We have released nghttp2 v1.57.0.
This release includes a security advisory.
Security Advisory
CVE-2023-44487: HTTP/2 Rapid Reset
For more information, read the security advisory.
lib
This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset.
It has a reasonable default budget for incoming RST_STREAM frames. An application can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and checking for RST_STREAM frames.
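A sketch of the second option, an application-side budget for RST_STREAM frames, written as an added example and not taken from nghttp2's code. The rst_limiter type, its functions and the numbers in main are assumptions made for illustration; it is kept free of nghttp2 headers so it compiles on its own, and the comment marks where it would be called from the callback.

```c
#include <stdint.h>
#include <stdio.h>

#define FRAME_TYPE_RST_STREAM 0x03 /* RFC 9113, section 6.4 */

/* Hypothetical per-connection token bucket; all names here are assumptions. */
typedef struct {
  uint64_t burst;   /* bucket capacity: resets tolerated back to back */
  uint64_t rate;    /* tokens regenerated per second */
  uint64_t tokens;  /* tokens currently available */
  uint64_t last_ts; /* time of the last refill, in seconds */
} rst_limiter;

void rst_limiter_init(rst_limiter *rl, uint64_t burst, uint64_t rate,
                      uint64_t now) {
  *rl = (rst_limiter){burst, rate, burst, now}; /* start with a full bucket */
}

/* Add rate tokens per elapsed second, capped at burst, without overflow. */
static void rst_limiter_refill(rst_limiter *rl, uint64_t now) {
  uint64_t elapsed;
  if (now <= rl->last_ts) return; /* no time passed, or clock went backwards */
  elapsed = now - rl->last_ts;
  rl->last_ts = now;
  if (rl->rate != 0 && elapsed > (rl->burst - rl->tokens) / rl->rate)
    rl->tokens = rl->burst;
  else
    rl->tokens += elapsed * rl->rate;
}

/* Call from the application's nghttp2_on_frame_recv_callback with
   frame->hd.type. Returns 0 while within budget, -1 once the peer has
   exceeded it; the application then drops the connection. */
int rst_limiter_on_frame(rst_limiter *rl, uint8_t frame_type, uint64_t now) {
  if (frame_type != FRAME_TYPE_RST_STREAM) return 0;
  rst_limiter_refill(rl, now);
  if (rl->tokens == 0) return -1;
  rl->tokens--;
  return 0;
}

int main(void) {
  rst_limiter rl;
  rst_limiter_init(&rl, 3, 1, 100); /* constructed: burst 3, 1 token/s */
  for (int i = 1; i <= 5; i++)      /* five resets within the same second */
    printf("RST_STREAM #%d -> %d\n", i,
           rst_limiter_on_frame(&rl, FRAME_TYPE_RST_STREAM, 100));
  return 0;
}
```

Keep one limiter per connection, not per stream, since each reset arrives on a different stream.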
nghttpx
This release fixes the bug that --single-process does not work.
It also fixes the bug that TLS connections are not rate limited.