Releases: nghttp2/nghttp2
nghttp2 v1.45.1
- build: Fix compile error with libressl
- build: Always include optional files to EXTRA_DIST
- build: Add missing cmake files to EXTRA_DIST
nghttp2 v1.45.0
- lib: Stricter checks for pseudo-headers :method and :path (Patch from Michael Kaufmann) (GH-1613)
- doc: Rename sphinxcontrib to rubydomain to avoid module loading error
- doc: Allow SPHINXBUILD to be overridden by environment variable
- doc: Fix reference to non-existing nghttp2_option_set_max_send_header_block_size() in comment (Patch from Amir Livneh) (GH-1610)
- doc: update document for nghttp2_session_mem_recv (Patch from Jacky_Yin) (GH-1603)
- build: Build with OpenSSL v3.0.0
- build: Fix cmake Systemd warning
- nghttpx: Check that HTTP response message finished safely
- nghttpx: Use secure random to create websocket nonce
- nghttpx: Fix heap-use-after-free on initialization failure
- nghttpx: Add experimental HTTP/3 support
- nghttpx: Add "dnf" (= "do not forward") parameter to backend option (GH-1607)
- h2load: Add qlog output support (Patch from Hajime Fujita) (GH-1569)
- h2load: Add SSLKEYLOGFILE support (Patch from Lucas Pardue) (GH-1399)
- h2load: Add experimental HTTP/3 support
- nghttpd: Fix prototype mismatch for function 'file_read_callback' (Patch from lhuang04) (GH-1602)
nghttp2 v1.44.0
lib: Port new ngtcp2 map implementation
doc: Replace master with main
build: Add precious variables for libev and jemalloc and use JEMALLOC_CFLAGS
build: Add more --with-* configure flags
build: Add LIBTOOL_LDFLAGS configure variable
third-party: Bump llhttp to 6.0.2
src: Replace black-list with block-list
nghttpx: Fix max distance in weight group/address cycle comparison
nghttpx: Set connect_blocker and live_check after shuffling addresses
nghttpx: Replace master with main
nghttpx: Remove trailing white space after $method log variable (GH-1553)
h2load: Add --rps option (GH-1559)
h2load: Allow unit in -D option
asio: fix some typos (Patch from Jan Kundrát) (GH-1550)
nghttp2 v1.43.0
doc: Make doc generation work with sphinx v3.3 (GH-1547)
python: Require python3 for python bindings (GH-1548)
python: Require python3 for python scripts (GH-1546)
nghttpx: Make sure that Pool gets cleared when all buffers are returned (GH-1544)
nghttpx: Choose ECDSA cert if compatible signature algorithm available (GH-1542)
nghttpx: Add workaround to include ':' in backend pattern (GH-1537)
nghttp2 v1.42.0
- lib: fix ubsan errors (Patch from Asra Ali) (GH-1468)
- lib: Don't send RST_STREAM to idle stream (GH-1477)
- lib: nghttp2_map backed by nghttp2_ksl
- doc: Update sphinx_rtd_theme
- doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489)
- doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488)
- build: Add missing cmake/FindSystemd.cmake to dist (GH-1526)
- third-party: Bump llhttp to 2.2.0
- third-party: Bump mruby to 2.1.2
- nghttpx: Deal with the case when h2 backend is retired before it is initialized
- nghttpx: Add accesslog variables to record request path without query (GH-1511)
- nghttpx: Fix stall when TLS follows after proxy protocol
- nghttpx: Fix logging integer
nghttp2 v1.41.0
- Fix CVE-2020-11080
- lib: Implement max settings option (Patch from James M Snell)
- lib: Earlier check for settings flood (Patch from James M Snell)
- lib: Fix receiving stream data stall (GH-1444)
- build: cmake: Make hard-coded static lib suffix optional (Patch from Viktor Szakats) (GH-1418)
- third-party: Bump llhttp to 2.0.4 (GH-1442)
- nghttpx: Add PROXY-protocol v2 support (GH-1452)
- nghttpx: Fix get_x509_serial for long serial numbers (Patch from Jacky Tian) (GH-1455)
- h2load: Allow port in --connect-to
- h2load: add --connect-to option (Patch from Lucas Pardue) (GH-1426)
nghttp2 v1.40.0
- lib: Add nghttp2_check_authority as public API (GH-1413)
- lib: Fix the bug that stream is closed with wrong error code (GH-1408)
- lib: Faster huffman encoding and decoding (GH-1405)
- build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
- build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
- build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stall (GH-1378)
nghttp2 v1.39.2
This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.
- Fix CVE-2019-9511 and CVE-2019-9513
- Add nghttp2_option_set_max_outbound_ack API function
- nghttpx: Fix request stall
nghttp2 v1.39.1
- nghttpx: Fix bug that log-level is not set with cmd-line or configuration file
- nghttpx: Fix FPE with default backend
nghttp2 v1.39.0
- lib: Ignore content-length in 200 response to CONNECT request (GH-1347)
- third-party: Upgrade mruby to 2.0.1 (GH-1337)
- asio: support boost-1.70 (Patch from Adam Gołębiowski) (GH-1335)
- src: Replace http-parser with llhttp (GH-1340)
- nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT (GH-1347)
- nghttpx: Fix unchanged log level on configuration reload (GH-1356)