered when new
data arrives, but since the window was already exhausted no more data
could arrive, so the session deadlocked.
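The deadlock described above, replayed as an added toy model of one direction of connection-level flow control. This is not libnghttp2 code: the struct, function names and the 1000-byte window are invented for this example, and the model keeps only the two numbers the bug depends on, the limit the application configured and the window the peer believes it has, which only a WINDOW_UPDATE can raise.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of one direction of HTTP/2 flow control (assumed for this example,
 * not libnghttp2's data structures). `limit` is what the receiving
 * application asked for through its set-local-window-size API;
 * `advertised` is what the peer believes it may still send, and only a
 * WINDOW_UPDATE frame can raise it (RFC 7540 6.9). */
struct flow {
    int32_t limit;
    int32_t advertised;
    int updates_sent;  /* WINDOW_UPDATE frames emitted to the peer */
};

/* Automatic window update as the release note describes it: it runs only
 * when DATA arrives, and re-advertises up to the configured limit. */
static void on_data_received(struct flow *f, int32_t n)
{
    f->advertised -= n;
    int32_t delta = f->limit - f->advertised;
    if (delta > 0) { f->advertised += delta; f->updates_sent++; }
}

/* The set-local-window-size API. With fix_enabled == 0 it behaves like the
 * pre-1.41 library: it records the new limit but sends no WINDOW_UPDATE.
 * With fix_enabled == 1, raising the limit submits a WINDOW_UPDATE for the
 * difference. A window can never be shrunk by WINDOW_UPDATE, so lowering
 * the limit sends nothing in either mode. */
static void set_local_window_size(struct flow *f, int32_t new_limit, int fix_enabled)
{
    f->limit = new_limit;
    int32_t delta = f->limit - f->advertised;
    if (fix_enabled && delta > 0) { f->advertised += delta; f->updates_sent++; }
}

/* The peer sends up to `want` bytes, bounded by the window it was given. */
static int32_t peer_send(struct flow *f, int32_t want)
{
    int32_t n = want < f->advertised ? want : f->advertised;
    if (n <= 0) return 0;
    on_data_received(f, n);
    return n;
}

/* Replays the sequence from the release note with a constructed 1000-byte
 * window: throttle to 0, let the peer exhaust what it was still allowed,
 * raise the window again, then see whether the peer can deliver more.
 * Returns the bytes delivered after the raise; 0 means the stall. */
int32_t delivered_after_raise(int fix_enabled)
{
    struct flow f = { 1000, 1000, 0 };
    set_local_window_size(&f, 0, fix_enabled);    /* pause the peer */
    peer_send(&f, 5000);                           /* peer drains the 1000 bytes still in its window */
    set_local_window_size(&f, 1000, fix_enabled);  /* resume: the step that used to be silent */
    return peer_send(&f, 500);
}

int main(void)
{
    printf("without fix: %d bytes delivered after raise\n", (int)delivered_after_raise(0));
    printf("with fix:    %d bytes delivered after raise\n", (int)delivered_after_raise(1));
    return 0;
}
```

Without the fix the raise leaves `advertised` at 0, the peer sends nothing, `on_data_received` never runs, and nothing else exists to emit the WINDOW_UPDATE. With the fix the raise itself emits it. On a library version that predates the fix, the application-level workaround is to call nghttp2_submit_window_update after increasing the window.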

Build
With cmake build, the hard-coded static lib suffix is now optional.

nghttpx
PROXY protocol v2 has been implemented.
The bug in getting certificate serial number with mruby script has been fixed.

h2load
New option, --connect-to, is added.


nghttp2 v1.40.0	Nov 15th, 2019 11:22 pm

Lib
New API function nghttp2_check_authority has been added.
This release fixes the bug that nghttp2_on_stream_close_callback is
called with the wrong error code.
HPACK huffman encoding and decoding get faster.

Build
With cmake build, filename collision is now avoided.
New flag ENABLE_STATIC_CRT is added for Windows cmake build.
Support building nghttpx with systemd has been added to cmake.

nghttpx
This release fixes the bug that mruby script is incorrectly shared
between backends with different configurations.
Now nghttpx reconnects to h1 backend if it lost connection before
sending header fields.
nghttpx returns 408 if backend timed out before sending header fields.
The bug that makes nghttpx stall when backend connection is reused and
buffer is full has been fixed.


nghttp2 v1.39.2	Aug 19th, 2019 10:12 pm

This release addresses the following security issues.

Security Advisory

CVE-2019-9511: Data Dribble
CVE-2019-9513: Resource Loop

Vulnerability

The details of advisories are described here:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

libnghttp2 itself is not affected by the vulnerabilities reported above.
nghttpx and nghttpd are subject to denial of service through CPU time
consumption under CVE-2019-9511 and CVE-2019-9513.

Affected Versions

Affected versions: nghttp2 version < 1.39.2
Not affected versions: nghttp2 >= 1.39.2

The Solution

Upgrade to nghttp2 v1.39.2.
For nghttpx, additionally limiting inbound traffic with the --read-rate
and --read-burst options is quite effective against this kind of attack.


nghttp2 v1.39.1	Jun 11th, 2019 11:25 pm

This release fixes critical bugs in v1.39.0.

nghttpx
This release fixes the bug that log-level was not set from the command
line or configuration file.
It also fixes a floating point exception (FPE) with the default backend.


nghttp2 v1.39.0	Jun 11th, 2019 10:14 pm

Lib
libnghttp2 now ignores Content-Length in a 200 response to a CONNECT
request, as per RFC 7230.

Third-party
mruby has been upgraded to 2.0.1.

Asio
libnghttp2-asio now supports boost-1.70.

Src
http-parser has been replaced with llhttp.

nghttpx
nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
responses and in a 200 response to CONNECT.
This release fixes the bug that the log level does not change to the
default value on configuration reload if log-level option is missing in
new configuration.
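The RFC 7230 rule behind both the libnghttp2 note and the nghttpx note in this release (ignoring Content-Length and Transfer-Encoding on 1xx and on a 2xx to CONNECT), as an added example rather than code from either project: a response body framing decision implementing RFC 7230 section 3.3.3. The enum, struct and function names, and the pre-parsed input shape (method, status, a chunked flag, the raw Content-Length value), are assumptions made for this example. The security-relevant case is the CONNECT one: a proxy that honoured a Content-Length on a 2xx to CONNECT would read the first bytes of the tunnel as a body and desynchronise from the client.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* How the body of an HTTP/1.1 response is delimited (RFC 7230 3.3.3). */
enum body_framing {
    BODY_NONE,            /* no body; Content-Length / Transfer-Encoding are ignored */
    BODY_CHUNKED,         /* Transfer-Encoding ends with "chunked" */
    BODY_CONTENT_LENGTH,  /* exactly `length` bytes */
    BODY_UNTIL_CLOSE,     /* read until the server closes the connection */
    BODY_INVALID          /* unparseable framing: reject the message */
};

struct framing { enum body_framing kind; unsigned long long length; };

/* Strict Content-Length parser: ASCII digits only, no sign, no whitespace,
 * no overflow. Returns 1 on success, 0 on failure. */
static int parse_content_length(const char *s, unsigned long long *out)
{
    if (s == NULL || *s == '\0') return 0;
    unsigned long long v = 0;
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return 0;
        unsigned d = (unsigned)(*s - '0');
        if (v > (~0ULL - d) / 10) return 0;   /* v * 10 + d would overflow */
        v = v * 10 + d;
    }
    *out = v;
    return 1;
}

/* Decide the body framing of a response from the request method, the
 * status code, whether Transfer-Encoding: chunked is present, and the raw
 * Content-Length value (NULL when absent). Rules follow RFC 7230 3.3.3. */
struct framing response_body_framing(const char *method, int status,
                                     int te_chunked, const char *content_length)
{
    struct framing f = { BODY_NONE, 0 };
    /* 1. Responses that never carry a body, whatever the header fields say. */
    if (strcmp(method, "HEAD") == 0 || (status >= 100 && status < 200) ||
        status == 204 || status == 304)
        return f;
    /* 2. A 2xx to CONNECT turns the connection into a tunnel. Content-Length
     *    and Transfer-Encoding MUST be ignored; honouring them would treat the
     *    first tunnelled bytes as a body. (The release notes mention 200; the
     *    RFC rule covers the whole 2xx class.) */
    if (strcmp(method, "CONNECT") == 0 && status >= 200 && status < 300)
        return f;
    /* 3. Transfer-Encoding takes precedence over Content-Length. */
    if (te_chunked) { f.kind = BODY_CHUNKED; return f; }
    /* 4. Content-Length must be a single well-formed decimal number. */
    if (content_length != NULL) {
        if (!parse_content_length(content_length, &f.length)) { f.kind = BODY_INVALID; return f; }
        f.kind = BODY_CONTENT_LENGTH;
        return f;
    }
    /* 5. Otherwise the body runs until the connection closes. */
    f.kind = BODY_UNTIL_CLOSE;
    return f;
}

int main(void)
{
    struct framing a = response_body_framing("CONNECT", 200, 0, "42");
    struct framing b = response_body_framing("GET", 200, 0, "42");
    struct framing c = response_body_framing("GET", 200, 1, "42");
    printf("200 to CONNECT with Content-Length: kind=%d (0 = no body)\n", a.kind);
    printf("200 to GET with Content-Length:     kind=%d length=%llu\n", b.kind, b.length);
    printf("200 to GET chunked + Content-Length: kind=%d (chunked wins)\n", c.kind);
    return 0;
}
```

A non-2xx response to CONNECT (for example 407) is an ordinary response and keeps its body framing, which is why the check is scoped to 2xx rather than to the CONNECT method alone. A stricter implementation would treat the combination of Transfer-Encoding and Content-Length in rule 3 as an error, since RFC 7230 flags it as a likely request smuggling attempt.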


nghttp2 v1.38.0	Apr 18th, 2019 3:13 pm

Lib
This release fixes the bug that the on_header callback was still called
after the stream was closed.

Third-party
http-parser is upgraded to v2.9.1.

nghttpx
This release fixes the bug that authority and path altered by a
per-pattern mruby script could affect backend selection on retry.
It also fixes the bug that HTTP/1.1 chunked requests stall.
nghttpx no longer logs the Authorization request header field value
with -LINFO.
Now nghttpx can be built with modern LibreSSL.


