nghttp2.org

HTTP/2 C library and tools

Nghttp2 v1.42.0

We have released nghttp2 v1.42.0.

lib

The UBSAN errors are now fixed.

nghttp2_map is now backed by a tree for storing collisions.

doc

Some clarifications have been made for the nghttp2_session_send function.

build

The missing cmake/FindSystemd.cmake has been added to the tar distribution.

third-party

Bump llhttp to 2.2.0 and mruby to 2.1.2.

nghttpx

This release fixes the bug that nghttpx cannot deal with the case where an h2 backend is retired before it is initialized.

New access logging variables are added: $method, $path, $path_without_query, and $protocol_version.

The bug that makes nghttpx stall when TLS follows proxy protocol has been fixed.

The bug in logging negative integers has been fixed.

Nghttp2 v1.41.0

We have released nghttp2 v1.41.0.

This release includes a security advisory.

Security Advisory

CVE-2020-11080: Denial of service: Overly large SETTINGS frames

For more information, read the security advisory.

lib

This release implements the nghttp2_option_set_max_settings API, which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves the SETTINGS flood check earlier to make it more effective.
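
The kind of check this mitigation describes, as an added example that is not nghttp2's own code: a receiver rejects a SETTINGS frame whose entry count exceeds a limit, deciding from the payload length before any entry is decoded. The function names, result codes, sample payload and the limit of 32 are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this sketch; none of them are nghttp2 identifiers. */
#define SETTINGS_ENTRY_LEN 6 /* RFC 7540 6.5.1: 16-bit id + 32-bit value */
enum { SETTINGS_OK = 0, SETTINGS_BAD_LENGTH = -1, SETTINGS_TOO_MANY = -2 };

struct settings_entry { uint16_t id; uint32_t value; };

/* Decide from the frame length alone, before any entry is decoded or
   stored, whether the frame is acceptable. */
int check_settings_payload(size_t payload_len, size_t max_entries) {
  if (payload_len % SETTINGS_ENTRY_LEN != 0)
    return SETTINGS_BAD_LENGTH; /* malformed: FRAME_SIZE_ERROR */
  if (payload_len / SETTINGS_ENTRY_LEN > max_entries)
    return SETTINGS_TOO_MANY; /* over the receiver's limit: reject */
  return SETTINGS_OK;
}

/* Decode entries into out[] (capacity >= max_entries) only after the
   check passes. Returns the entry count or a negative code. */
int parse_settings(const uint8_t *p, size_t len, size_t max_entries,
                   struct settings_entry *out) {
  int rv = check_settings_payload(len, max_entries);
  if (rv != SETTINGS_OK) return rv;
  size_t n = len / SETTINGS_ENTRY_LEN;
  for (size_t i = 0; i < n; i++, p += SETTINGS_ENTRY_LEN) {
    out[i].id = (uint16_t)((p[0] << 8) | p[1]);
    out[i].value = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
                   ((uint32_t)p[4] << 8) | (uint32_t)p[5];
  }
  return (int)n;
}

/* Constructed sample: MAX_CONCURRENT_STREAMS (0x3) = 100,
   INITIAL_WINDOW_SIZE (0x4) = 65535. */
static const uint8_t SAMPLE[12] = {0x00, 0x03, 0x00, 0x00, 0x00, 0x64,
                                   0x00, 0x04, 0x00, 0x00, 0xff, 0xff};
static struct settings_entry parsed[32];

int main(void) {
  int n = parse_settings(SAMPLE, sizeof SAMPLE, 32, parsed);
  for (int i = 0; i < n; i++)
    printf("id=0x%x value=%u\n", parsed[i].id, (unsigned)parsed[i].value);
  printf("33 entries, limit 32 -> %d\n", check_settings_payload(33 * 6, 32));
  return 0;
}
```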

The bug which stalls receiving stream data is fixed. Previously, if automatic window update was enabled (which is the default), then after the window size was set to 0 by nghttp2_session_set_local_window_size and the receiving window was exhausted, no more data could be received, even after the window size was increased again by nghttp2_session_set_local_window_size. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. WINDOW_UPDATE is only triggered when new data arrives, but since the window is filled up, no more data can be received, and thus a deadlock occurs.

build

With cmake build, the hard-coded static lib suffix is now optional.

nghttpx

proxyprotocol v2 has been implemented.

The bug in getting certificate serial number with mruby script has been fixed.

h2load

New option, --connect-to, is added.

Nghttp2 v1.40.0

We have released nghttp2 v1.40.0.

lib

New API function nghttp2_check_authority has been added.

This release fixes the bug that nghttp2_on_stream_close_callback is closed with the wrong error code.

HPACK huffman encoding and decoding get faster.

build

With cmake build, filename collision is now avoided.

New flag ENABLE_STATIC_CRT is added for Windows cmake build.

Support building nghttpx with systemd has been added to cmake.

third-party

neverbleed memory leak has been fixed.

nghttpx

This release fixes the bug that mruby script is incorrectly shared between backends with different configurations.

Now nghttpx reconnects to h1 backend if it lost connection before sending header fields.

nghttpx returns 408 if backend timed out before sending header fields.

The bug that makes nghttpx stall when backend connection is reused and buffer is full has been fixed.

Nghttp2 v1.39.2

We have released nghttp2 v1.39.2.

This release addresses the following security issues.

Security Advisory

  • CVE-2019-9511: Data Dribble
  • CVE-2019-9513: Resource Loop

Vulnerability

The details of the advisories are described here.

libnghttp2 itself is not affected by the vulnerabilities reported above.

nghttpx and nghttpd are subject to Denial of Service by consuming CPU time with CVE-2019-9511 and CVE-2019-9513.

Affected Versions

  • Affected versions: nghttp2 version < 1.39.2
  • Not affected versions: nghttp2 >= 1.39.2

The Solution

Upgrade to nghttp2 v1.39.2.

For nghttpx, additionally limiting inbound traffic with the --read-rate and --read-burst options is quite effective against this kind of attack.

Nghttp2 v1.39.1

We have released nghttp2 v1.39.1.

This release fixes critical bugs in v1.39.0.

nghttpx

This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend.

Nghttp2 v1.39.0

We have released nghttp2 v1.39.0.

lib

libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.

third-party

mruby has been upgraded to 2.0.1.

asio

libnghttp2-asio now supports boost-1.70.

src

http-parser has been replaced with llhttp.

nghttpx

nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

This release fixes the bug that the log level does not change to the default value on configuration reload if log-level option is missing in new configuration.

Nghttp2 v1.38.0

We have released nghttp2 v1.38.0.

lib

This release fixes the bug that on_header callback is still called after stream is closed.

third-party

http-parser is upgraded to v2.9.1.

nghttpx

This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry.

It also fixes the bug that HTTP/1.1 chunked request stalls.

Now nghttpx does not log authorization request header field value with -LINFO.

Now nghttpx can be built with modern LibreSSL.

Nghttp2 v1.37.0

We have released nghttp2 v1.37.0.

build

CMake build explicitly sets install location when building shared library.

nghttpx

This release fixes possible backend stall when header and request body are sent in their own packets.

The backend option gets weight parameter to influence backend selection.

This release fixes compile error with BoringSSL.

Nghttp2 v1.36.0

We have released nghttp2 v1.36.0.

build

CMake build disables shared library if ENABLE_SHARED_LIB is OFF.

third-party

http-parser has been upgraded to v2.9.0.

mruby has been upgraded to v2.0.0.

nghttpx

nghttpx now pools h1 backend connection per address and uses it when the round robin index points to the address.

nghttpx now randomizes backend address round robin order per thread.

The bug that long certificate serial numbers cannot be handled has been fixed.

h2load

An option to write per-request logs has been added.

asio

The API to get the current server port has been added.

Nghttp2 v1.35.1

We have released nghttp2 v1.35.1.

nghttpx

This release fixes the broken trailing slash handling when routing a request. nghttpx allows a pattern which ends with “/” to match a request path which just lacks the trailing “/”. Previously, this special handling did not work if certain patterns were registered.