File _patchinfo of Package patchinfo.14349
<patchinfo incident="14349">
<issue tracker="cve" id="2019-18802"/>
<issue tracker="bnc" id="1166481">envoy-proxy and cilium-proxy (CaaSP) need nghttp2 1.40 for their CVE-2019-18802 fix</issue>
<issue tracker="bnc" id="1159003">VUL-0: CVE-2019-18802: cilium-proxy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure</issue>
<packager>mrostecki</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for nghttp2</summary>
<description>This update for nghttp2 fixes the following issues:
nghttp2 was updated to version 1.40.0 (bsc#1166481)
- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster Huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal
</description>
</patchinfo>