We have released nghttp2 v1.39.2.
This release addresses the following security issues.
- CVE-2019-9511: Data Dribble
- CVE-2019-9513: Resource Loop
The details of the advisories are described here.
libnghttp2 itself is not affected by the vulnerabilities reported above.
nghttpx and nghttpd are subject to Denial of Service through excessive CPU time consumption under CVE-2019-9511 and CVE-2019-9513.
- Affected versions: nghttp2 version < 1.39.2
- Not affected versions: nghttp2 >= 1.39.2
Upgrade to nghttp2 v1.39.2.
For nghttpx, additionally limiting inbound traffic by
--read-burst options is quite effective against this kind of