./www/nghttp2, Implementation of HTTP/2 in C



Branch: CURRENT, Version: 1.61.0, Package name: nghttp2-1.61.0, Maintainer: pkgsrc-users

nghttp2 is an implementation of HTTP/2 in C.


Required to run:
[textproc/libxml2] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 1607.234 KB

CVS history:


   2024-04-04 19:42:01 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nghttp2: updated to 1.61.0

Nghttp2 v1.61.0

Security Advisory

CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage
   2024-03-23 18:57:13 by Greg Troxel | Files touched by this commit (1)
Log message:
www/nghttp2: Clarify c-only comment

The actual situation, a tarball mainly having a C library with an
example program in C++, was not explained clearly enough.
   2024-03-01 13:13:07 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nghttp2: updated to 1.60.0

Nghttp2 v1.60.0

lib

RFC 7540 priorities (aka stream dependencies) APIs have been deprecated. They work just like before, but in the future release after the end of 2024, the functionality is removed, and the deprecated APIs start behaving differently. See the API documentation for details. RFC 7540 priorities have been deprecated by RFC 9113. Consider migrating to the RFC 9218 extensible prioritization scheme.

The APIs that use ssize_t, including structs and callback functions, have been deprecated. New APIs that use nghttp2_ssize are introduced as a replacement. The usage of ssize_t is problematic for several reasons. Some platforms do not define ssize_t. The minimum value of ssize_t that POSIX requires is -1 which makes nghttp2 error code out of range. nghttp2_ssize is an alias of ptrdiff_t that is in C standard and covers our error code range.

New code should use new nghttp2_ssize APIs. The existing applications should consider migrating to new APIs.

The deprecated ssize_t APIs continue to work for backward compatibility.

Here is the summary of the deprecated APIs and their replacements:

Callback functions:

nghttp2_data_source_read_callback => nghttp2_data_source_read_callback2
nghttp2_data_source_read_length_callback => nghttp2_data_source_read_length_callback2
nghttp2_pack_extension_callback => nghttp2_pack_extension_callback2
nghttp2_recv_callback => nghttp2_recv_callback2
nghttp2_select_padding_callback => nghttp2_select_padding_callback2
nghttp2_send_callback => nghttp2_send_callback2

Structs:

nghttp2_data_provider => nghttp2_data_provider2

Functions:

nghttp2_hd_deflate_hd => nghttp2_hd_deflate_hd2
nghttp2_hd_deflate_hd_vec => nghttp2_hd_deflate_hd_vec2
nghttp2_hd_inflate_hd2 => nghttp2_hd_inflate_hd3
nghttp2_pack_settings_payload => nghttp2_pack_settings_payload2
nghttp2_session_callbacks_set_data_source_read_length_callback => nghttp2_session_callbacks_set_data_source_read_length_callback2
nghttp2_session_callbacks_set_pack_extension_callback => nghttp2_session_callbacks_set_pack_extension_callback2
nghttp2_session_callbacks_set_recv_callback => nghttp2_session_callbacks_set_recv_callback2
nghttp2_session_callbacks_set_select_padding_callback => nghttp2_session_callbacks_set_select_padding_callback2
nghttp2_session_callbacks_set_send_callback => nghttp2_session_callbacks_set_send_callback2
nghttp2_session_mem_recv => nghttp2_session_mem_recv2
nghttp2_session_mem_send => nghttp2_session_mem_send2
nghttp2_submit_data => nghttp2_submit_data2
nghttp2_submit_request => nghttp2_submit_request2
nghttp2_submit_response => nghttp2_submit_response2

For those applications that do not want to see ssize_t in nghttp2.h header file at all, define NGHTTP2_NO_SSIZE_T macro before including nghttp2.h. It hides all ssize_t APIs.
   2024-01-21 20:58:52 by Thomas Klausner | Files touched by this commit (4) | Package updated
Log message:
nghttp2*: update to 1.59.0

lib

This release adds API to get and parse RFC 9218 priority.

nghttp2_select_next_protocol() has been deprecated. Use nghttp2_select_alpn() instead.

build

The following dependencies have been updated:

    ngtcp2
    libbpf

h2load

h2load now considers all h2 HEADERS when counting bytes and recording TTFB.

This release fixes the bug that TTFB is not recorded if h3 stream has no data.

h2load now ignores 1xx status code.

IPv6 address is now enclosed by square brackets when set in :authority header field.

nghttpx

This release adds SSL_CTX_set_recv_max_early_data() call which OpenSSL requires.

__FILE_NAME__ macro is preferred if available.

nghttpx now propagates stream priority from backend to frontend.

This release fixes the bug that nghttpx sends QUIC RESET_STREAM when it receives RESET_STREAM from client.

src

This release drops old OpenSSL (< 1.1.1) support.

Now bundled applications can be built with aws-lc.
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-10-28 17:34:06 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.58.0

Nghttp2 v1.58.0

build

This release speeds up warning option detection with cmake.

The following dependencies have been updated:

    ngtcp2
    nghttp3

third-party

neverbleed has been updated.

nghttpx

This release introduces stricter transfer-encoding checks.

integration

Enable http3 test with cmake.
   2023-10-10 17:24:36 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.57.0

Nghttp2 v1.57.0

Security Advisory

CVE-2023-44487: HTTP/2 Rapid Reset

For more information, read the security advisory.

lib

This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset. It has a reasonable amount of default budget for incoming RST_STREAM frames. Applications can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. They can also implement their own rate limit by implementing nghttp2_on_frame_recv_callback and checking RST_STREAM frames.

nghttpx

This release fixes the bug that --single-process does not work. It also fixes the bug that TLS connection is not rate limited.
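
An application-side RST_STREAM budget of the kind the 1.57.0 note above mentions, as an added example (not nghttp2's code and not part of the commit message): a burst/rate token bucket that an application could consult once per RST_STREAM frame from its frame-received callback. All `rst_limiter_*` names and the sample numbers are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection token bucket for incoming RST_STREAM frames. */
typedef struct {
  uint64_t burst;  /* bucket capacity: frames tolerated back-to-back */
  uint64_t rate;   /* tokens regenerated per second */
  uint64_t tokens; /* tokens currently available */
  uint64_t last;   /* monotonic timestamp (seconds) of the last refill */
} rst_limiter;

void rst_limiter_init(rst_limiter *rl, uint64_t burst, uint64_t rate,
                      uint64_t now) {
  rl->burst = burst;
  rl->rate = rate;
  rl->tokens = burst; /* a new connection starts with a full budget */
  rl->last = now;
}

/* Call once per received RST_STREAM frame. Returns 0 while the peer is
 * within budget, -1 once it is exhausted (the caller should then close
 * the connection instead of continuing to process resets). */
int rst_limiter_on_rst_stream(rst_limiter *rl, uint64_t now) {
  if (now > rl->last) { /* ignore a clock that did not advance */
    uint64_t elapsed = now - rl->last;
    uint64_t room = rl->burst - rl->tokens;
    rl->last = now;
    /* Refill, capped at burst; the division avoids multiply overflow. */
    if (rl->rate != 0 && elapsed > room / rl->rate)
      rl->tokens = rl->burst;
    else
      rl->tokens += elapsed * rl->rate;
  }
  if (rl->tokens == 0) return -1;
  rl->tokens--;
  return 0;
}

/* Feed n frames that all arrive at time `now`; return how many passed. */
uint64_t rst_limiter_feed(rst_limiter *rl, uint64_t n, uint64_t now) {
  uint64_t ok = 0;
  while (n--) ok += (rst_limiter_on_rst_stream(rl, now) == 0);
  return ok;
}

int main(void) {
  rst_limiter rl;
  rst_limiter_init(&rl, 5, 2, 100); /* constructed values: burst 5, 2/s */
  printf("accepted %llu of 8 resets in one burst\n",
         (unsigned long long)rst_limiter_feed(&rl, 8, 100));
  return 0;
}
```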
   2023-09-06 20:03:32 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.56.0

Nghttp2 v1.56.0

third-party

llhttp has been updated.

nghttpx

Rework is done in functions that send ECN bits.

--frontend-quic-congestion-controller=bbr2 has been renamed to --frontend-quic-congestion-controller=bbrv2.

nghttpx, h2load

Fix issue that CMSG_DATA does not necessarily return an aligned pointer.