Revisions of nghttp2
Dominique Leuenberger (dimstar_suse)
accepted
request 1159004
from
Martin Pluskal (pluskalm)
(revision 80)
- Update keyring with current key
- version update to 1.60.0
  * makerelease.sh: Speed up git submodule
  * Speed up git clone
  * build(deps): bump actions/cache from 3 to 4
  * Fixing the build and install trees
  * build(deps): bump microsoft/setup-msbuild from 1 to 2
  * nghttpx: Set ocsp response to SSL in case of boringssl
  * Run with python3
  * src: Certificate Compression with boringssl
  * Fix missing newline
  * Switch to aws lc
  * Libbrotli fixup
  * Deprecate RFC 7540 priorities (aka stream dependencies)
  * Let dependabot manage go modules
  * build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
  * integration-tests: Omit unused parameters
  * Munit
  * Introduce nghttp2_ssize API
  * Move deprecated warning upfront
  * Describe RFC 7540 priorities deprecation plan
  * Apps migrate nghttp2 ssize
  * src: Remove unused functions
  * Reconsider ssize t usage in src
  * Use GitHub private vulnerability reporting
  * Move security policy to GitHub standard location
  * Bump mruby to 3.3.0
  * Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663
  * h2load: Add --sni option
Ana Guerrero (anag+factory)
accepted
request 1127896
from
Dirk Mueller (dirkmueller)
(revision 77)
- fix unversioned provides to be in sync with nghttp3
Ana Guerrero (anag+factory)
accepted
request 1123980
from
Dirk Mueller (dirkmueller)
(revision 76)
- add keyring for gpg validation
- spec file cleanups For example, if GOAWAY frame has been received, a
  * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/ checking leading and trailing white spaces against HTTP field value.
  * https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
  * third-party: Bump neverbleed based on the latest head (GH-1708)
  * see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
  * see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/
  * nghttpx: Fix logging integer
- Conditionally remove dependency on jemalloc for SLE-12 if table size is changed from default
  * Add nghttp2_option_set_max_send_header_block_length API
  * Fix warning: declaration of 'free' shadows a global declaration
  * nghttpx: Add healthmon parameter to -f option to enable health
  * nghttpx: Add --api-max-request-body option to set maximum API
  * nghttpx: Add api parameter to --frontend option to mark API
  * h2load: Add content-length header field for HTTP/2 and SPDY as
  * Run error callback when peer does not send initial SETTINGS
  * nghttpx: Fix bug that server push from mruby script did not
  * nghttpx: Try next HTTP/1 backend address when connection
  * nghttpx: Retry next HTTP/2 backend address when connection
  * nghttpx: Enable link header field based push for non-final
  * nghttpx: Fix bug that logger wrote string which was not
  * nghttpx: Fix bug that backend tls keyword did not work with -s
  * lib: Add nghttp2_error_callback to tell application human
  * lib: Add nghttp2_http2_strerror() to return HTTP/2 error code
  * integration: Disable tests that sometimes break randomly on
  * h2load: Fix bug that initial max concurrent streams was too
Ana Guerrero (anag+factory)
accepted
request 1099190
from
Martin Pluskal (pluskalm)
(revision 74)
- update to 1.55.1:
  * Fix memory leak

    This commit fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent.

    This issue has already been made public via CVE-2023-35945 by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository [2]. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.

    PoC described in [1] is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error.

    NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does something memory heavy processing.

  * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
Dominique Leuenberger (dimstar_suse)
accepted
request 1094238
from
Martin Pluskal (pluskalm)
(revision 73)
Dominique Leuenberger (dimstar_suse)
accepted
request 1087728
from
Martin Pluskal (pluskalm)
(revision 72)
Update to version 1.53.0: * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
Dominique Leuenberger (dimstar_suse)
accepted
request 1079718
from
Martin Pluskal (pluskalm)
(revision 71)
Dominique Leuenberger (dimstar_suse)
accepted
request 1037477
from
Martin Pluskal (pluskalm)
(revision 70)
Dominique Leuenberger (dimstar_suse)
accepted
request 998783
from
Martin Pluskal (pluskalm)
(revision 68)
Dominique Leuenberger (dimstar_suse)
accepted
request 988699
from
Martin Pluskal (pluskalm)
(revision 67)
Dominique Leuenberger (dimstar_suse)
accepted
request 963481
from
Martin Pluskal (pluskalm)
(revision 66)
Dominique Leuenberger (dimstar_suse)
accepted
request 941803
from
Martin Pluskal (pluskalm)
(revision 65)
Dominique Leuenberger (dimstar_suse)
accepted
request 869212
from
Martin Pluskal (pluskalm)
(revision 64)
Dominique Leuenberger (dimstar_suse)
accepted
request 860739
from
Martin Pluskal (pluskalm)
(revision 63)
Dominique Leuenberger (dimstar_suse)
accepted
request 811142
from
Tomáš Chvátal (scarabeus_iv)
(revision 62)
Displaying revisions 1 - 20 of 81