We have released nghttp2 v1.58.0.
This release fixes build issues with cygwin and mingw.
This release speeds up warning option detection with cmake.
The following dependencies have been updated:
neverbleed has been updated.
This release introduces stricter transfer-encoding checks.
Enable http3 test with cmake.
We have released nghttp2 v1.57.0.
This release includes security advisory.
CVE-2023-44487: HTTP/2 Rapid Reset
For more information, read the security advisory.
This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset.
It has reasonable amount of default budgets for incoming RST_STREAM
frames. Application can tune the rate limit by using
nghttp2_option_set_stream_reset_rate_limit. It can also implement
its own rate limit by implementing nghttp2_on_frame_recv_callback
and check RST_STREAM frame.
This release fixes the bug that --single-process does not work.
It also fixes the bug that TLS connection is not rate limited.
We have released nghttp2 v1.56.0.
The following dependencies have been updated:
llhttp has been updated.
Rework is done in functions that send ECN bits.
--frontend-quic-congestion-controller=bbr2 has been renamed to
--frontend-quic-congestion-controller=bbrv2.
Fix issue that CMSG_DATA does not necessarily return an aligned pointer.
We have released nghttp2 v1.55.1.
This release includes security advisory.
CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec
For more information, read the security advisory.
This CVE was filed by envoyproxy/envoy project, and has already been made public, and we did not take usual security procedure. See below why.
This release fixes memory leak that happens when PUSH_PROMISE or
HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback
fails with a fatal error. For example, if GOAWAY frame has been
received, a HEADERS frame that opens new stream cannot be sent.
This issue has already been made public via CVE-2023-35945 issued by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.
PoC described in CVE is quite simple, but I think it is not enough to
trigger this bug. While it is true that receiving GOAWAY prevents a
client from opening new stream, and nghttp2 enters error handling
branch, in order to cause the memory leak,
nghttp2_session_close_stream function must return a fatal error.
nghttp2 defines 2 fatal error codes:
NGHTTP2_ERR_NOMEMNGHTTP2_ERR_CALLBACK_FAILURENGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory.
It is unlikely that a process gets short of memory with this simple
PoC scenario unless application does something memory heavy
processing.
NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined
callback function (nghttp2_on_stream_close_callback, in this case),
which indicates something fatal happened inside a callback, and a
connection must be closed immediately without any further action. As
nghttp2_on_stream_close_error_callback documentation says, any error
code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as
fatal error code. More specifically, it is treated as if
NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy
returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is
translated into NGHTTP2_ERR_CALLBACK_FAILURE.
We have released nghttp2 v1.55.0.
The following dependencies have been updated:
This release fixes build error without libev.
llhttp has been updated.
Cross-compiling mruby is now supported.
UDP_GRO is enabled for QUIC socket.
The initial QUIC packet number is now randomized.
UDP_GRO is enabled for QUIC socket.
We have released nghttp2 v1.54.0.
The following dependencies have been updated:
This release fixes HTTP/3 upload stall bug.
We have released nghttp2 v1.53.0.
libnghttp2 uses ngtcp2/sfparse to parse Structured Field Values.
The following dependencies have been updated:
Bumped mruby to 3.2.0.
nghttpx now sends NEW_TOKEN on path change.
This release fixes numeric hostname verification in peer certificate.
When quitting, nghttpx now waits for all worker processes to stop. Previously, we just exit the event loop when the last process exits. But the because of the bug, it does not work as intended.
nghttpx logs a correct PID on fork.
nghttpx now waits for new worker process to be ready before sending graceful shutdown event to the existing worker processes to avoid down time during configuration reload.
Fixes the bug that causes 400 response after HTTP upgrade failure.
We have released nghttp2 v1.52.0.
sphinx_rtd_theme has been removed from the repository and archive.
The following dependencies have been updated:
CMake build now checks core and extra components to find libevent.
The deprecated Python bindings has been removed.
The deprecated libnghttp2_asio has been removed.
llhttp and neverbleed have been updated.
This release fixes the bug that stalls TLS connection.
This release adds more http3 integration tests.
We have released nghttp2 v1.51.0.
This release adds casts to silence implicit conversion warnings for windows build.
Updated packages described in README based on Ubuntu 22.04.
Android documentation has been updated.
The following dependencies have been updated:
Python bindings are now disabled by default because it has been deprecated.
llhttp has been updated.
This release fixes affinity-cookie-stickiness parameter handling.
This release adds http3 integration test.
We have released nghttp2 v1.50.0.
This release adds
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
which disables checking leading and trailing white spaces against HTTP
field value.
nghttpx now respects backend-address-family option when dynamically
resolving backend host with dns parameter in backend option.