- add keyring for gpg validation
- spec file cleanups
For example, if GOAWAY frame has been received, a
* https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
checking leading and trailing white spaces against HTTP field value.
* https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
* third-party: Bump neverbleed based on the latest head (GH-1708)
* see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
* see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/
* nghttpx: Fix logging integer
- Conditionally remove dependency on jemalloc for SLE-12
if table size is changed from default
* Add nghttp2_option_set_max_send_header_block_length API
* Fix warning: declaration of 'free' shadows a global declaration
* nghttpx: Add healthmon parameter to -f option to enable health
* nghttpx: Add --api-max-request-body option to set maximum API
* nghttpx: Add api parameter to --frontend option to mark API
* h2load: Add content-length header field for HTTP/2 and SPDY as
* Run error callback when peer does not send initial SETTINGS
* nghttpx: Fix bug that server push from mruby script did not
* nghttpx: Try next HTTP/1 backend address when connection
* nghttpx: Retry next HTTP/2 backend address when connection
* nghttpx: Enable link header field based push for non-final
* nghttpx: Fix bug that logger wrote string which was not
* nghttpx: Fix bug that backend tls keyword did not work with -s
* lib: Add nghttp2_error_callback to tell application human
* lib: Add nghttp2_http2_strerror() to return HTTP/2 error code
* integration: Disable tests that sometimes break randomly on
* h2load: Fix bug that initial max concurrent streams was too
OBS-URL: https://build.opensuse.org/request/show/1123980
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nghttp2?expand=0&rev=76
* nghttpx: Workaround for Ubuntu 15.04 which does not
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=116
- version update to 1.57.0 [bsc#1216174]
1.57.0
* Fixes CVE-2023-44487
* Bump ngtcp2 by @tatsuhiro-t in #1944
* Add dependabot to update actions by @tatsuhiro-t in #1946
* Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950
* Bump actions/setup-go from 3 to 4 by @dependabot in #1948
* Bump actions/checkout from 3 to 4 by @dependabot in #1949
* Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947
* docker: Bump base image to debian 12 by @tatsuhiro-t in #1951
* nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953
* Bump quictls by @tatsuhiro-t in #1945
* Apps fix by @tatsuhiro-t in #1957
* nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958
* Fix clang-format by @tatsuhiro-t in #1959
* Rework session management by @tatsuhiro-t in #1961
1.56.0
* doc: Bump boringssl by @tatsuhiro-t in #1928
* Fix memory leak by @tatsuhiro-t in #1930
* Return void by @tatsuhiro-t in #1931
* nghttpx: Rework sending and receiving ECN bits by @tatsuhiro-t in #1934
* CMSG_DATA does not necessarily return an aligned pointer by @tatsuhiro-t in #1935
* Bump quictls by @tatsuhiro-t in #1937
* Bump ngtcp2 and its dependencies by @tatsuhiro-t in #1939
* nghttpx: Simplify std::unique_ptr get and release by @tatsuhiro-t in #1940
* Bump llhttp to 926c982942eb53a13f01c1e9e6b19bd3b196e7dd by @tatsuhiro-t in #1941
* Bump libbpf to v1.2.2 by @tatsuhiro-t in #1942
* Update Dockerfile by @tatsuhiro-t in #1943
OBS-URL: https://build.opensuse.org/request/show/1117984
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=115
- update to 1.55.1:
* Fix memory leak
This commit fixes memory leak that happens when
PUSH_PROMISE or HEADERS frame cannot be sent, and
nghttp2_on_stream_close_callback fails with a fatal error.
For example, if GOAWAY frame has been received, a
HEADERS frame that opens new stream cannot be sent.
This issue has already been made public via CVE-2023-35945
by envoyproxy/envoy project. During embargo period, the
patch to fix this bug was accidentally submitted to
nghttp2/nghttp2 repository [2]. And they decided to
disclose CVE early. I was notified just 1.5 hours
before disclosure. I had no time to respond.
PoC described in [1] is quite simple, but I think it is
not enough to trigger this bug. While it is true that
receiving GOAWAY prevents a client from opening new stream,
and nghttp2 enters error handling branch, in order to cause
the memory leak, nghttp2_session_close_stream function
must return a fatal error.
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of
memory. It is unlikely that a process gets short of
memory with this simple PoC scenario unless the application
does some memory-heavy processing.
