Sync from SUSE:SLFO:Main nghttp2 revision d521df2e29062fab3a277490a9d80d86

2024-12-13 10:44:16 +01:00 · 2024-12-13 10:44:16 +01:00 · 188bf2eb44
commit 188bf2eb44
parent 05bc9efd8d
10 changed files with 617 additions and 593 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,2 +1 @@
 libnghttp2-14
 libnghttp2_asio1
--- a/nghttp2-1.52.0.tar.xz
+++ b/nghttp2-1.52.0.tar.xz
--- a/nghttp2-1.64.0.tar.xz
+++ b/nghttp2-1.64.0.tar.xz
--- a/nghttp2-1.64.0.tar.xz.asc
+++ b/nghttp2-1.64.0.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEUWtiKRjRXEeKseo6UzmivoLgfewFAmcWQzsACgkQUzmivoLg
 fexT6w/9Eo6PuvGWcYn0e8CbTHDi+BhyCs3AQHPKmuJi19yIeknZd7qcQE1xYryJ
 Xef5W1q5+p06kDgFH56Y7wORwCWmtzx5gZLVYNY7qNCCJ0CsMLI2/ypf2L06MLWe
 c8dS8DFsvqrSTe3QzPHCP+T7FDp7bfH7gKLoEobhU9v299MseLMUdw06fBTLGqKs
 KWhuQ0gD2r1zJfGdX+O5zf97pLYtR/Ch+YGHqcNYCmiIguKpZX+Vg3pHr1vJhqnT
 P6LiFVeokI6zeW1YWB0DQNBrGXEx3AZWzR9d9IlA2ijobtItc/lTTUn0zpmqNFiv
 E95D29wEQ2MtbCJd/nolIz0YiDn0JpwHBBfkWRNLj7+LqBlebyVwig8nMO453sE9
 vxklm7yONLJDDiU3o8lmUf8IVTX+FpZ3nbbeQkDwTPKU7hvcTojasPMegS4Laiok
 sfKIKaMTeYokSD4M++ikyb8c2+Vt4genVIyeUAohlSUhUr4I8E/O36JvfPaA4nTe
 S2oNl5iv/0pPQpuXTMcf/MGR3b8HmN0bH4tkowV3sRWLNHeBn6hnlY1sq1ZcegMs
 vAqum1CyReyhLfThvXAV7ImjsplNVmshQK4IaXNDYYJyr/wNAgnw41RiO01W+NgX
 KbPvx4H1actquW04yYCAAvDcBHfERM71Ye17oTFjoOEeDoQsMJg=
 =aykV
 -----END PGP SIGNATURE-----
--- a/nghttp2-CVE-2023-35945.patch
+++ b/nghttp2-CVE-2023-35945.patch
@ -1,143 +0,0 @@
 From ce385d3f55a4b76da976b3bdf71fe2deddf315ba Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Fri, 14 Jul 2023 20:52:03 +0900
 Subject: [PATCH] Fix memory leak
 This commit fixes memory leak that happens when PUSH_PROMISE or
 HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback
 fails with a fatal error.  For example, if GOAWAY frame has been
 received, a HEADERS frame that opens new stream cannot be sent.
 This issue has already been made public via CVE-2023-35945 [1] issued
 by envoyproxy/envoy project.  During embargo period, the patch to fix
 this bug was accidentally submitted to nghttp2/nghttp2 repository [2].
 And they decided to disclose CVE early.  I was notified just 1.5 hours
 before disclosure.  I had no time to respond.
 PoC described in [1] is quite simple, but I think it is not enough to
 trigger this bug.  While it is true that receiving GOAWAY prevents a
 client from opening new stream, and nghttp2 enters error handling
 branch, in order to cause the memory leak,
 nghttp2_session_close_stream function must return a fatal error.
 nghttp2 defines 2 fatal error codes:
 - NGHTTP2_ERR_NOMEM
 - NGHTTP2_ERR_CALLBACK_FAILURE
 NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory.  It
 is unlikely that a process gets short of memory with this simple PoC
 scenario unless application does something memory heavy processing.
 NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined
 callback function (nghttp2_on_stream_close_callback, in this case),
 which indicates something fatal happened inside a callback, and a
 connection must be closed immediately without any further action.  As
 nghttp2_on_stream_close_error_callback documentation says, any error
 code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
 error code.  More specifically, it is treated as if
 NGHTTP2_ERR_CALLBACK_FAILURE is returned.  I guess that envoy returns
 NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated
 into NGHTTP2_ERR_CALLBACK_FAILURE.
