Revisions of nghttp2

Dominique Leuenberger (dimstar_suse) accepted request 1159004 from Martin Pluskal (pluskalm) (revision 80)
- Update keyring with current key

- version update to 1.60.0
  * makerelease.sh: Speed up git submodule
  * Speed up git clone
  * build(deps): bump actions/cache from 3 to 4
  * Fixing the build and install trees
  * build(deps): bump microsoft/setup-msbuild from 1 to 2
  * nghttpx: Set ocsp response to SSL in case of boringssl
  * Run with python3
  * src: Certificate Compression with boringssl
  * Fix missing newline
  * Switch to aws lc
  * Libbrotli fixup
  * Deprecate RFC 7540 priorities (aka stream dependencies)
  * Let dependabot manage go modules
  * build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
  * integration-tests: Omit unused parameters
  * Munit
  * Introduce nghttp2_ssize API
  * Move deprecated warning upfront
  * Describe RFC 7540 priorities deprecation plan
  * Apps migrate nghttp2 ssize
  * src: Remove unused functions
  * Reconsider ssize t usage in src
  * Use GitHub private vulnerability reporting
  * Move security policy to GitHub standard location
  * Bump mruby to 3.3.0
  * Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663
  * h2load: Add --sni option
Ana Guerrero (anag+factory) accepted request 1127896 from Dirk Mueller (dirkmueller) (revision 77)
- fix unversioned provides to be in sync with nghttp3
Ana Guerrero (anag+factory) accepted request 1123980 from Dirk Mueller (dirkmueller) (revision 76)
- add keyring for gpg validation
- spec file cleanups

    For example, if GOAWAY frame has been received, a
  * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
  checking leading and trailing white spaces against HTTP field value.
  * https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
  * third-party: Bump neverbleed based on the latest head (GH-1708)
  * see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
  * see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/
  * nghttpx: Fix logging integer
- Conditionally remove dependency on jemalloc for SLE-12
    if table size is changed from default
  * Add nghttp2_option_set_max_send_header_block_length API
  * Fix warning: declaration of 'free' shadows a global declaration
  * nghttpx: Add healthmon parameter to -f option to enable health
  * nghttpx: Add --api-max-request-body option to set maximum API
  * nghttpx: Add api parameter to --frontend option to mark API
  * h2load: Add content-length header field for HTTP/2 and SPDY as
  * Run error callback when peer does not send initial SETTINGS
  * nghttpx: Fix bug that server push from mruby script did not
  * nghttpx: Try next HTTP/1 backend address when connection
  * nghttpx: Retry next HTTP/2 backend address when connection
  * nghttpx: Enable link header field based push for non-final
  * nghttpx: Fix bug that logger wrote string which was not
  * nghttpx: Fix bug that backend tls keyword did not work with -s
  * lib: Add nghttp2_error_callback to tell application human
  * lib: Add nghttp2_http2_strerror() to return HTTP/2 error code
  * integration: Disable tests that sometimes break randomly on
  * h2load: Fix bug that initial max concurrent streams was too
Ana Guerrero (anag+factory) accepted request 1099190 from Martin Pluskal (pluskalm) (revision 74)
- update to 1.55.1:
  * Fix memory leak
    This commit fixes memory leak that happens when
    PUSH_PROMISE or HEADERS frame cannot be sent, and
    nghttp2_on_stream_close_callback fails with a fatal error.
    For example, if GOAWAY frame has been received, a 
    HEADERS frame that opens new stream cannot be sent.
    This issue has already been made public via CVE-2023-35945
    by envoyproxy/envoy project.  During embargo period, the
    patch to fix this bug was accidentally submitted to
    nghttp2/nghttp2 repository [2]. And they decided to
    disclose CVE early.  I was notified just 1.5 hours
    before disclosure.  I had no time to respond.
    PoC described in [1] is quite simple, but I think it is
    not enough to trigger this bug.  While it is true that
    receiving GOAWAY prevents a client from opening new stream,
    and nghttp2 enters error handling branch, in order to cause
    the memory leak, nghttp2_session_close_stream function
    must return a fatal error.
    NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of
    memory.  It is unlikely that a process gets short of
    memory with this simple PoC scenario unless application
    does some memory-heavy processing.
  * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application
    defined callback function (nghttp2_on_stream_close_callback, in
    this case), which indicates something fatal happened inside a
    callback, and a connection must be closed immediately without
    any further action.  As nghttp2_on_stream_close_error_callback
    documentation says, any error code other than 0 or
    NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
Dominique Leuenberger (dimstar_suse) accepted request 1087728 from Martin Pluskal (pluskalm) (revision 72)
- Update to version 1.53.0:
  * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/