From dc40b8ad083539886ce0a1b6619b2ab63b388d561ca56ba94282cf3a2f941045 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Mon, 19 Aug 2019 13:20:08 +0000
Subject: [PATCH] Accepting request 724578 from home:adamm:branches:devel:libraries:c_c++
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update to version 1.39.2 (bsc#1146184, bsc#1146182):
* This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.
* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall

OBS-URL: https://build.opensuse.org/request/show/724578
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/nghttp2?expand=0&rev=96
---
 nghttp2-1.39.1.tar.xz | 3 ---
 nghttp2-1.39.2.tar.xz | 3 +++
 nghttp2.changes | 15 +++++++++++++++
 nghttp2.spec | 2 +-
 4 files changed, 19 insertions(+), 4 deletions(-)
 delete mode 100644 nghttp2-1.39.1.tar.xz
 create mode 100644 nghttp2-1.39.2.tar.xz

diff --git a/nghttp2-1.39.1.tar.xz b/nghttp2-1.39.1.tar.xz
deleted file mode 100644
index 32a60f3..0000000
--- a/nghttp2-1.39.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:679160766401f474731fd60c3aca095f88451e3cc4709b72306e4c34cf981448
-size 1634512
diff --git a/nghttp2-1.39.2.tar.xz b/nghttp2-1.39.2.tar.xz
new file mode 100644
index 0000000..51e8c60
--- /dev/null
+++ b/nghttp2-1.39.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a2d216450abd2beaf4e200c168957968e89d602ca4119338b9d7ab059fd4ce8b
+size 1635428
diff --git a/nghttp2.changes b/nghttp2.changes
index b53d1e2..15ee165 100644
--- a/nghttp2.changes
+++ b/nghttp2.changes
@@ -3,6 +3,21 @@ Mon Aug 19 12:27:38 UTC 2019 - Martin Pluskal
 
 - Require correct library from devel package - boo#1125689
 
+-------------------------------------------------------------------
+Mon Aug 19 12:02:09 UTC 2019 - Adam Majer
+
+- Update to version 1.39.2 (bsc#1146184, bsc#1146182):
+ * This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
+ “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
+ frames cause Denial of Service by consuming CPU time. Check out
+ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
+ for details. For nghttpx, additionally limiting inbound traffic by
+ --read-rate and --read-burst options is quite effective against
+ this kind of attack.
+
+ * Add nghttp2_option_set_max_outbound_ack API function
+ * nghttpx: Fix request stall
+
 -------------------------------------------------------------------
 Tue Aug 13 13:22:01 UTC 2019 - Martin Pluskal
 
diff --git a/nghttp2.spec b/nghttp2.spec
index 89df79e..2a0a52d 100644
--- a/nghttp2.spec
+++ b/nghttp2.spec
@@ -29,7 +29,7 @@
 %bcond_with python
 %endif
 Name: nghttp2%{psuffix}
-Version: 1.39.1
+Version: 1.39.2
 Release: 0
 Summary: Implementation of Hypertext Transfer Protocol version 2 in C
 License: MIT