 [1] https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
 [2] https://github.com/nghttp2/nghttp2/pull/1929
 ---
 lib/nghttp2_session.c        | 10 +++++-----
 tests/nghttp2_session_test.c | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 5 deletions(-)
 Index: nghttp2-1.52.0/lib/nghttp2_session.c
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/nghttp2_session.c
 +++ nghttp2-1.52.0/lib/nghttp2_session.c
@@ -3300,6 +3300,7 @@ static ssize_t nghttp2_session_mem_send_
       if (rv < 0) {
         int32_t opened_stream_id = 0;
         uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
 +        int rv2 = 0;
         DEBUGF("send: frame preparation failed with %s\n",
                nghttp2_strerror(rv));
@@ -3342,19 +3343,18 @@ static ssize_t nghttp2_session_mem_send_
         }
         if (opened_stream_id) {
           /* careful not to override rv */
 -          int rv2;
           rv2 = nghttp2_session_close_stream(session, opened_stream_id,
                                              error_code);
 -
 -          if (nghttp2_is_fatal(rv2)) {
 -            return rv2;
 -          }
         }
         nghttp2_outbound_item_free(item, mem);
         nghttp2_mem_free(mem, item);
         active_outbound_item_reset(aob, mem);
 +        if (nghttp2_is_fatal(rv2)) {
 +          return rv2;
 +        }
 +
         if (rv == NGHTTP2_ERR_HEADER_COMP) {
           /* If header compression error occurred, should terminiate
              connection. */
 Index: nghttp2-1.52.0/tests/nghttp2_session_test.c
 ===================================================================
 --- nghttp2-1.52.0.orig/tests/nghttp2_session_test.c
 +++ nghttp2-1.52.0/tests/nghttp2_session_test.c
@@ -585,6 +585,15 @@ static int on_stream_close_callback(nght
   return 0;
 }
 +static int fatal_error_on_stream_close_callback(nghttp2_session *session,
 +                                                int32_t stream_id,
 +                                                uint32_t error_code,
 +                                                void *user_data) {
 +  on_stream_close_callback(session, stream_id, error_code, user_data);
 +
 +  return NGHTTP2_ERR_CALLBACK_FAILURE;
 +}
 +
 static ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf,
                                        size_t len, const nghttp2_frame *frame,
                                        void *user_data) {
@@ -4297,6 +4306,8 @@ void test_nghttp2_session_on_goaway_rece
   nghttp2_frame frame;
   int i;
   nghttp2_mem *mem;
 +  const uint8_t *data;
 +  ssize_t datalen;
   mem = nghttp2_mem_default();
   user_data.frame_recv_cb_called = 0;
@@ -4338,6 +4349,29 @@ void test_nghttp2_session_on_goaway_rece
   nghttp2_frame_goaway_free(&frame.goaway, mem);
   nghttp2_session_del(session);
 +
 +  /* Make sure that no memory leak when stream_close callback fails
 +     with a fatal error */
 +  memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
 +  callbacks.on_stream_close_callback = fatal_error_on_stream_close_callback;
 +
 +  memset(&user_data, 0, sizeof(user_data));
 +
 +  nghttp2_session_client_new(&session, &callbacks, &user_data);
 +
 +  nghttp2_frame_goaway_init(&frame.goaway, 0, NGHTTP2_NO_ERROR, NULL, 0);
 +
 +  CU_ASSERT(0 == nghttp2_session_on_goaway_received(session, &frame));
 +
 +  nghttp2_submit_request(session, NULL, reqnv, ARRLEN(reqnv), NULL, NULL);
 +
 +  datalen = nghttp2_session_mem_send(session, &data);
 +
 +  CU_ASSERT(NGHTTP2_ERR_CALLBACK_FAILURE == datalen);
 +  CU_ASSERT(1 == user_data.stream_close_cb_called);
 +
 +  nghttp2_frame_goaway_free(&frame.goaway, mem);
 +  nghttp2_session_del(session);
 }
 void test_nghttp2_session_on_window_update_received(void) {
--- a/nghttp2-CVE-2024-28182-1.patch
+++ b/nghttp2-CVE-2024-28182-1.patch
@ -1,103 +0,0 @@
 From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Sat, 9 Mar 2024 16:26:42 +0900
 Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
 ---
 lib/includes/nghttp2/nghttp2.h |  7 ++++++-
 lib/nghttp2_helper.c           |  2 ++
 lib/nghttp2_session.c          |  7 +++++++
 lib/nghttp2_session.h          | 10 ++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)
 Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h
 +++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
    * exhaustion on server side to send these frames forever and does
    * not read network.
    */
 -  NGHTTP2_ERR_FLOODED = -904
 +  NGHTTP2_ERR_FLOODED = -904,
 +  /**
 +   * When a local endpoint receives too many CONTINUATION frames
 +   * following a HEADER frame.
 +   */
 +  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
 } nghttp2_error;
 /**
 Index: nghttp2-1.52.0/lib/nghttp2_helper.c
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/nghttp2_helper.c
 +++ nghttp2-1.52.0/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_c
            "closed";
   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
     return "SETTINGS frame contained more than the maximum allowed entries";
 +  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
 +    return "Too many CONTINUATION frames following a HEADER frame";
   default:
     return "Unknown error code";
   }
 Index: nghttp2-1.52.0/lib/nghttp2_session.c
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/nghttp2_session.c
 +++ nghttp2-1.52.0/lib/nghttp2_session.c
@@ -491,6 +491,7 @@ static int session_new(nghttp2_session *
   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
 +  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
   if (option) {
     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6838,6 +6839,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2
           }
         }
         session_inbound_frame_reset(session);
 +
 +        session->num_continuations = 0;
       }
       break;
     }
@@ -6959,6 +6962,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
       }
 #endif /* DEBUGBUILD */
 +      if (++session->num_continuations > session->max_continuations) {
 +        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
 +      }
 +
       readlen = inbound_frame_buf_read(iframe, in, last);
       in += readlen;
 Index: nghttp2-1.52.0/lib/nghttp2_session.h
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/nghttp2_session.h
 +++ nghttp2-1.52.0/lib/nghttp2_session.h
@@ -105,6 +105,10 @@ typedef struct {
 /* The default value of maximum number of concurrent streams. */
 #define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
 +/* The default max number of CONTINUATION frames following an incoming
 +   HEADER frame. */
 +#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
 +
 /* Internal state when receiving incoming frame */
 typedef enum {
   /* Receiving frame header */
@@ -280,6 +284,12 @@ struct nghttp2_session {
   size_t max_send_header_block_length;
   /* The maximum number of settings accepted per SETTINGS frame. */
   size_t max_settings;
 +  /* The maximum number of CONTINUATION frames following an incoming
 +     HEADER frame. */
 +  size_t max_continuations;
 +  /* The number of CONTINUATION frames following an incoming HEADER
 +     frame.  This variable is reset when END_HEADERS flag is seen. */
 +  size_t num_continuations;
   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
   uint32_t next_stream_id;
   /* The last stream ID this session initiated.  For client session,
--- a/nghttp2-CVE-2024-28182-2.patch
+++ b/nghttp2-CVE-2024-28182-2.patch
@ -1,86 +0,0 @@
 From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Sat, 9 Mar 2024 16:48:10 +0900
 Subject: [PATCH] Add nghttp2_option_set_max_continuations
 ---
 doc/Makefile.am                |  1 +
 lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
 lib/nghttp2_option.c           |  5 +++++
 lib/nghttp2_option.h           |  5 +++++
 lib/nghttp2_session.c          |  4 ++++
 5 files changed, 26 insertions(+)
 Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h
 +++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
@@ -3215,6 +3215,17 @@ nghttp2_session_set_stream_user_data(ngh
 /**
  * @function
  *
 + * This function sets the maximum number of CONTINUATION frames
 + * following an incoming HEADER frame.  If more than those frames are
 + * received, the remote endpoint is considered to be misbehaving and
 + * session will be closed.  The default value is 8.
