We have released nghttp2 v1.41.0.
This release includes security advisory.
CVE-2020-11080: Denial of service: Overly large SETTINGS frames
For more information, read the security advisory.
This release implements
nghttp2_option_set_max_settings API which
sets the maximum number of SETTINGS entries in one SETTINGS frame to
mitigate the security issue. It also moves SETTINGS flood check
earlier to make it more effective.
The bug which stalls receiving stream data is fixed. Previously, if
automatic window update is enabled (which is default), after window
size is set to 0 by
nghttp2_session_set_local_window_size, once the
receiving window is exhausted, even after window size is increased by
nghttp2_session_set_local_window_size, no more data cannot be
received. This is because
does not submit WINDOW_UPDATE. It is only triggered when new data
arrives but since window is filled up, no more data cannot be
received, thus dead lock happens.
With cmake build, the hard-coded static lib suffix is now optional.
proxyprotocol v2 has been implemented.
The bug in getting certificate serial number with mruby script has been fixed.
--connect-to, is added.