File _patchinfo of Package patchinfo.14349

<patchinfo incident="14349">
  <issue tracker="cve" id="2019-18802"/>
  <issue tracker="bnc" id="1166481">envoy-proxy and cilium-proxy (CaaSP) need nghttp2 1.40 for their CVE-2019-18802 fix</issue>
  <issue tracker="bnc" id="1159003">VUL-0: CVE-2019-18802: cilium-proxy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure</issue>
  <packager>mrostecki</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for nghttp2</summary>
  <description>This update for nghttp2 fixes the following issues:

nghttp2 was updated to version 1.40.0 (bsc#1166481)

- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal

</description>
</patchinfo>