 + */
 +NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
 +                                                         size_t val);
 +
 +/**
 + * @function
 + *
  * Sets |user_data| to |session|, overwriting the existing user data
  * specified in `nghttp2_session_client_new()`, or
  * `nghttp2_session_server_new()`.
 Index: nghttp2-1.52.0/lib/nghttp2_option.c
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/nghttp2_option.c
 +++ nghttp2-1.52.0/lib/nghttp2_option.c
@@ -143,3 +143,8 @@ void nghttp2_option_set_no_rfc9113_leadi
       NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION;
   option->no_rfc9113_leading_and_trailing_ws_validation = val;
 }
 +
 +void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
 +  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
 +  option->max_continuations = val;
 +}
 Index: nghttp2-1.52.0/lib/nghttp2_option.h
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/nghttp2_option.h
 +++ nghttp2-1.52.0/lib/nghttp2_option.h
@@ -70,6 +70,7 @@ typedef enum {
   NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
 +  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
 } nghttp2_option_flag;
 /**
@@ -93,6 +94,10 @@ struct nghttp2_option {
    */
   size_t max_settings;
   /**
 +   * NGHTTP2_OPT_MAX_CONTINUATIONS
 +   */
 +  size_t max_continuations;
 +  /**
    * Bitwise OR of nghttp2_option_flag to determine that which fields
    * are specified.
    */
 Index: nghttp2-1.52.0/lib/nghttp2_session.c
 ===================================================================
 --- nghttp2-1.52.0.orig/lib/nghttp2_session.c
 +++ nghttp2-1.52.0/lib/nghttp2_session.c
@@ -574,6 +574,10 @@ static int session_new(nghttp2_session *
       (*session_ptr)->opt_flags |=
           NGHTTP2_OPTMASK_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION;
     }
 +
 +    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
 +      (*session_ptr)->max_continuations = option->max_continuations;
 +    }
   }
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
--- a/nghttp2.changes
+++ b/nghttp2.changes
@ -1,20 +1,339 @@
 -------------------------------------------------------------------
-Thu Apr  4 12:25:30 UTC 2024 - pgajdos@suse.com
+Tue Nov 12 10:57:02 UTC 2024 - pgajdos@suse.com
- security update
+- version update to 1.64.0
- added patches
+  1.64.0
-  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+  * Change clang-format options by @tatsuhiro-t in #2240
-  + nghttp2-CVE-2024-28182-1.patch
+  * build(deps): bump github.com/quic-go/quic-go from 0.46.0 to 0.47.0 by @dependabot in #2243
-  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+  * build(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #2244
-  + nghttp2-CVE-2024-28182-2.patch
+  * nghttp2_map: Port ngtcp2 changes by @tatsuhiro-t in #2245
  * h2load: Fix UDP datagram send/recv metric by @tatsuhiro-t in #2248
  * build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #2252
  * fix race condition on h1 connection close by @TuxInvader in #2249
  * Gha ubuntu 24.04 by @tatsuhiro-t in #2254
  * GHA: Run tests for i686-w64-mingw32 host by @tatsuhiro-t in #2255
  * cmake: Fix c-ares v1.34.0 version detection failure by @tatsuhiro-t in #2256
  * fix: -Wextra-semi errors in nghttp2_helper.h by @codebytere in #2258
  * clang-format macros that do not need semicolon at the end by @tatsuhiro-t in #2259
  * Remove extra semicolons by @tatsuhiro-t in #2260
  * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2261
  * Do not allow '@' in :authority or host field values by @tatsuhiro-t in #2262
  * h2load: GRO buffer size should be 64KiB by @tatsuhiro-t in #2263
  * Bump libbpf to v1.4.6 by @tatsuhiro-t in #2264
  * Update nghttp2_check_authority doc by @tatsuhiro-t in #2265
  1.63.0
  * Bump libbpf to v1.4.2 by @tatsuhiro-t in #2191
  * build(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in #2193
  * nghttpx: Fix batch UDP QUIC packet dropped on GRO read by @tatsuhiro-t in #2196
  * CMakeLists.txt: allow to compile the C only lib without CXX compiler by @ThomasDevoogdt in #2200
  * build(deps): bump github.com/quic-go/quic-go from 0.43.1 to 0.44.0 by @dependabot in #2197
  * Fix compiler versions in readme by @ryandesign in #2203
  * build(deps): bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in #2205
  * build(deps): bump github.com/quic-go/quic-go from 0.44.0 to 0.45.0 by @dependabot in #2206
  * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2207
  * build(deps): bump docker/build-push-action from 5 to 6 by @dependabot in #2208
  * Add wolfSSL support by @tatsuhiro-t in #2209
  * Append --shallow-submodules to git clone --recursive by @tatsuhiro-t in #2210
  * Always append options to extra options by @tatsuhiro-t in #2211
  * build(deps): bump github.com/quic-go/quic-go from 0.45.0 to 0.45.1 by @dependabot in #2213
  * Disable dependency tracking by @tatsuhiro-t in #2214
  * Fix Dockerfile.android build failure by @tatsuhiro-t in #2215
  * Fix UDP_GRO struct cmsghdr data type by @tatsuhiro-t in #2216
  * GHA: Suppress warnings by @tatsuhiro-t in #2217
  * Fix levenshtein initialization by @tatsuhiro-t in #2218
  * build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #2220
  * Undefine NGHTTP2_NO_SSIZE_T if BUILDING_NGHTTP2 is defined by @tatsuhiro-t in #2224
  * Bump clang format by @tatsuhiro-t in #2226
  * Suppress old compiler error by @tatsuhiro-t in #2228
  * build(deps): bump github.com/quic-go/quic-go from 0.45.1 to 0.45.2 by @dependabot in #2229
  * build(deps): bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in #2231
  * build(deps): bump github.com/quic-go/quic-go from 0.45.2 to 0.46.0 by @dependabot in #2232
  * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2236
  * Bump libbpf to v1.4.5 by @tatsuhiro-t in #2237
  * Update go by @tatsuhiro-t in #2238
  * levenshtein: Use size_t by @tatsuhiro-t in #2239
 -------------------------------------------------------------------
-Tue Sep 26 13:58:42 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>
+Mon Jun 17 18:02:25 UTC 2024 - Dirk Müller <dmueller@suse.com>
- Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be
+- update to 1.62.1:
-  sent, and nghttp2_on_stream_close_callback fails with a fatal error.