* NGHTTP2_ERR_CALLBACK_FAILURE is returned from application
defined callback function (nghttp2_on_stream_close_callback, in
this case), which indicates something fatal happened inside a
callback, and a connection must be closed immediately without
any further action. As nghttp2_on_stream_close_error_callback
documentation says, any error code other than 0 or
NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
OBS-URL: https://build.opensuse.org/request/show/1099190
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nghttp2?expand=0&rev=74
OBS-URL: https://build.opensuse.org/request/show/1098813
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=113
- update to 1.42.0:
* lib: fix ubsan errors (Patch from Asra Ali) (GH-1468)
* lib: Don't send RST_STREAM to idle stream (GH-1477)
* lib: nghttp2_map backed by nghttp2_ksl
* doc: Update sphinx_rtd_theme
* doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489)
* doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488)
* build: Add missing cmake/FindSystemd.cmake to dist (GH-1526)
* third-party: Bump llhttp to 2.2.0
* third-party: Bump mruby to 2.1.2
* nghttpx: Deal with the case when h2 backend is retired before it is initialized
* nghttpx: Add accesslog variables to record request path without query (GH-1511)
* nghttpx: Fix stall when TLS follows after proxy protocol
* nghttpx: Fix logging integer
OBS-URL: https://build.opensuse.org/request/show/860715
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=101
- Update to 1.41.0
* Fix CVE-2020-11080
* lib: Implement max settings option (Patch from James M Snell)
* lib: Earlier check for settings flood (Patch from James M Snell)
* lib: Fix receiving stream data stall (GH-1444)
* build: cmake: Make hard-coded static lib suffix optional (Patch from Viktor Szakats) (GH-1418)
* third-party: Bump llhttp to 2.0.4 (GH-1442)
* nghttpx: Add PROXY-protocol v2 support (GH-1452)
* nghttpx: Fix get_x509_serial for long serial numbers (Patch from Jacky Tian) (GH-1455)
* h2load: Allow port in --connect-to
* h2load: add --connect-to option (Patch from Lucas Pardue) (GH-1426)
OBS-URL: https://build.opensuse.org/request/show/811122
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=100
- Update to version 1.40.0
* lib: Add nghttp2_check_authority as public API
* lib: Fix the bug that stream is closed with wrong error code
* lib: Faster huffman encoding and decoding
* build: Avoid filename collision of static and dynamic lib
* build: Add new flag ENABLE_STATIC_CRT for Windows
* build: cmake: Support building nghttpx with systemd
* third-party: Update neverbleed to fix memory leak
* nghttpx: Fix bug that mruby is incorrectly shared between
backends
* nghttpx: Reconnect h1 backend if it lost connection before
sending headers
* nghttpx: Returns 408 if backend timed out before sending
headers
* nghttpx: Fix request stal
OBS-URL: https://build.opensuse.org/request/show/765237
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=99
- Update to version 1.39.1:
* This release fixes the bug that log-level is not set with
cmd-line or configuration file. It also fixes FPE with default
backend.
- Changes for version 1.39.0:
* libnghttp2 now ignores content-length in 200 response to
CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
or 200 to CONNECT.
- Drop no longer needed boost170.patch
OBS-URL: https://build.opensuse.org/request/show/723082
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nghttp2?expand=0&rev=58
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=94
- Update to 1.38.0:
* This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry.
* It also fixes the bug that HTTP/1.1 chunked request stalls.
* Now nghttpx does not log authorization request header field value with -LINFO.
* This release fixes possible backend stall when header and request body are sent in their own packets.
* The backend option gets weight parameter to influence backend selection.
* This release fixes compile error with BoringSSL.
- Add patch from upstream to build with new boost bsc#1134616:
* boost170.patch
OBS-URL: https://build.opensuse.org/request/show/701941
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nghttp2?expand=0&rev=57
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=93
* nghttpx: Fix broken trailing slash handling (GH-1276)
- Changes for version 1.35:
* build: cmake: Fix libevent version detection (Patch from Jan Kundrát) (GH-1238)
* lib: Use __has_declspec_attribute for shared builds (Patch from Don) (GH-1222)
* src: Require C++14 language feature
* nghttpx: Write mruby send_info early
* nghttpx: Fix assertion failure on mruby send_info with HTTP/1 frontend
* h2load: Handle HTTP/1 non-final response (GH-1259)
* h2load: Clarify that time for connect includes TLS handshake
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=89