- Update to 1.68.0:
* Increase glitch counter for unexpected builtin extension frames
* Remove session_update_glitch_ratelim called from deep inside the chain
* nghttpd: Make the supported groups configurable
* Use SSL_CTX_set1_groups_list
* nghttpx: Add groups option
* nghttpx: Prefer ML-DSA certificate over ECDSA
* nghttpx: Select ECDSA cert based on EVP_PKEY_base_id
* nghttpx: Select certificate with BoringSSL
* nghttpx: Select certificate with wolfSSL
* nghttpx: Add the fast path when selecting a certificate
* nghttpx: Select a certificate in a single pass
* nghttpx: Support ML-DSA certificate selection with wolfSSL
* nghttpx: Make servername_callback behavior consistent
* nghttpx: Drop TLSv1.0 and TLSv1.1 support
* nghttpx: Define NGHTTP2_CERT_TYPE as constexpr
* src: Move sgi _daemonize to util::daemonize
* examples: Consistent conditional macro comments
* Bump ngtcp2 and its dependencies
* src: Adopt nghttp3_conn_read_stream2
* src: Use std::ranges::begin and std::ranges::end consistently
* h2load: Set QUIC window-bits to 24 by default
* Fix typos in documentation: "or3xx" → "or 3xx" and missing space after period
* nghttpx: Increase number of UDP packets to read
* Optimize quic io
* nghttpx: Remove unused ticket_keys from WorkerEvent
* Bump ngtcp2 and its dependencies
- Update to 1.67.1:
* Remove session_update_glitch_ratelim called from deep inside the chain
OBS-URL: https://build.opensuse.org/request/show/1313833
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=131
- version update to 1.64.0
1.64.0
* Change clang-format options by @tatsuhiro-t in #2240
* build(deps): bump github.com/quic-go/quic-go from 0.46.0 to 0.47.0 by @dependabot in #2243
* build(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #2244
* nghttp2_map: Port ngtcp2 changes by @tatsuhiro-t in #2245
* h2load: Fix UDP datagram send/recv metric by @tatsuhiro-t in #2248
* build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #2252
* fix race condition on h1 connection close by @TuxInvader in #2249
* Gha ubuntu 24.04 by @tatsuhiro-t in #2254
* GHA: Run tests for i686-w64-mingw32 host by @tatsuhiro-t in #2255
* cmake: Fix c-ares v1.34.0 version detection failure by @tatsuhiro-t in #2256
* fix: -Wextra-semi errors in nghttp2_helper.h by @codebytere in #2258
* clang-format macros that do not need semicolon at the end by @tatsuhiro-t in #2259
* Remove extra semicolons by @tatsuhiro-t in #2260
* Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2261
* Do not allow '@' in :authority or host field values by @tatsuhiro-t in #2262
* h2load: GRO buffer size should be 64KiB by @tatsuhiro-t in #2263
* Bump libbpf to v1.4.6 by @tatsuhiro-t in #2264
* Update nghttp2_check_authority doc by @tatsuhiro-t in #2265
1.63.0
* Bump libbpf to v1.4.2 by @tatsuhiro-t in #2191
* build(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in #2193
* nghttpx: Fix batch UDP QUIC packet dropped on GRO read by @tatsuhiro-t in #2196
* CMakeLists.txt: allow to compile the C only lib without CXX compiler by @ThomasDevoogdt in #2200
* build(deps): bump github.com/quic-go/quic-go from 0.43.1 to 0.44.0 by @dependabot in #2197
* Fix compiler versions in readme by @ryandesign in #2203
* build(deps): bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in #2205
* build(deps): bump github.com/quic-go/quic-go from 0.44.0 to 0.45.0 by @dependabot in #2206
* Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2207
OBS-URL: https://build.opensuse.org/request/show/1223641
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=125
- version update to 1.61.0
* Fixes CVE-2024-28182 [bsc#1221399]
* nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087
* Checkout with submodules by @jonaski in #2093
* Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092
* build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097
* Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098
* docker: Use copy --link by @tatsuhiro-t in #2099
* Nghttpx header idle timeout by @tatsuhiro-t in #2100
* nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101
* Rewrite hexdump by @tatsuhiro-t in #2102
* Switch to distroless/base-nossl by @tatsuhiro-t in #2103
* Bump ngtcp2 by @tatsuhiro-t in #2105
* nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106
* build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107
* autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108
* Automate release process by @tatsuhiro-t in #2109
* autotools: Switch to tar-pax by @tatsuhiro-t in #2110
* nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111
* nghttpx: Fix port byte order by @tatsuhiro-t in #2112
* h2load: Allow host header to be overridden by @tatsuhiro-t in #2113
* nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114
* nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115
* Add actions/stale by @tatsuhiro-t in #2116
* nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117
* nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119
* No rfc7540 priority fix by @tatsuhiro-t in #2120
* Further reduce Stateless reset emission by @tatsuhiro-t in #2122
* nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124
* Nghttpx faster worker lookup by @tatsuhiro-t in #2125
OBS-URL: https://build.opensuse.org/request/show/1164552
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=123
- Update keyring with current key
- version update to 1.60.0
* makerelease.sh: Speed up git submodule
* Speed up git clone
* build(deps): bump actions/cache from 3 to 4
* Fixing the build and install trees
* build(deps): bump microsoft/setup-msbuild from 1 to 2
* nghttpx: Set ocsp response to SSL in case of boringssl
* Run with python3
* src: Certificate Compression with boringssl
* Fix missing newline
* Switch to aws lc
* Libbrotli fixup
* Deprecate RFC 7540 priorities (aka stream dependencies)
* Let dependabot manage go modules
* build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
* integration-tests: Omit unused parameters
* Munit
* Introduce nghttp2_ssize API
* Move deprecated warning upfront
* Describe RFC 7540 priorities deprecation plan
* Apps migrate nghttp2 ssize
* src: Remove unused functions
* Reconsider ssize t usage in src
* Use GitHub private vulnerability reporting
* Move security policy to GitHub standard location
* Bump mruby to 3.3.0
* Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663
* h2load: Add --sni option
OBS-URL: https://build.opensuse.org/request/show/1159004
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nghttp2?expand=0&rev=80
- update to 1.59.0:
* Update bash_completion
* h2load: Fix bug that ttfb is not recorded if h3 stream
has no data
* h2load: Consider all h2 HEADERS when counting bytes and
recording ttfb
* h2load: Ignore 1xx status code
* nghttpd: Free SSL_CTX on exit
* nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data
* nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data
* cmake: Require OpenSSL >= 1.1.1
* Add nghttp2_select_alpn and deprecate
nghttp2_select_next_protocol
* nghttpx: Add --alpn-list and deprecate --npn-list
* h2load: Add --alpn-list and deprecate --npn-list
* Remove NPN
* src: Support building with aws-lc
* Avoid detecting OpenSSL 3.2 as quictls
* Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0
* h2load: Fix IPv6 address in :authority
* h2load: Fix IPv6 address in :authority
* nghttpx: Propagate stream priority from backend to
frontend
* nghttpx: Propagate stream priority from backend to
frontend
* Merge pull request #1991 from nghttp2/get-and-parse-
extpri
* Add API to get and parse RFC 9218 priority
* nghttpx: Prefer __FILE_NAME__ if defined
OBS-URL: https://build.opensuse.org/request/show/1142108
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=119
- add keyring for gpg validation
- spec file cleanups
For example, if GOAWAY frame has been received, a
* https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
checking leading and trailing white spaces against HTTP field value.
* https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
* third-party: Bump neverbleed based on the latest head (GH-1708)
* see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
* see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/
* nghttpx: Fix logging integer
- Conditionally remove dependecy on jemalloc for SLE-12
if table size is changed from default
* Add nghttp2_option_set_max_send_header_block_length API
* Fix warning: declaration of 'free' shadows a global declaration
* nghttpx: Add healthmon parameter to -f option to enable health
* nghttpx: Add --api-max-request-body option to set maximum API
* nghttpx: Add api parameter to --frontend option to mark API
* h2load: Add content-length header field for HTTP/2 and SPDY as
* Run error callback when peer does not send initial SETTINGS
* nghttpx: Fix bug that server push from mruby script did not
* nghttpx: Try next HTTP/1 backend address when connection
* nghttpx: Retry next HTTP/2 backend address when connection
* nghttpx: Enable link header field based push for non-final
* nghttpx: Fix bug that logger wrote string which was not
* nghttpx: Fix bug that backend tls keyword did not work with -s
* lib: Add nghttp2_error_callback to tell application human
* lib: Add nghttp2_http2_strerror() to return HTTP/2 error code
* integration: Disable tests that sometimes break randomly on
* h2load: Fix bug that initial max concurrent streams was too
OBS-URL: https://build.opensuse.org/request/show/1123980
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nghttp2?expand=0&rev=76
- spec file cleanups
For example, if GOAWAY frame has been received, a
* https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
checking leading and trailing white spaces against HTTP field value.
