We have released nghttp2 v1.57.0.

This release includes security advisory.

Security Advisory

CVE-2023-44487: HTTP/2 Rapid Reset

For more information, read the security advisory.

lib

This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset. It has reasonable amount of default budgets for incoming RST_STREAM frames. Application can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and check RST_STREAM frame.

nghttpx

This release fixes the bug that --single-process does not work. It also fixes the bug that TLS connection is not rate limited.

We have released nghttp2 v1.56.0.

build

The following dependencies have been updated:

• ngtcp2
• nghttp3
• BoringSSL
• quictls
• libbpf

third-party

llhttp has been updated.

nghttpx

Rework is done in functions that send ECN bits.

--frontend-quic-congestion-controller=bbr2 has been renamed to --frontend-quic-congestion-controller=bbrv2.

nghttpx, h2load

Fix issue that CMSG_DATA does not necessarily return an aligned pointer.

We have released nghttp2 v1.55.1.

This release includes security advisory.

Security Advisory

CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec

For more information, read the security advisory.

This CVE was filed by envoyproxy/envoy project, and has already been made public, and we did not take usual security procedure. See below why.

lib

This release fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent.

This issue has already been made public via CVE-2023-35945 issued by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.

PoC described in CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error. nghttp2 defines 2 fatal error codes:

• NGHTTP2_ERR_NOMEM
• NGHTTP2_ERR_CALLBACK_FAILURE

NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does something memory heavy processing.

NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.

We have released nghttp2 v1.55.0.

build

The following dependencies have been updated:

• ngtcp2
• nghttp3
• BoringSSL

This release fixes build error without libev.

third-party

llhttp has been updated.

Cross-compiling mruby is now supported.

nghttpx

UDP_GRO is enabled for QUIC socket.

The initial QUIC packet number is now randomized.

h2load

UDP_GRO is enabled for QUIC socket.

We have released nghttp2 v1.54.0.

build

The following dependencies have been updated:

• ngtcp2
• nghttp3
• OpenSSL(quictls)
• BoringSSL
• libbpf

h2load

This release fixes HTTP/3 upload stall bug.

We have released nghttp2 v1.53.0.

lib

libnghttp2 uses ngtcp2/sfparse to parse Structured Field Values.

build

The following dependencies have been updated:

• ngtcp2
• nghttp3
• OpenSSL(quictls)
• BoringSSL

third-party

Bumped mruby to 3.2.0.

nghttpx

nghttpx now sends NEW_TOKEN on path change.

This release fixes numeric hostname verification in peer certificate.

When quitting, nghttpx now waits for all worker processes to stop. Previously, we just exit the event loop when the last process exits. But the because of the bug, it does not work as intended.

nghttpx logs a correct PID on fork.

nghttpx now waits for new worker process to be ready before sending graceful shutdown event to the existing worker processes to avoid down time during configuration reload.

Fixes the bug that causes 400 response after HTTP upgrade failure.

We have released nghttp2 v1.52.0.

doc

sphinx_rtd_theme has been removed from the repository and archive.

build

The following dependencies have been updated:

• ngtcp2
• nghttp3
• OpenSSL(quictls)
• BoringSSL
• libbpf

CMake build now checks core and extra components to find libevent.

python

The deprecated Python bindings has been removed.

libnghttp2_asio

The deprecated libnghttp2_asio has been removed.

third-party

llhttp and neverbleed have been updated.

nghttpx

This release fixes the bug that stalls TLS connection.

integration

This release adds more http3 integration tests.

We have released nghttp2 v1.51.0.

lib

This release adds casts to silence implicit conversion warnings for windows build.

doc

Updated packages described in README based on Ubuntu 22.04.

Android documentation has been updated.

build

The following dependencies have been updated:

• Android NDK
• libbpf
• OpenSSL
• ngtcp2

Python bindings are now disabled by default because it has been deprecated.

third-party

llhttp has been updated.

nghttpx

This release fixes affinity-cookie-stickiness parameter handling.

integration

This release adds http3 integration test.

We have released nghttp2 v1.50.0.

lib

This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation which disables checking leading and trailing white spaces against HTTP field value.

nghttpx

nghttpx now respects backend-address-family option when dynamically resolving backend host with dns parameter in backend option.

We have released nghttp2 v1.49.0.

lib

This release adds nghttp2_check_header_value_rfc9113 which complains leading and trailing white spaces. The library now uses this function instead of nghttp2_check_header_value when checking HTTP header fields.

asio

libnghttp2_asio has been moved to its own repository and got new maintainer. libnghttp2_asio related code in nghttp2 repository will not get any updates and be removed at the end of 2022.

python

Python bindings have been deprecated, and will not get any updates and be removed at the end of 2022 due to the maintenance issues.

nghttpx

Randomizing backend server selection has been added again.

The broken PROXY-protocol when TLS is used has been fixed.

nghttpx now removes trailing white spaces from HTTP header fields to align with RFC 9113.