nghttp2 v1.45.1

• build: Fix compile error with libressl
• build: Always include optional files to EXTRA_DIST
• build: Add missing cmake files to EXTRA_DIST

nghttp2 v1.45.0

• lib: Stricter checks for pseudo-headers :method and :path (Patch from Michael Kaufmann) (GH-1613)
• doc: Rename sphinxcontrib to rubydomain to avoid module loading error
• doc: Allow SPHINXBUILD to be overridden by environment variable
• doc: Fix reference to non-existing nghttp2_option_set_max_send_header_block_size() in comment (Patch from Amir Livneh) (GH-1610)
• doc: update document for nghttp2_session_mem_recv (Patch from Jacky_Yin) (GH-1603)
• build: Build with OpenSSL v3.0.0
• build: Fix cmake Systemd warning
• nghttpx: Check that HTTP response message finished safely
• nghttpx: Use secure random to create websocket nonce
• nghttpx: Fix heap-use-after-free on initialization failure
• nghttpx: Add experimental HTTP/3 support
• nghttpx: Add "dnf" (= "do not forward") parameter to backend option (GH-1607)
• h2load: Add qlog output support (Patch from Hajime Fujita) (GH-1569)
• h2load: Add SSLKEYLOGFILE support (Patch from Lucas Pardue) (GH-1399)
• h2load: Add experimental HTTP/3 support
• nghttpd: Fix prototype mismatch for function 'file_read_callback' (Patch from lhuang04) (GH-1602)

nghttp2 v1.44.0

lib: Port new ngtcp2 map implementation
doc: Replace master with main
build: Add precious variables for libev and jemalloc and use JEMALLOC_CFLAGS
build: Add more --with-* configure flags
build: Add LIBTOOL_LDFLAGS configure variable
third-party: Bump llhttp to 6.0.2
src: Replace black-list with block-list
nghttpx: Fix max distance in weight group/address cycle comparison
nghttpx: Set connect_blocker and live_check after shuffling addresses
nghttpx: Replace master with main
nghttpx: Remove trailing white space after $method log variable (GH-1553)
h2load: Add --rps option (GH-1559)
h2load: Allow unit in -D option
asio: fix some typos (Patch from Jan Kundrát) (GH-1550)

nghttp2 v1.43.0

doc: Make doc generation work with sphinx v3.3 (GH-1547)
python: Require python3 for python bindings (GH-1548)
python: Require python3 for python scripts (GH-1546)
nghttpx: Make sure that Pool gets cleared when all buffers are returned (GH-1544)
nghttpx: Choose ECDSA cert if compatible signature algorithm available (GH-1542)
nghttpx: Add workaround to include ':' in backend pattern (GH-1537)

nghttp2 v1.42.0

• lib: fix ubsan errors (Patch from Asra Ali) (GH-1468)
• lib: Don't send RST_STREAM to idle stream (GH-1477)
• lib: nghttp2_map backed by nghttp2_ksl
• doc: Update sphinx_rtd_theme
• doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489)
• doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488)
• build: Add missing cmake/FindSystemd.cmake to dist (GH-1526)
• third-party: Bump llhttp to 2.2.0
• third-party: Bump mruby to 2.1.2
• nghttpx: Deal with the case when h2 backend is retired before it is initialized
• nghttpx: Add accesslog variables to record request path without query (GH-1511)
• nghttpx: Fix stall when TLS follows after proxy protocol
• nghttpx: Fix logging integer

nghttp2 v1.41.0

• Fix CVE-2020-11080
• lib: Implement max settings option (Patch from James M Snell)
• lib: Earlier check for settings flood (Patch from James M Snell)
• lib: Fix receiving stream data stall (GH-1444)
• build: cmake: Make hard-coded static lib suffix optional (Patch from Viktor Szakats) (GH-1418)
• third-party: Bump llhttp to 2.0.4 (GH-1442)
• nghttpx: Add PROXY-protocol v2 support (GH-1452)
• nghttpx: Fix get_x509_serial for long serial numbers (Patch from Jacky Tian) (GH-1455)
• h2load: Allow port in --connect-to
• h2load: add --connect-to option (Patch from Lucas Pardue) (GH-1426)

nghttp2 v1.40.0

• lib: Add nghttp2_check_authority as public API (GH-1413)
• lib: Fix the bug that stream is closed with wrong error code (GH-1408)
• lib: Faster huffman encoding and decoding (GH-1405)
• build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
• build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
• build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
• third-party: Update neverbleed to fix memory leak
• nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
• nghttpx: Reconnect h1 backend if it lost connection before sending headers
• nghttpx: Returns 408 if backend timed out before sending headers
• nghttpx: Fix request stall (GH-1378)

nghttp2 v1.39.2

This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

• Fix CVE-2019-9511 and CVE-2019-9513
• Add nghttp2_option_set_max_outbound_ack API function
• nghttpx: Fix request stall

nghttp2 v1.39.1

• nghttpx: Fix bug that log-level is not set with cmd-line or configuration file
• nghttpx: Fix FPE with default backend

nghttp2 v1.39.0

• lib: Ignore content-length in 200 response to CONNECT request (GH-1347)
• third-party: Upgrade mruby to 2.0.1 (GH-1337)
• asio: support boost-1.70 (Patch from Adam Gołębiowski) (GH-1335)
• src: Replace http-parser with llhttp (GH-1340)
• nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT (GH-1347)
• nghttpx: Fix unchanged log level on configuration reload (GH-1356)