We have released nghttp2 v1.57.0.
This release includes a security advisory.
CVE-2023-44487: HTTP/2 Rapid Reset
For more information, read the security advisory.
This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset.
It has a reasonable default budget for incoming RST_STREAM
frames. Applications can tune the rate limit by using
nghttp2_option_set_stream_reset_rate_limit. It can also implement
its own rate limit by implementing
and check RST_STREAM frame.
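An added example (not nghttp2's code and not part of the release notes): a self-contained token bucket that an application could apply to incoming RST_STREAM frames in its own frame-receive handling, using a burst and a per-second rate like the two parameters of nghttp2_option_set_stream_reset_rate_limit. The type and function names and the traffic numbers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection budget for incoming RST_STREAM frames. */
typedef struct {
  uint64_t burst;  /* bucket capacity: resets tolerated back to back */
  uint64_t rate;   /* tokens regained per second */
  uint64_t tokens; /* tokens currently available */
  uint64_t last_s; /* time of the last refill, in seconds */
} rst_limiter;

void rst_limiter_init(rst_limiter *l, uint64_t burst, uint64_t rate, uint64_t now_s) {
  *l = (rst_limiter){burst, rate, burst, now_s}; /* start with a full bucket */
}

/* Call once per received RST_STREAM frame. Returns 0 while the peer is
   within budget and -1 once it is exhausted (close the connection). */
int rst_limiter_on_reset(rst_limiter *l, uint64_t now_s) {
  if (now_s > l->last_s) {
    uint64_t elapsed = now_s - l->last_s;
    uint64_t room = l->burst - l->tokens;
    /* Refill without overflowing elapsed * rate and without exceeding burst. */
    if (l->rate != 0 && elapsed > room / l->rate) l->tokens = l->burst;
    else l->tokens += elapsed * l->rate;
    l->last_s = now_s;
  }
  if (l->tokens == 0) return -1;
  l->tokens--;
  return 0;
}

/* Constructed traffic: the peer sends per_s resets each second. Returns how
   many were accepted before the limiter tripped (or all, if it never did). */
uint64_t simulate(uint64_t burst, uint64_t rate, uint64_t per_s, uint64_t secs) {
  rst_limiter l;
  uint64_t accepted = 0;
  rst_limiter_init(&l, burst, rate, 0);
  for (uint64_t s = 0; s < secs; s++)
    for (uint64_t i = 0; i < per_s; i++) {
      if (rst_limiter_on_reset(&l, s) != 0) return accepted;
      accepted++;
    }
  return accepted;
}

int main(void) {
  printf("flood:  %llu accepted\n", (unsigned long long)simulate(10, 2, 5, 10));
  printf("normal: %llu accepted\n", (unsigned long long)simulate(10, 2, 2, 10));
  return 0;
}
```

A peer that resets streams faster than the refill rate drains the burst and trips the limiter, while a peer that stays at or below the rate never does.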
This release fixes a bug where
--single-process did not work.
It also fixes a bug where TLS connections were not rate limited.