+  * nghttpx: Fix batch UDP QUIC packet dropped on GRO read
-  [CVE-2023-35945 bsc#1215713]
+- update to 1.62.0:
-  + nghttp2-CVE-2023-35945.patch
+  * nghttpx: Fix QUIC stateless reset stack buffer overflow
  * Require c-ares >= 1.16.0 for ares_getaddrinfo
  * Require C++20 compiler
  * Adopt std::to_array and remove make_array
  * nghttpx: Define APIEndpoints separately
  * nghttpx: Do not send error/status body when method is HEAD
  * nghttpx: Fix alignment issues in BlockAllocator
  * nghttpx: Simplify parameter declaration for ipc_fd functions
  * nghttpx: Add extent to ipc_fd explicitly
  * Make make_byte_ref return std::span
  * Make util::decode_hex return std::span
  * Rewrite util::parse_uint
  * Let base64::decode return std::span
  * Refactor StringRef
  * Stringref refactor c str and str
  * Add StringRef literal operator and remove StringRef::from_lit
  * Make StringRef(const std::string&) implicit
  * Add http2::make_field family functions
  * Remove std::string conversion operator from StringRef
  * Optimize StringRef comparisons against c-string
  * Pack more quic pkt
  * nghttpx: Dynamic GSO failover
  * Refactor ImmutableString
  * nghttpx: Refactor QUIC data path
  * nghttpx: Fix inherited TCP port comparison
  * make_websocket_accept_token: Lesser conversions
  * Add http3::make_field family functions
  * Remove unnecessary namespace qualifications
  * Refactor http utils
  * Refactor streq
  * Remove util::streq and let StringRef operator== deal with it
  * Update the link for the Prefix.pdf document. fix #2178
  * Introduce typed nghttp2_min and nghttp2_max
 - drop gcc7.patch (obsolete, we require C++20 now)
 -------------------------------------------------------------------
 Thu Apr  4 09:47:27 UTC 2024 - pgajdos@suse.com
 - version update to 1.61.0
  * Fixes CVE-2024-28182 [bsc#1221399]
  * nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087
  * Checkout with submodules by @jonaski in #2093
  * Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092
  * build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097
  * Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098
  * docker: Use copy --link by @tatsuhiro-t in #2099
  * Nghttpx header idle timeout by @tatsuhiro-t in #2100
  * nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101
  * Rewrite hexdump by @tatsuhiro-t in #2102
  * Switch to distroless/base-nossl by @tatsuhiro-t in #2103
  * Bump ngtcp2 by @tatsuhiro-t in #2105
  * nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106
  * build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107
  * autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108
  * Automate release process by @tatsuhiro-t in #2109
  * autotools: Switch to tar-pax by @tatsuhiro-t in #2110
  * nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111
  * nghttpx: Fix port byte order by @tatsuhiro-t in #2112
  * h2load: Allow host header to be overridden by @tatsuhiro-t in #2113
  * nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114
  * nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115
  * Add actions/stale by @tatsuhiro-t in #2116
  * nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117
  * nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119
  * No rfc7540 priority fix by @tatsuhiro-t in #2120
  * Further reduce Stateless reset emission by @tatsuhiro-t in #2122
  * nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124
  * Nghttpx faster worker lookup by @tatsuhiro-t in #2125
  * nghttpx: Split thread into worker_process and thread by @tatsuhiro-t in #2126
  * bpf: Drop bad QUIC packet by @tatsuhiro-t in #2127
  * cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON by @jimmy-park in #2128
  * nghttpx: Allocate 3 bits for QUIC configuration in Connection ID by @tatsuhiro-t in #2129
  * nghttpx: Migrate to ares_getaddrinfo by @tatsuhiro-t in #2132
  * Bump munit by @tatsuhiro-t in #2131
  * nghttpx: Fix error message by @tatsuhiro-t in #2133
  * nghttpd: Fix read stall by @tatsuhiro-t in #2134
 -------------------------------------------------------------------
 Wed Apr  3 10:31:13 UTC 2024 - Adam Majer <adam.majer@suse.de>
 - gcc7.patch: Fix compilation for SLE-15 (jsc#PED-8206)
 -------------------------------------------------------------------
 Mon Mar 18 12:59:00 UTC 2024 - Martin Pluskal <mpluskal@suse.com>
 - Update keyring with current key
 -------------------------------------------------------------------
 Mon Mar 18 08:35:17 UTC 2024 - pgajdos@suse.com
 - version update to 1.60.0
  * makerelease.sh: Speed up git submodule
  * Speed up git clone
  * build(deps): bump actions/cache from 3 to 4
  * Fixing the build and install trees
  * build(deps): bump microsoft/setup-msbuild from 1 to 2
  * nghttpx: Set ocsp response to SSL in case of boringssl
  * Run with python3
  * src: Certificate Compression with boringssl
  * Fix missing newline
  * Switch to aws lc
  * Libbrotli fixup
  * Deprecate RFC 7540 priorities (aka stream dependencies)
  * Let dependabot manage go modules
  * build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
  * integration-tests: Omit unused parameters
  * Munit
  * Introduce nghttp2_ssize API
  * Move deprecated warning upfront
  * Describe RFC 7540 priorities deprecation plan
  * Apps migrate nghttp2 ssize
  * src: Remove unused functions
  * Reconsider ssize t usage in src
  * Use GitHub private vulnerability reporting
  * Move security policy to GitHub standard location
  * Bump mruby to 3.3.0
  * Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663
  * h2load: Add --sni option
  * Bump ngtcp2 dependencies