* https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
* third-party: Bump neverbleed based on the latest head (GH-1708)
* see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
* see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/
* nghttpx: Fix logging integer
- Conditionally remove dependecy on jemalloc for SLE-12
if table size is changed from default
* Add nghttp2_option_set_max_send_header_block_length API
* Fix warning: declaration of 'free' shadows a global declaration
* nghttpx: Add healthmon parameter to -f option to enable health
* nghttpx: Add --api-max-request-body option to set maximum API
* nghttpx: Add api parameter to --frontend option to mark API
* h2load: Add content-length header field for HTTP/2 and SPDY as
* Run error callback when peer does not send initial SETTINGS
* nghttpx: Fix bug that server push from mruby script did not
* nghttpx: Try next HTTP/1 backend address when connection
* nghttpx: Retry next HTTP/2 backend address when connection
* nghttpx: Enable link header field based push for non-final
* nghttpx: Fix bug that logger wrote string which was not
* nghttpx: Fix bug that backend tls keyword did not work with -s
* lib: Add nghttp2_error_callback to tell application human
* lib: Add nghttp2_http2_strerror() to return HTTP/2 error code
* integration: Disable tests that sometimes break randomly on
* h2load: Fix bug that initial max concurrent streams was too
* nghttpx: Workaround for Ubuntu 15.04 which does not
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=116
- version update to 1.57.0 [bsc#1216174]
1.57.0
* Fixes CVE-2023-44487
* Bump ngtcp2 by @tatsuhiro-t in #1944
* Add dependabot to update actions by @tatsuhiro-t in #1946
* Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950
* Bump actions/setup-go from 3 to 4 by @dependabot in #1948
* Bump actions/checkout from 3 to 4 by @dependabot in #1949
* Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947
* docker: Bump base image to debian 12 by @tatsuhiro-t in #1951
* nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953
* Bump quictls by @tatsuhiro-t in #1945
* Apps fix by @tatsuhiro-t in #1957
* nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958
* Fix clang-format by @tatsuhiro-t in #1959
* Rework session management by @tatsuhiro-t in #1961
1.56.0
* doc: Bump boringssl by @tatsuhiro-t in #1928
* Fix memory leak by @tatsuhiro-t in #1930
* Return void by @tatsuhiro-t in #1931
* nghttpx: Rework sending and receiving ECN bits by @tatsuhiro-t in #1934
* CMSG_DATA does not necessarily return an aligned pointer by @tatsuhiro-t in #1935
* Bump quictls by @tatsuhiro-t in #1937
* Bump ngtcp2 and its dependencies by @tatsuhiro-t in #1939
* nghttpx: Simplify std::unique_ptr get and release by @tatsuhiro-t in #1940
* Bump llhttp to 926c982942eb53a13f01c1e9e6b19bd3b196e7dd by @tatsuhiro-t in #1941
* Bump libbpf to v1.2.2 by @tatsuhiro-t in #1942
* Update Dockerfile by @tatsuhiro-t in #1943
OBS-URL: https://build.opensuse.org/request/show/1117984
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=115
- update to 1.55.1:
* Fix memory leak
This commit fixes memory leak that happens when
PUSH_PROMISE or HEADERS frame cannot be sent, and
nghttp2_on_stream_close_callback fails with a fatal error.
For example, if GOAWAY frame has been received, a
HEADERS frame that opens new stream cannot be sent.
This issue has already been made public via CVE-2023-35945
by envoyproxy/envoy project. During embargo period, the
patch to fix this bug was accidentally submitted to
nghttp2/nghttp2 repository [2]. And they decided to
disclose CVE early. I was notified just 1.5 hours
before disclosure. I had no time to respond.
PoC described in [1] is quite simple, but I think it is
not enough to trigger this bug. While it is true that
receiving GOAWAY prevents a client from opening new stream,
and nghttp2 enters error handling branch, in order to cause
the memory leak, nghttp2_session_close_stream function
must return a fatal error.
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of
memory. It is unlikely that a process gets short of
memory with this simple PoC scenario unless application
does something memory heavy processing.
* NGHTTP2_ERR_CALLBACK_FAILURE is returned from application
defined callback function (nghttp2_on_stream_close_callback, in
this case), which indicates something fatal happened inside a
callback, and a connection must be closed immediately without
any further action. As nghttp2_on_stream_close_error_callback
documentation says, any error code other than 0 or
NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
OBS-URL: https://build.opensuse.org/request/show/1099190
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nghttp2?expand=0&rev=74
- update to 1.55.1:
* Fix memory leak
This commit fixes memory leak that happens when
PUSH_PROMISE or HEADERS frame cannot be sent, and
nghttp2_on_stream_close_callback fails with a fatal error.
For example, if GOAWAY frame has been received, a
HEADERS frame that opens new stream cannot be sent.
This issue has already been made public via CVE-2023-35945
by envoyproxy/envoy project. During embargo period, the
patch to fix this bug was accidentally submitted to
nghttp2/nghttp2 repository [2]. And they decided to
disclose CVE early. I was notified just 1.5 hours
before disclosure. I had no time to respond.
PoC described in [1] is quite simple, but I think it is
not enough to trigger this bug. While it is true that
receiving GOAWAY prevents a client from opening new stream,
and nghttp2 enters error handling branch, in order to cause
the memory leak, nghttp2_session_close_stream function
must return a fatal error.
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of
memory. It is unlikely that a process gets short of
memory with this simple PoC scenario unless application
does something memory heavy processing.
* NGHTTP2_ERR_CALLBACK_FAILURE is returned from application
defined callback function (nghttp2_on_stream_close_callback, in
this case), which indicates something fatal happened inside a
callback, and a connection must be closed immediately without
any further action. As nghttp2_on_stream_close_error_callback
documentation says, any error code other than 0 or
NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
OBS-URL: https://build.opensuse.org/request/show/1098813
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=113
