./www/nghttp2, Implementation of HTTP/2 in C



Branch: CURRENT, Version: 1.59.0, Package name: nghttp2-1.59.0, Maintainer: pkgsrc-users

nghttp2 is an implementation of HTTP/2 in C.


Required to run:
[textproc/libxml2] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Filesize: 1510.699 KB

CVS history:


   2024-01-21 20:58:52 by Thomas Klausner | Files touched by this commit (4) | Package updated
Log message:
nghttp2*: update to 1.59.0

lib

This release adds API to get and parse RFC 9218 priority.

nghttp2_select_next_protocol() has been deprecated. Use nghttp2_select_alpn() instead.

build

The following dependencies have been updated:

    ngtcp2
    libbpf

h2load

h2load now considers all h2 HEADERS when counting bytes and recording TTFB.

This release fixes the bug that TTFB is not recorded if h3 stream has no data.

h2load now ignores 1xx status code.

IPv6 address is now enclosed by square brackets when set in :authority header field.

nghttpx

This release adds SSL_CTX_set_recv_max_early_data() call which OpenSSL requires.

__FILE_NAME__ macro is preferred if available.

nghttpx now propagates stream priority from backend to frontend.

This release fixes the bug that nghttpx sends QUIC RESET_STREAM when it receives RESET_STREAM from client.

src

This release drops old OpenSSL (< 1.1.1) support.

Now bundled applications can be built with aws-lc.
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-10-28 17:34:06 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.58.0

Nghttp2 v1.58.0

build

This release speeds up warning option detection with cmake.

The following dependencies have been updated:

ngtcp2
nghttp3

third-party

neverbleed has been updated.

nghttpx

This release introduces stricter transfer-encoding checks.

integration

Enable http3 test with cmake.
   2023-10-10 17:24:36 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.57.0

Nghttp2 v1.57.0

Security Advisory

CVE-2023-44487: HTTP/2 Rapid Reset

For more information, read the security advisory.

lib

This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset. It has reasonable amount of default budgets for incoming RST_STREAM frames. Application can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and check RST_STREAM frame.

nghttpx

This release fixes the bug that --single-process does not work. It also fixes the bug that TLS connection is not rate limited.
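
Added example, not part of the commit message and not nghttp2's own code: a per-connection token bucket of the kind an application could drive from its nghttp2_on_frame_recv_callback to budget incoming RST_STREAM frames, as the 1.57.0 notes describe. The names rst_limiter, rst_limiter_init, rst_limiter_on_rst and rst_limiter_flood, and the burst/rate values, are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection token bucket for incoming RST_STREAM frames.
   All names here are made up for this example; none are nghttp2 API. */
typedef struct {
  uint64_t burst;    /* bucket capacity: resets tolerated back to back */
  uint64_t rate;     /* tokens refilled per second */
  uint64_t tokens;   /* resets still allowed right now */
  uint64_t last_sec; /* monotonic time of the last refill, in seconds */
} rst_limiter;

void rst_limiter_init(rst_limiter *rl, uint64_t burst, uint64_t rate, uint64_t now_sec) {
  rl->burst = burst;
  rl->rate = rate;
  rl->tokens = burst;
  rl->last_sec = now_sec;
}

/* Call once per received RST_STREAM frame. Returns 0 while the peer is
   within budget, -1 once it is exhausted (caller then drops the connection). */
int rst_limiter_on_rst(rst_limiter *rl, uint64_t now_sec) {
  if (now_sec > rl->last_sec) { /* a clock that steps back earns no refill */
    uint64_t elapsed = now_sec - rl->last_sec;
    uint64_t room = rl->burst - rl->tokens;
    /* Cap at the free room before multiplying so elapsed * rate cannot overflow. */
    if (rl->rate != 0 && elapsed > room / rl->rate) rl->tokens = rl->burst;
    else rl->tokens += elapsed * rl->rate;
    rl->last_sec = now_sec;
  }
  if (rl->tokens == 0) return -1;
  rl->tokens--;
  return 0;
}

/* Feeds n resets at the same timestamp; returns how many were accepted. */
unsigned rst_limiter_flood(rst_limiter *rl, uint64_t now_sec, unsigned n) {
  unsigned accepted = 0;
  for (unsigned i = 0; i < n; i++)
    if (rst_limiter_on_rst(rl, now_sec) == 0) accepted++;
  return accepted;
}

int main(void) {
  rst_limiter rl;
  rst_limiter_init(&rl, 4, 2, 100); /* constructed values: burst 4, 2 per second */
  printf("t=100: %u of 10 accepted\n", rst_limiter_flood(&rl, 100, 10));
  return 0;
}
```

The limiter is kept per connection so that one peer exhausting its budget does not affect others; the timestamp should come from a monotonic clock.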
   2023-09-06 20:03:32 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.56.0

Nghttp2 v1.56.0

third-party

llhttp has been updated.

nghttpx

Rework is done in functions that send ECN bits.

--frontend-quic-congestion-controller=bbr2 has been renamed to --frontend-quic-congestion-controller=bbrv2.

nghttpx, h2load

Fix issue that CMSG_DATA does not necessarily return an aligned pointer.
   2023-07-15 18:07:29 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.55.1

Nghttp2 v1.55.1

Security Advisory

CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec

For more information, read the security advisory.

This CVE was filed by envoyproxy/envoy project, and has already been made public, and we did not take usual security procedure. See below why.

lib

This release fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent.

This issue has already been made public via CVE-2023-35945 issued by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.

PoC described in CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error. nghttp2 defines 2 fatal error codes:

NGHTTP2_ERR_NOMEM
NGHTTP2_ERR_CALLBACK_FAILURE

NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does some memory-heavy processing.

NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.
   2023-07-13 16:25:59 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nghttp2, nghttp2-tools: updated to 1.55.0

Nghttp2 v1.55.0

build

The following dependencies have been updated:

ngtcp2
nghttp3
BoringSSL

This release fixes build error without libev.

third-party

llhttp has been updated.

Cross-compiling mruby is now supported.

nghttpx

UDP_GRO is enabled for QUIC socket.

The initial QUIC packet number is now randomized.

h2load

UDP_GRO is enabled for QUIC socket.
   2023-06-09 11:49:29 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
nghttp2 nghttp2-tools: updated to 1.54.0

nghttp2 v1.54.0

nghttpx: Consistent error handling and use of high-level API
h2load: Fix http3 upload stall
h2load: Use std::chrono::steady_clock for quic timestamp
Avoid ev_now
Remove unused macro bswap64
Bump ngtcp2 and nghttp3
Bump libbpf to v1.2.0
Avoid copies