  * mruby: Adopt deprecation of mrbc_ prefix
  * neverbleed: Define _GNU_SOURCE for pthread_setaffinity_np
  * bpf: Pre-expand aes key
  * mruby: Exclude mrdb gem which causes nghttpx to crash
  * nghttpx: Reuse EVP_CIPHER_CTX for QUIC connection ID encryption
  * Run apt-get update before install
  * src: Deal with the case that send_quantum < max_udp_payload_size
  * nghttpx: Remove SHRPX_QUIC_MAX_UDP_PAYLOAD_SIZE
  * Fix build when AI_NUMERICSERV is undefined
 - remove dependency on /usr/bin/python3 using
  %python3_fix_shebang_path macro, [bsc#1212476]
 -------------------------------------------------------------------
 Sun Jan 28 17:01:52 UTC 2024 - Dirk Müller <dmueller@suse.com>
 - update to 1.59.0:
  * Update bash_completion
  * h2load: Fix bug that ttfb is not recorded if h3 stream
    has no data
  * h2load: Consider all h2 HEADERS when counting bytes and
    recording ttfb
  * h2load: Ignore 1xx status code
  * nghttpd: Free SSL_CTX on exit
  * nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data
  * nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data
  * cmake: Require OpenSSL >= 1.1.1
  * Add nghttp2_select_alpn and deprecate
    nghttp2_select_next_protocol
  * nghttpx: Add --alpn-list and deprecate --npn-list
  * h2load: Add --alpn-list and deprecate --npn-list
  * Remove NPN
  * src: Support building with aws-lc
  * Avoid detecting OpenSSL 3.2 as quictls
  * Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0
  * h2load: Fix IPv6 address in :authority
  * h2load: Fix IPv6 address in :authority
  * nghttpx: Propagate stream priority from backend to
    frontend
  * nghttpx: Propagate stream priority from backend to
    frontend
  * Merge pull request #1991 from nghttp2/get-and-parse-
    extpri
  * Add API to get and parse RFC 9218 priority
  * nghttpx: Prefer __FILE_NAME__ if defined
 -------------------------------------------------------------------
 Sat Nov 25 22:23:00 UTC 2023 - Dirk Müller <dmueller@suse.com>
 - update to 1.58.0:
  * Update manual pages
  * Bump neverbleed
  * Bump ngtcp2
  * Prefer clock_gettime if __CYGWIN__ defined
  * Do not require strict c++ mode
  * nghttpx: Stricter transfer-encoding checks
  * Refactor character comparison
  * Integration servertester h3
  * integration: Enable http3 test with cmake
 -------------------------------------------------------------------
 Tue Nov 21 11:53:04 UTC 2023 - Dirk Müller <dmueller@suse.com>
 - fix unversioned provides to be in sync with nghttp3
 -------------------------------------------------------------------
 Tue Nov  7 12:54:09 UTC 2023 - Dirk Müller <dmueller@suse.com>
 - add keyring for gpg validation
 - spec file cleanups
 -------------------------------------------------------------------
 Mon Oct 16 10:24:50 UTC 2023 - pgajdos@suse.com
 - version update to 1.57.0 [bsc#1216174]
  1.57.0
  * Fixes CVE-2023-44487 (bsc#1216123)
  * Bump ngtcp2 by @tatsuhiro-t in #1944
  * Add dependabot to update actions by @tatsuhiro-t in #1946
  * Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950
  * Bump actions/setup-go from 3 to 4 by @dependabot in #1948
  * Bump actions/checkout from 3 to 4 by @dependabot in #1949
  * Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947
  * docker: Bump base image to debian 12 by @tatsuhiro-t in #1951
  * nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953
  * Bump quictls by @tatsuhiro-t in #1945
  * Apps fix by @tatsuhiro-t in #1957
  * nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958
  * Fix clang-format by @tatsuhiro-t in #1959
  * Rework session management by @tatsuhiro-t in #1961
  1.56.0
  * doc: Bump boringssl by @tatsuhiro-t in #1928
  * Fix memory leak by @tatsuhiro-t in #1930
  * Return void by @tatsuhiro-t in #1931
  * nghttpx: Rework sending and receiving ECN bits by @tatsuhiro-t in #1934
  * CMSG_DATA does not necessarily return an aligned pointer by @tatsuhiro-t in #1935
  * Bump quictls by @tatsuhiro-t in #1937
  * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #1939
  * nghttpx: Simplify std::unique_ptr get and release by @tatsuhiro-t in #1940
  * Bump llhttp to 926c982942eb53a13f01c1e9e6b19bd3b196e7dd by @tatsuhiro-t in #1941
  * Bump libbpf to v1.2.2 by @tatsuhiro-t in #1942
  * Update Dockerfile by @tatsuhiro-t in #1943
 -------------------------------------------------------------------
 Sat Jul 15 15:11:52 UTC 2023 - Dirk Müller <dmueller@suse.com>
 - update to 1.55.1:
  * Fix memory leak (bsc#1215713)
    This commit fixes memory leak that happens when
    PUSH_PROMISE or HEADERS frame cannot be sent, and
    nghttp2_on_stream_close_callback fails with a fatal error.
    For example, if GOAWAY frame has been received, a
    HEADERS frame that opens new stream cannot be sent.
    This issue has already been made public via CVE-2023-35945
    by envoyproxy/envoy project.  During embargo period, the
    patch to fix this bug was accidentally submitted to
    nghttp2/nghttp2 repository [2]. And they decided to
    disclose CVE early.  I was notified just 1.5 hours
    before disclosure.  I had no time to respond.
    PoC described in [1] is quite simple, but I think it is
    not enough to trigger this bug.  While it is true that
    receiving GOAWAY prevents a client from opening new stream,
    and nghttp2 enters error handling branch, in order to cause
    the memory leak, nghttp2_session_close_stream function
    must return a fatal error.
    NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of
    memory.  It is unlikely that a process gets short of
    memory with this simple PoC scenario unless application
    does something memory heavy processing.
  * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application
    defined callback function (nghttp2_on_stream_close_callback, in
    this case), which indicates something fatal happened inside a
    callback, and a connection must be closed immediately without
    any further action.  As nghttp2_on_stream_close_error_callback
    documentation says, any error code other than 0 or
    NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
    error code.  More specifically, it is treated as if
    NGHTTP2_ERR_CALLBACK_FAILURE is returned.  I guess that
    envoy returns
    NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is
    translated into NGHTTP2_ERR_CALLBACK_FAILURE.
    https://github.com/envoyproxy/envoy/security/advisories/GHSA-
    jfxv-29pc-x22r
 -------------------------------------------------------------------
 Tue Jun 20 20:48:11 UTC 2023 - Dirk Müller <dmueller@suse.com>
 - update to 1.54.0:
  * nghttpx: Consistent error handling and use of high-level API
  * h2load: Fix http3 upload stall
  * h2load: Use std::chrono::steady_clock for quic timestamp
 -------------------------------------------------------------------
 Thu May 18 04:53:42 UTC 2023 - Martin Pluskal <mpluskal@suse.com>
 - Update to version 1.53.0:
  * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
 -------------------------------------------------------------------
 Tue Mar 14 09:33:48 UTC 2023 - Dirk Müller <dmueller@suse.com>
@ -141,7 +460,7 @@ Wed Jan  6 12:22:21 UTC 2021 - Dirk Müller <dmueller@suse.com>
 Wed Jun  3 11:45:25 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
 - Update to 1.41.0
-  * Fix CVE-2020-11080
+  * Fix CVE-2020-11080 (bsc#1181358)
  * lib: Implement max settings option (Patch from James M Snell)
  * lib: Earlier check for settings flood (Patch from James M Snell)
  * lib: Fix receiving stream data stall (GH-1444)
@ -155,7 +474,8 @@ Wed Jun  3 11:45:25 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
 -------------------------------------------------------------------
 Tue Jan 14 18:01:52 UTC 2020 - Michał Rostecki <mrostecki@opensuse.org>
- Update to version 1.40.0
+- Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
  cilium-proxy (bsc#1166481)
  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
--- a/nghttp2.keyring
+++ b/nghttp2.keyring
@ -0,0 +1,64 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQGiBEmgJCARBACDsyRcJt0cPqS5I3nooSD4ETmsqXSGoA1QP0NcD3mMDIxfwOk3
 ZgaLAhQTpylqzYu4uQ5lDcvkpZtN8cA+R+9Bxq1VcY5Jra4t93Eyxd/14oufgg8w
 GLZ8q2otuUliL+RWPEuuBLNJFrdHeLfITBX88ZyHz8tu0kpWBBVBLb5yYwCg3OmH
 L59aPl0TIoKGIL/xYs80ixcD/3PA9z6SbChDHRKA647Smrw6QuQHl7Uubg6LYYxz
 FoxeN3F/grZHNJyUzlkdraIcWWYi1Dr0D28TnuQUbPoj7ju248iPRv2ZEr7OpV9j
 RksxJIBqzC698XwPuq2Jo8iBNgE2t25aY9UHXxehqg6zkyR1bdhFzDV1cEKGkU62
 TAnvA/9tB77GiQ9H02oybfqYrdxrWCou3kRa7owd/tBqRMkzH4Vt86VIXwVdsMn1
 sGeF4YGUqwY7GCT+jviFCdvGTRqeCJgaLJAYE8hSFIxpDTdUNxaPxwuOd3Jq5BKC
 U7boXpLlAcdh47CMk4qvIDZfBb2iVjZCN1yFI9R/TCH7JCT9NLQrVGF0c3VoaXJv
 IFRzdWppa2F3YSA8dGF0c3VoaXJvLnRAZ21haWwuY29tPohgBBMRAgAgBQJJoCQg
 AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQfoQD1dZzw2YoTgCgmzKU0uK/
 fr2nVqYondsxppQS83wAoIPlXaxcUV39DvA7/Rui6+rBNljmuQQNBEmgJCAQEADi
 J5vXLb+y5g2kQApYk/iPqlJV02jHX7VJnWwivfQNq0F56TiiAZx9B6QR71pShkv8
 L4FgdmuNPcxamh4LAiVsiE3lW5dnlt6cp5bmWvNOTDZIojbxSfS4ZhQmt3Ij4vJ5
 fnlgUeaLDzXqeuO5ezMZvpsoBcDMvPCnv8R28JX0z1LIjA42sC85Kvd8EeB7uyGJ
 q0qzU7OMP6JdxN2IwvdGiqXAAHI2KZOU9Pp4Kvg4qj8v3ELXrhlrZVye6PAmbufJ
 Gdcg73EEabhoWutzt1h++qUkhzSQRUoTIqa2DWyE/bTPGlxqKgHmur5okBn5iwcr
 BijhE6d8AvBqlopxyHHIEsZ4YswvLR8VcOt//aT1ArYdrxAfyjujvimoW1+gDjsA
 +Hc1wlrYW6uLgHwFIzQFOi4Yt/+hw26dlqJhO9pnK8vwpPsMnvkfHQx5A7EeZhpN
 g1YIDhPEO+RSk81Gs0Y1xzJjLulncxlzprX6xmyZK/B2dQZy4XFl5K02Q7Zas++x
 z70JvwOC8kDu117jb3QtersJHt09SGywCrkaU6P8+iKxPd2PEwaPWKqu4n7IpLZu
 2Kg5GXO1h80fqhPSRJGbj5a6YVvfVHoRPaUL34Y4yYPxPVxjpgYR6ohhhoyURA4w
 +qkhugcbYM9/wQTbwhgLc5mG62bq+WVkhehaGFOCwwADBRAAkzofRfa6dNtZC8kp
 4bTmTydRCRrAAjUvCtRNL+PjB6JpTsIru/w6dR2i3TYDnUOBNkvVLUNG+Sk6fsR2
 CcEefsa4AQwRb8G33FATsewFbImSrBNT9R5hr+hR33XWxo0KAcXrucnaboidQOBK
