Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: nghttp2 | Distribution: openSUSE:Factory:zSystems |
Version: 1.58.0 | Vendor: openSUSE |
Release: 1.1 | Build date: Mon Nov 27 22:52:38 2023 |
Group: Development/Libraries/C and C++ | Build host: s390zl22 |
Size: 1609440 | Source RPM: nghttp2-1.58.0-1.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://nghttp2.org/ | |
Summary: Implementation of Hypertext Transfer Protocol version 2 in C |
This is an implementation of Hypertext Transfer Protocol version 2. The framing layer of HTTP/2 is implemented as a form of reusable C library. On top of that, we have implemented HTTP/2 client, server and proxy. We have also developed load test and benchmarking tool for HTTP/2. HPACK encoder and decoder are available as public API.
MIT
* Sat Nov 25 2023 Dirk Müller <dmueller@suse.com> - update to 1.58.0: * Update manual pages * Bump neverbleed * Bump ngtcp2 * Prefer clock_gettime if __CYGWIN__ defined * Do not require strict c++ mode * nghttpx: Stricter transfer-encoding checks * Refactor character comparison * Integration servertester h3 * integration: Enable http3 test with cmake * Tue Nov 21 2023 Dirk Müller <dmueller@suse.com> - fix unversioned provides to be in sync with nghttp3 * Tue Nov 07 2023 Dirk Müller <dmueller@suse.com> - add keyring for gpg validation - spec file cleanups * Mon Oct 16 2023 pgajdos@suse.com - version update to 1.57.0 [bsc#1216174] 1.57.0 * Fixes CVE-2023-44487 * Bump ngtcp2 by @tatsuhiro-t in #1944 * Add dependabot to update actions by @tatsuhiro-t in #1946 * Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950 * Bump actions/setup-go from 3 to 4 by @dependabot in #1948 * Bump actions/checkout from 3 to 4 by @dependabot in #1949 * Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947 * docker: Bump base image to debian 12 by @tatsuhiro-t in #1951 * nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953 * Bump quictls by @tatsuhiro-t in #1945 * Apps fix by @tatsuhiro-t in #1957 * nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958 * Fix clang-format by @tatsuhiro-t in #1959 * Rework session management by @tatsuhiro-t in #1961 1.56.0 * doc: Bump boringssl by @tatsuhiro-t in #1928 * Fix memory leak by @tatsuhiro-t in #1930 * Return void by @tatsuhiro-t in #1931 * nghttpx: Rework sending and receiving ECN bits by @tatsuhiro-t in #1934 * CMSG_DATA does not necessarily return an aligned pointer by @tatsuhiro-t in #1935 * Bump quictls by @tatsuhiro-t in #1937 * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #1939 * nghttpx: Simplify std::unique_ptr get and release by @tatsuhiro-t in #1940 * Bump llhttp to 926c982942eb53a13f01c1e9e6b19bd3b196e7dd by @tatsuhiro-t in #1941 * Bump libbpf to v1.2.2 by @tatsuhiro-t in #1942 * Update Dockerfile by @tatsuhiro-t in #1943 * Sat Jul 15 2023 Dirk Müller <dmueller@suse.com> - update to 1.55.1: * Fix memory leak This commit fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent. This issue has already been made public via CVE-2023-35945 by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository [2]. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond. PoC described in [1] is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error. NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does something memory heavy processing. * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE. https://github.com/envoyproxy/envoy/security/advisories/GHSA- jfxv-29pc-x22r * Tue Jun 20 2023 Dirk Müller <dmueller@suse.com> - update to 1.54.0: * nghttpx: Consistent error handling and use of high-level API * h2load: Fix http3 upload stall * h2load: Use std::chrono::steady_clock for quic timestamp * Thu May 18 2023 Martin Pluskal <mpluskal@suse.com> - Update to version 1.53.0: * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/ * Tue Mar 14 2023 Dirk Müller <dmueller@suse.com> - update to 1.52.0: * https://nghttp2.org/blog/2023/02/13/nghttp2-v1-52-0/ * sphinx_rtd_theme has been removed from the repository and archive. * The deprecated Python bindings has been removed. * The deprecated libnghttp2_asio has been removed. * llhttp and neverbleed have been updated. * This release fixes the bug that stalls TLS connection. * This release adds more http3 integration tests. - drop nghttp2-remove-python-build.patch: obsolete as the code got removed * Thu Nov 17 2022 Dirk Müller <dmueller@suse.com> - update to 1.51.0: * https://nghttp2.org/blog/2022/11/13/nghttp2-v1-51-0/ This release fixes affinity-cookie-stickiness parameter handling. * Sat Sep 24 2022 Dirk Müller <dmueller@suse.com> - update to 1.50.0: * https://nghttp2.org/blog/2022/09/21/nghttp2-v1-50-0/ This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation which disables checking leading and trailing white spaces against HTTP field value. * Fri Sep 23 2022 Dirk Müller <dmueller@suse.com> - disable asio by default as it is deprecated by upstream and will be removed in the next release * Mon Aug 22 2022 Dirk Müller <dmueller@suse.com> - update to 1.49.0: * https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/ * Mon Jul 11 2022 Dirk Müller <dmueller@suse.com> - update to 1.48.0: * lib: Allow server to override RFC 9218 stream priority * lib: Add a server option to fallback to RFC 7540 priorities * lib: Add PRIORITY_UPDATE frame support * lib: Implement RFC 9218 extensible prioritization scheme * lib: Do not verify host field specific characters for response field * lib: No rfc7540 priorities * lib: Fix stream stall when initial window size is decreased * doc: Document how to change stream prioritization scheme * build: Compile with libressl 3.5 * build: EXTRA_DIST: List mruby files explicitly * build: Bump ngtcp2 and nghttp3 * build: Do not check application libraries if --enable-lib-only is given * src: Update default TLS cipher suites * nghttpx, h2load: Better pack UDP packets in one GSO write * nghttpx, h2load: Quic error handling * nghttpx, h2load: Fix QUIC performance regression * nghttp, nghttpd, nghttpx: Add ktls support * h2load: Send more packets without GSO per event loop * h2load: Add ktls support * nghttpd: Fix TLS read stall * nghttpx: Disable RFC 7540 priorities * nghttpx: Client always uses simpler TLS handshake * nghttpx: Add affinity-cookie-stickiness backend parameter * nghttpx: Fix broken session affinity * nghttpx: Limit CONNECTION_CLOSE and Retry under server amplification limit * integration: Go update * integration: Add go.mod * third-party: Bump llhttp to 75b45129db961e1fb3c56044e1b8f7721bfaee5d * third-party: Bump libbpf to v0.8.0 * third-party: Bump mruby to 3.1.0 * third-party: Bump neverbleed based on the latest head (GH-1708) * Sun Mar 20 2022 Dirk Müller <dmueller@suse.com> - update to 1.47.0: * see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/ * Sat Dec 18 2021 Dirk Müller <dmueller@suse.com> - update to 1.46.0: * see https://nghttp2.org/blog/2021/07/18/nghttp2-v1-44-0/ * see https://nghttp2.org/blog/2021/09/20/nghttp2-v1-45-0/ * see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/ * Thu Feb 04 2021 Dirk Müller <dmueller@suse.com> - update to 1.43.0: * doc: Make doc generation work with sphinx v3.3 * python: Require python3 for python bindings * python: Require python3 for python scripts * nghttpx: Make sure that Pool gets cleared when all buffers are returned * nghttpx: Choose ECDSA cert if compatible signature algorithm available * nghttpx: Add workaround to include ':' in backend pattern * Wed Jan 06 2021 Dirk Müller <dmueller@suse.com> - update to 1.42.0: * lib: fix ubsan errors (Patch from Asra Ali) (GH-1468) * lib: Don't send RST_STREAM to idle stream (GH-1477) * lib: nghttp2_map backed by nghttp2_ksl * doc: Update sphinx_rtd_theme * doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489) * doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488) * build: Add missing cmake/FindSystemd.cmake to dist (GH-1526) * third-party: Bump llhttp to 2.2.0 * third-party: Bump mruby to 2.1.2 * nghttpx: Deal with the case when h2 backend is retired before it is initialized * nghttpx: Add accesslog variables to record request path without query (GH-1511) * nghttpx: Fix stall when TLS follows after proxy protocol * nghttpx: Fix logging integer * Wed Jun 03 2020 Paolo Stivanin <info@paolostivanin.com> - Update to 1.41.0 * Fix CVE-2020-11080 * lib: Implement max settings option (Patch from James M Snell) * lib: Earlier check for settings flood (Patch from James M Snell) * lib: Fix receiving stream data stall (GH-1444) * build: cmake: Make hard-coded static lib suffix optional (Patch from Viktor Szakats) (GH-1418) * third-party: Bump llhttp to 2.0.4 (GH-1442) * nghttpx: Add PROXY-protocol v2 support (GH-1452) * nghttpx: Fix get_x509_serial for long serial numbers (Patch from Jacky Tian) (GH-1455) * h2load: Allow port in --connect-to * h2load: add --connect-to option (Patch from Lucas Pardue) (GH-1426) * Tue Jan 14 2020 Michał Rostecki <mrostecki@opensuse.org> - Update to version 1.40.0 * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal
/usr/bin/deflatehd /usr/bin/h2load /usr/bin/inflatehd /usr/bin/nghttp /usr/bin/nghttpd /usr/bin/nghttpx /usr/share/nghttp2 /usr/share/nghttp2/fetch-ocsp-response
Generated by rpm2html 1.8.1
Fabrice Bellet, Sat Mar 9 12:50:11 2024