nghttp2.org

HTTP/2 C library and tools

Nghttp2 v1.45.1

We have released nghttp2 v1.45.1.

build

This release fixes a packaging issue in which some configuration files were missing from the tar archives.

Nghttp2 v1.45.0

We have released nghttp2 v1.45.0.

lib

Stricter checks for :method and :path pseudo header fields are introduced.

build

nghttp2 applications can be compiled with OpenSSL v3.0.0.

Fix warning about systemd when cmake is used.

Added build options to enable HTTP/3 and eBPF.

nghttpx

The experimental HTTP/3 support has been added.

“dnf” (= “do not forward”) parameter is added to backend option.

h2load

The experimental HTTP/3 support has been added.

SSLKEYLOGFILE environment variable support has been added.

Nghttp2 v1.44.0

We have released nghttp2 v1.44.0.

build

More --with-* configure options have been added:

  • --with-jansson
  • --with-zlib
  • --with-libevent-openssl
  • --with-libcares
  • --with-openssl
  • --with-libev
  • --with-cunit

The following precious variables have been added:

  • LIBEV_CFLAGS
  • LIBEV_LIBS
  • JEMALLOC_CFLAGS
  • JEMALLOC_LIBS
  • LIBTOOL_LDFLAGS

third-party

Bump llhttp to v6.0.2.

nghttpx

The bug which prevents a backend that is temporarily excluded from a load balancing group from being restored has been fixed.

The word master is replaced with main. The nghttpx master process is now called the main process.

--no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively.

Remove trailing white space after $method log variable.

h2load

--rps option has been added.

The time unit (e.g., ms) is now allowed in -D option.

Nghttp2 v1.43.0

We have released nghttp2 v1.43.0.

This release has no changes in libnghttp2.

doc

Documentation is now built with Sphinx 3.3.0 or later.

python

The python binding now requires Python 3.

All Python scripts for nghttp2 development have been converted to be Python 3 compatible.

nghttpx

This release fixes a potential memory issue in which a memory pool gets cleared while it is still in use.

An ECDSA certificate is now chosen when a compatible signature algorithm is available.

This release adds a workaround to include ‘:’ in backend pattern.

Nghttp2 v1.42.0

We have released nghttp2 v1.42.0.

lib

The UBSAN errors are now fixed.

nghttp2_map is now backed by tree for storing collisions.

doc

Some clarifications are made for nghttp2_session_send function.

build

The missing cmake/FindSystemd.cmake has been added to the tar distribution.

third-party

Bump llhttp to 2.2.0 and mruby to 2.1.2.

nghttpx

This release fixes the bug that nghttpx cannot deal with the case when h2 backend is retired before it is initialized.

New access logging variables are added: $method, $path, $path_without_query, and $protocol_version.

The bug that makes nghttpx stall when TLS follows after proxy protocol was fixed.

The bug in logging negative integer is fixed.

Nghttp2 v1.41.0

We have released nghttp2 v1.41.0.

This release includes a security advisory.

Security Advisory

CVE-2020-11080: Denial of service: Overly large SETTINGS frames

For more information, read the security advisory.

lib

This release implements the nghttp2_option_set_max_settings API, which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves the SETTINGS flood check earlier to make it more effective.
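A self-contained C model of the per-frame entry limit described above, as an added example that is not nghttp2's own code. The function names, the verdict enum and the cap of 32 passed in main are assumptions of this example; with nghttp2 itself the limit is set through nghttp2_option_set_max_settings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_HDLEN 9 /* HTTP/2 frame header: length(3) type(1) flags(1) stream id(4) */
#define ENTRY_LEN 6   /* one SETTINGS entry: 16-bit identifier + 32-bit value */

enum verdict { SETTINGS_OK, SETTINGS_MALFORMED, SETTINGS_TOO_MANY };

/* Judge a SETTINGS frame from its header, so that a frame with too many
   entries is refused before any entry is processed. */
enum verdict check_settings(const uint8_t *buf, size_t len, size_t max_entries) {
  if (len < FRAME_HDLEN || buf[3] != 0x04) return SETTINGS_MALFORMED; /* 0x04 = SETTINGS */
  size_t payload = ((size_t)buf[0] << 16) | ((size_t)buf[1] << 8) | buf[2];
  uint32_t stream_id = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16) |
                       ((uint32_t)buf[7] << 8) | buf[8];
  if (stream_id != 0 || payload % ENTRY_LEN != 0) return SETTINGS_MALFORMED;
  if ((buf[4] & 0x01) && payload != 0) return SETTINGS_MALFORMED; /* ACK must be empty */
  if (payload / ENTRY_LEN > max_entries) return SETTINGS_TOO_MANY;
  if (len - FRAME_HDLEN < payload) return SETTINGS_MALFORMED; /* truncated */
  return SETTINGS_OK;
}

/* Constructed sample input: a SETTINGS frame with n entries, each
   SETTINGS_MAX_CONCURRENT_STREAMS (0x3) = 100. Returns frame length, 0 on error. */
size_t build_settings(uint8_t *out, size_t cap, size_t n) {
  size_t payload = n * ENTRY_LEN;
  if (payload > 0xffffff || cap < FRAME_HDLEN + payload) return 0;
  memset(out, 0, FRAME_HDLEN + payload);
  out[0] = (uint8_t)(payload >> 16);
  out[1] = (uint8_t)(payload >> 8);
  out[2] = (uint8_t)payload;
  out[3] = 0x04;
  for (size_t i = 0; i < n; i++) {
    uint8_t *e = out + FRAME_HDLEN + i * ENTRY_LEN;
    e[1] = 0x03; /* identifier */
    e[5] = 100;  /* value */
  }
  return FRAME_HDLEN + payload;
}

int main(void) {
  static uint8_t frame[FRAME_HDLEN + 2730 * ENTRY_LEN]; /* 2730 entries fit in a 16384-byte payload */
  size_t n = build_settings(frame, sizeof frame, 3);
  printf("3 entries, cap 32: %d\n", check_settings(frame, n, 32)); /* cap is this example's choice */
  n = build_settings(frame, sizeof frame, 2000);
  printf("2000 entries, cap 32: %d\n", check_settings(frame, n, 32));
  return 0;
}
```

The entry count comes from the 24-bit length field alone, so the cap can be applied as soon as the 9-byte header has arrived.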

The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is the default), after the window size is set to 0 by nghttp2_session_set_local_window_size and the receiving window is exhausted, no more data can be received even after the window size is increased by nghttp2_session_set_local_window_size. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. WINDOW_UPDATE is only triggered when new data arrives, but since the window is filled up, no more data can be received, and thus a deadlock happens.

build

With cmake build, the hard-coded static lib suffix is now optional.

nghttpx

proxyprotocol v2 has been implemented.

The bug in getting certificate serial number with mruby script has been fixed.

h2load

New option, --connect-to, is added.

Nghttp2 v1.40.0

We have released nghttp2 v1.40.0.

lib

New API function nghttp2_check_authority has been added.

This release fixes the bug that nghttp2_on_stream_close_callback is called with the wrong error code.

HPACK huffman encoding and decoding get faster.

build

With cmake build, filename collision is now avoided.

New flag ENABLE_STATIC_CRT is added for Windows cmake build.

Support building nghttpx with systemd has been added to cmake.

third-party

neverbleed memory leak has been fixed.

nghttpx

This release fixes the bug that mruby script is incorrectly shared between backends with different configurations.

Now nghttpx reconnects to h1 backend if it lost connection before sending header fields.

nghttpx returns 408 if backend timed out before sending header fields.

The bug that makes nghttpx stall when backend connection is reused and buffer is full has been fixed.

Nghttp2 v1.39.2

We have released nghttp2 v1.39.2.

This release addresses the following security issues.

Security Advisory

  • CVE-2019-9511: Data Dribble
  • CVE-2019-9513: Resource Loop

Vulnerability

The details of advisories are described here.

libnghttp2 itself is not affected by vulnerabilities reported above.

nghttpx and nghttpd are subject to Denial of Service by consuming CPU time with CVE-2019-9511 and CVE-2019-9513.

Affected Versions

  • Affected versions: nghttp2 version < 1.39.2
  • Not affected versions: nghttp2 >= 1.39.2

The Solution

Upgrade to nghttp2 v1.39.2.

For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

Nghttp2 v1.39.1

We have released nghttp2 v1.39.1.

This release fixes critical bugs in v1.39.0.

nghttpx

This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend.

Nghttp2 v1.39.0

We have released nghttp2 v1.39.0.

lib

libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.

third-party

mruby has been upgraded to 2.0.1.

asio

libnghttp2-asio now supports boost-1.70.

src

http-parser has been replaced with llhttp.

nghttpx

nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

This release fixes the bug that the log level does not change to the default value on configuration reload if log-level option is missing in new configuration.