 lDD0SEC6eBexVXa4/h9qum4Qmj0u9XBBqMqEOJY/Mao5SJ8EWZV+UAszgJdmHDvq
 s9+1425NuzuG9/KQzx/5wWjQmtAHikE/oFQ1RZ3hWxRpe4YmsrKQuVqwHRfIjCrB
 MdBteldVr4NN0eUqfnrXgTpInXSsUstDr1/04u2Q3+spQUjJOcZ+IluPLfr12EAH
 UKc9/2CT6cLmBVEl2s2PijC5EoxH3UA2KkxcxBy5LleKvF5FZ3MHbXaj2RLMLBlW
 aGhlFF2H85EEmq73Ex5ncLPT4BW2rHrkwdUOOXCN8riUZr42E3K+GTyfGyRbU9Ar
 MBP62ytvamwBO9O+E6sJCVraoho4a2ERORh5PQzEot1Tmyf4u6AQf1+JVMn2yThc
 ilRKWD1Q/AfEAibVbPANkXXjX5pZkIRc1Eunq5afYf2ixyS96RSjc6EZ+euaaaFC
 96+MdDtlycafZIXYNgiNkrrm8mzPCb2i8tmF9aPnGYBknsnFLlda3Zz4afFDKyLN
 LYRvqAujonL+HBOLW2InmeD5p6SISQQYEQIACQUCSaAkIAIbDAAKCRB+hAPV1nPD
 ZqpZAJ9Kw73IdA3hw+wQEen991bFlMzHfQCgtG/GMjXB246Qt9XPVvToTSFJQPq5
 Ag0EZdRdtAEQAMIqEK6XuVLgY6KPOUqHFjQZdi87hCX9sTSHVuvQ75Ko70Ayz/AH
 I7YWnPoaJjWQwCugGOdEjXKQMUUKuGUrWAtGoGUg9MDFXdAXRrwBhhKz8ZGJzGPU
 YXkanJSHo3AAFQ4QWSJmGvlZ2VhthB5v/njUlpzFvNusa5e71RRLM5f5R3kROUlj
 vwAXUcosLESi864AKFzo1qiQB6KtatTLJH8aHQEFrVwzrleKdkF5OozfWw1poB4g
 94QBkIzXgmEA3uTpXHLctIngpR8mZrQQtohI2zKlpnq9lCMZ7j3/xitZ6xS2KSlH
 BU3Z4TXZKZuFP7IsITVTdlMg/OHua2l0i3ZewbIWPnnPJC8dQi+QdYe6FWjDwZPu
 HBAbbxHVFCYnz5f4SP9LNqeWRGqHHnzb5pNe2xZHykPP84kvFvmRonqMBIvFrPhV
 kw+Z43JBvxM4YwYp0GWEuDAik6KmbuM5SmwAiR67KigwwUoumJi9YdQlUIkNKO7P
 SvmHCzaX47+AdLxDToMXCsIO2NlLGE5GN/RwQ8k0owWoK5WZYUI16pgZ39n/Z03y
 Ig+W//qUJ7+eYTgvvCngR3kxUXipSVA0+skxWvdmRHla5MasuvtPuW/Xz6/+U3fS
 4bmYTWA5TmhfrMublTncBXgEvX9LzyL+kPhf81OAix3RNUlD6Jp5+751ABEBAAGJ
 ApYEGBECACAWIQT087kUdNHrKYib0O9+hAPV1nPDZgUCZdRdtAIbAgJACRB+hAPV
 1nPDZsF0IAQZAQoAHRYhBFFrYikY0VxHirHqOlM5or6C4H3sBQJl1F20AAoJEFM5
 or6C4H3sBa8QALx76ibbGN3vz9+Aa58gtk1oDIIfEF/U7PmMuPB9CA9738kgiXvq
 nxKAkiBU9EkaiYsPfF/iv35xp44CrFz/mjqMQiMlWOxMtRVXjsQQoGKmkdei4THk
 3pVE4u6bXXb38LUnXyYVV9P0XLNV/ilwvRlnozP4NqrjH7MuKLKLUoKNHMD6UK2/
 UWUqHQPboFYTIb826+S8PiGQ/3PO7+Y+h0Jyq2o5c76N2PvMgtkQwvTTw6hPP8p1
 EIffN1wUpZ5dG+Cxe9oN2FF6Lq89WCK1M7n3DU4JZqjKIcmxJKPPmjQjdVUUhyXQ
 4naywi+h30esJ/CbrQ0oyDnr0jbiTg04c6IV5U5deVDywJ9gAAgV0g12NDwo2SCb
 ZeLGul8/tZXpXiTYJdTQ0N3EUZYPbOvY8Kdh95stq9HtKJyozP/yemFBfiTtK0Kt
 QISQHf0GNJR+D682S0iB3nSprzXpgwgjaHYLQXYdUomg7lMGrtf3XZQlUaHYLHp6
 W0xhOweS/2kr5G461zSyJ3T9ITm59GapunXfuSGqA2mJvv9CXJqN8Qm6UzUD8QBk
 JxiUC6IMVAoBShSPD9qC0jBxXETKNHC4zPoF0wfOVYjKJ29btfOjneL0IdLNR/6c
 WcszscQx9Rm+vWArbDdcATTnImO1hIehxeQPp/8IRPpxHjD64GoNSbzyZkwAn0n6
 KhOXkidphC12e/W/W3vSRrm5AKC2S6Ile4sLQr7aDSQZLvJz54gxYw==
 =Rw9e
 -----END PGP PUBLIC KEY BLOCK-----
--- a/nghttp2.spec
+++ b/nghttp2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package nghttp2
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -18,31 +18,25 @@
 %global soname  libnghttp2
 %global sover   14
 %global soname_asio libnghttp2_asio
 %global sover_asio 1
 %global flavor @BUILD_FLAVOR@%{nil}
 # libnghttp2_asio has been deprecated in this repository due to maintenance
 # issue and will be removed at the end of 2022
 %bcond_with asio
 Name:           nghttp2
-Version:        1.52.0
+Version:        1.64.0
 Release:        0
 Summary:        Implementation of Hypertext Transfer Protocol version 2 in C
 License:        MIT
 Group:          Development/Libraries/C and C++
 URL:            https://nghttp2.org/
-Source:         https://github.com/nghttp2/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
+Source0:        https://github.com/nghttp2/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
-Source1:        baselibs.conf
+Source1:        https://github.com/nghttp2/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz.asc
-# CVE-2023-35945 [bsc#1215713], Fixes leak memory
+Source2:        nghttp2.keyring
-Patch0:         nghttp2-CVE-2023-35945.patch
+Source3:        baselibs.conf
-# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+%if 0%{?suse_version} && 0%{?suse_version} == 1500
-Patch1:         nghttp2-CVE-2024-28182-1.patch
+BuildRequires:  gcc13-c++
-# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+%else
 Patch2:         nghttp2-CVE-2024-28182-2.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gcc-c++
-BuildRequires:  libtool
+%endif
 BuildRequires:  libboost_system-devel
 BuildRequires:  libboost_thread-devel
