Subject: CVS commit: pkgsrc/www
From: Adam Ciarcinski
Date: 2020-06-02 21:12:55
Message id: 20200602191255.7A6ABFB27@cvs.NetBSD.org
Log Message:
nghttp2: updated to 1.14.0
Nghttp2 v1.41.0
Security Advisory
CVE-2020-11080: Denial of service: Overly large SETTINGS frames
For more information, read the security advisory.
lib
This release implements nghttp2_option_set_max_settings API which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves SETTINGS flood check earlier to make it more effective.
The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is default), after window size is set to 0 by nghttp2_session_set_local_window_size, once the receiving window is exhausted, even after window size is increased by nghttp2_session_set_local_window_size, no more data can be received. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. It is only triggered when new data arrives but since window is filled up, no more data can be received, thus deadlock happens.
build
With cmake build, the hard-coded static lib suffix is now optional.
nghttpx
proxyprotocol v2 has been implemented.
The bug in getting certificate serial number with mruby script has been fixed.
h2load
New option, --connect-to, is added.
Files:
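
Added example, not part of the commit message and not nghttp2's own code: a stand-alone C sketch of the kind of per-frame SETTINGS entry limit the release notes describe, showing that the entry count follows from the 9-byte HTTP/2 frame header (RFC 7540) so an oversized frame can be refused before any entry is parsed. The function names, verdict codes and the MAX_ENTRIES value of 32 are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_HDRLEN   9     /* RFC 7540: length(24) type(8) flags(8) R+stream id(32) */
#define TYPE_SETTINGS  0x04
#define FLAG_ACK       0x01
#define ENTRY_LEN      6     /* identifier(16) + value(32) */
#define MAX_ENTRIES    32    /* assumed limit for this example */

enum verdict { V_OK = 0, V_SHORT = -1, V_NOT_SETTINGS = -2, V_MALFORMED = -3, V_TOO_MANY = -4 };

/* Classify a SETTINGS frame from its header alone, so an oversized frame is
 * refused before any entry is buffered or parsed. */
int check_settings_header(const uint8_t *hd, size_t len, size_t max_entries, size_t *n_entries)
{
    if (len < FRAME_HDRLEN) return V_SHORT;
    uint32_t payload = ((uint32_t)hd[0] << 16) | ((uint32_t)hd[1] << 8) | hd[2];
    uint32_t stream_id = (((uint32_t)hd[5] << 24) | ((uint32_t)hd[6] << 16) |
                          ((uint32_t)hd[7] << 8) | hd[8]) & 0x7fffffffu;
    if (hd[3] != TYPE_SETTINGS) return V_NOT_SETTINGS;
    if (stream_id != 0) return V_MALFORMED;                     /* SETTINGS is connection-level */
    if (payload % ENTRY_LEN != 0) return V_MALFORMED;           /* partial entry */
    if ((hd[4] & FLAG_ACK) && payload != 0) return V_MALFORMED; /* ACK carries no entries */
    if (payload / ENTRY_LEN > max_entries) return V_TOO_MANY;
    *n_entries = payload / ENTRY_LEN;
    return V_OK;
}

/* Build a constructed SETTINGS header on stream 0 for the demo. */
void make_settings_header(uint8_t hd[FRAME_HDRLEN], uint32_t payload_len, uint8_t flags)
{
    hd[0] = (uint8_t)(payload_len >> 16); hd[1] = (uint8_t)(payload_len >> 8); hd[2] = (uint8_t)payload_len;
    hd[3] = TYPE_SETTINGS; hd[4] = flags;
    hd[5] = hd[6] = hd[7] = hd[8] = 0;
}

int main(void)
{
    /* Constructed payload lengths: 3 entries, exactly the limit, one over, the
     * largest 24-bit length that is a multiple of 6, and a truncated entry. */
    const uint32_t samples[] = { 18, 192, 198, 16777212, 7 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t hd[FRAME_HDRLEN];
        size_t n = 0;
        make_settings_header(hd, samples[i], 0);
        int v = check_settings_header(hd, sizeof hd, MAX_ENTRIES, &n);
        printf("payload=%u verdict=%d entries=%zu\n", (unsigned)samples[i], v, n);
    }
    return 0;
}
```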