Subject: CVS commit: pkgsrc/www/nghttp2
From: Adam Ciarcinski
Date: 2023-10-10 17:24:36
Message id: 20231010152436.4373DFADC@cvs.NetBSD.org

Log Message:
nghttp2 nghttp2-tools: updated to 1.57.0

Nghttp2 v1.57.0

Security Advisory

CVE-2023-44487: HTTP/2 Rapid Reset

For more information, read the security advisory.

lib

This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset. It has \ 
reasonable amount of default budgets for incoming RST_STREAM frames. Application \ 
can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It \ 
can also implement its own rate limit by implementing \ 
nghttp2_on_frame_recv_callback and check RST_STREAM frame.

nghttpx

This release fixes the bug that --single-process does not work. It also fixes \ 
the bug that TLS connection is not rate limited.

Files:
RevisionActionfile
1.19modifypkgsrc/www/nghttp2/Makefile.common
1.65modifypkgsrc/www/nghttp2/distinfo