 BuildRequires:  pkgconfig
 BuildRequires:  python-rpm-macros
 BuildRequires:  pkgconfig(cunit)
@ -52,19 +46,11 @@ BuildRequires:  pkgconfig(libev)
 BuildRequires:  pkgconfig(liblzma)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(libxml-2.0)
-BuildRequires:  pkgconfig(openssl)
+BuildRequires:  pkgconfig(openssl) >= 1.1.1
 BuildRequires:  pkgconfig(zlib)
 %ifnarch ppc %{arm}
 %if 0%{?sle_version} >= 150000 && 0%{?is_opensuse}
 BuildRequires:  pkgconfig(jemalloc)
 %endif
 %endif
 %if 0%{?suse_version} > 1325
 BuildRequires:  libboost_system-devel
 BuildRequires:  libboost_thread-devel
 %else
 BuildRequires:  boost-devel
 %endif
 %description
 This is an implementation of Hypertext Transfer Protocol version 2.
@ -83,14 +69,6 @@ Group:          System/Libraries
 Shared C libraries for implementation of Hypertext Transfer Protocol
 version 2.
 %package -n %{soname_asio}%{sover_asio}
 Summary:        Shared library for nghttp2
 Group:          System/Libraries
 %description -n %{soname_asio}%{sover_asio}
 Shared libraries for asynchronous implementation of Hypertext Transfer
 Protocol version 2.
 %package -n python3-nghttp2
 Summary:        Python3 bindings for nghttp2
 Group:          Development/Libraries/Python
@ -103,21 +81,12 @@ Python bindings for implementation of Hypertext Transfer Protocol version
 Summary:        Development files for nghttp2
 Group:          Development/Languages/C and C++
 Requires:       %{soname}-%{sover} = %{version}
-Provides:       %{name}-devel
+Provides:       %{name}-devel = %{version}
 %description -n %{soname}-devel
 Development files for usage with libnghttp2, which implements
 Hypertext Transfer Protocol version 2.
 %package -n %{soname_asio}-devel
 Summary:        Development files for nghttp2
 Group:          Development/Languages/C and C++
 Requires:       %{soname_asio}%{sover_asio} = %{version}
 %description -n %{soname_asio}-devel
 Development files for usage with libnghttp2_aio, which implements
 asynchronous Hypertext Transfer Protocol version 2.
 %package doc
 Summary:        Documentation for nghttp2
 Group:          Documentation/HTML
@ -129,15 +98,14 @@ HTTP/2 client, server and proxy.
 %prep
 %autosetup -p1 -n nghttp2-%{version}
 # fix python shebang
 sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response
 %build
-autoreconf -fiv
+%if 0%{?suse_version} && 0%{?suse_version} == 1500
 export CC=/usr/bin/gcc-13
 export CXX=/usr/bin/g++-13
 %endif
 %configure \
  --disable-static        \
  --disable-silent-rules  \
  %{?with_asio:--enable-asio-lib} %{!?with_asio: --disable-asio-lib} \
  --enable-app            \
  %{nil}
 %make_build all
@ -146,24 +114,25 @@ autoreconf -fiv
 %make_install
 find %{buildroot} -type f -name "*.la" -delete -print
-# Do not ship theis
+
 # Do not ship this
 rm -rf %{buildroot}%{_datadir}/doc/nghttp2
 # None of applications using these man pages are built.
 rm -rf %{buildroot}%{_mandir}/man1/* \
  doc/manual/html/.buildinfo
-%check
+# https://build.opensuse.org/request/show/1212476
-# One test fails if python-sphinx is not present
+%if %{suse_version} >= 1600
-%make_build check ||:
+%python3_fix_shebang_path %{buildroot}%{_datadir}/%{name}/fetch-ocsp-response
 %post -n %{soname}-%{sover} -p /sbin/ldconfig
 %postun -n %{soname}-%{sover} -p /sbin/ldconfig
 %if %{with asio}
 %post -n %{soname_asio}%{sover_asio} -p /sbin/ldconfig
 %postun -n %{soname_asio}%{sover_asio} -p /sbin/ldconfig
 %endif
 %check
 %make_build check
 %ldconfig_scriptlets -n %{soname}-%{sover}
 %files
 %{_bindir}/deflatehd
 %{_bindir}/inflatehd
@ -183,16 +152,4 @@ rm -rf %{buildroot}%{_mandir}/man1/* \
 %{_libdir}/%{soname}.so
 %{_libdir}/pkgconfig/%{soname}.pc
 %if %{with asio}
 %files -n %{soname_asio}%{sover_asio}
 %license COPYING
 %{_libdir}/%{soname_asio}.so.%{sover_asio}*
 %files -n %{soname_asio}-devel
 %dir %{_includedir}/%{name}/
 %{_includedir}/%{name}/asio_http2*.h
 %{_libdir}/%{soname_asio}.so
 %{_libdir}/pkgconfig/%{soname_asio}.pc
 %endif
 %changelog
`@ -1,2 +1 @@`
	`libnghttp2-14`	`libnghttp2-14`
	`libnghttp2_asio1`