Changelog for
nghttp2-debugsource-1.61.0-1.1.11.1.x86_64.rpm :
* Thu Apr 04 2024 pgajdos@suse.com - version update to 1.61.0
* Fixes CVE-2024-28182 [bsc#1221399]
* nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087
* Checkout with submodules by @jonaski in #2093
* Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092
* build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097
* Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098
* docker: Use copy --link by @tatsuhiro-t in #2099
* Nghttpx header idle timeout by @tatsuhiro-t in #2100
* nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101
* Rewrite hexdump by @tatsuhiro-t in #2102
* Switch to distroless/base-nossl by @tatsuhiro-t in #2103
* Bump ngtcp2 by @tatsuhiro-t in #2105
* nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106
* build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107
* autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108
* Automate release process by @tatsuhiro-t in #2109
* autotools: Switch to tar-pax by @tatsuhiro-t in #2110
* nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111
* nghttpx: Fix port byte order by @tatsuhiro-t in #2112
* h2load: Allow host header to be overridden by @tatsuhiro-t in #2113
* nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114
* nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115
* Add actions/stale by @tatsuhiro-t in #2116
* nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117
* nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119
* No rfc7540 priority fix by @tatsuhiro-t in #2120
* Further reduce Stateless reset emission by @tatsuhiro-t in #2122
* nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124
* Nghttpx faster worker lookup by @tatsuhiro-t in #2125
* nghttpx: Split thread into worker_process and thread by @tatsuhiro-t in #2126
* bpf: Drop bad QUIC packet by @tatsuhiro-t in #2127
* cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON by @jimmy-park in #2128
* nghttpx: Allocate 3 bits for QUIC configuration in Connection ID by @tatsuhiro-t in #2129
* nghttpx: Migrate to ares_getaddrinfo by @tatsuhiro-t in #2132
* Bump munit by @tatsuhiro-t in #2131
* nghttpx: Fix error message by @tatsuhiro-t in #2133
* nghttpd: Fix read stall by @tatsuhiro-t in #2134
* Wed Apr 03 2024 Adam Majer
- gcc7.patch: Fix compilation for SLE-15 (jsc#PED-8206)
* Mon Mar 18 2024 Martin Pluskal - Update keyring with current key
* Mon Mar 18 2024 pgajdos@suse.com - version update to 1.60.0
* makerelease.sh: Speed up git submodule
* Speed up git clone
* build(deps): bump actions/cache from 3 to 4
* Fixing the build and install trees
* build(deps): bump microsoft/setup-msbuild from 1 to 2
* nghttpx: Set ocsp response to SSL in case of boringssl
* Run with python3
* src: Certificate Compression with boringssl
* Fix missing newline
* Switch to aws lc
* Libbrotli fixup
* Deprecate RFC 7540 priorities (aka stream dependencies)
* Let dependabot manage go modules
* build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
* integration-tests: Omit unused parameters
* Munit
* Introduce nghttp2_ssize API
* Move deprecated warning upfront
* Describe RFC 7540 priorities deprecation plan
* Apps migrate nghttp2 ssize
* src: Remove unused functions
* Reconsider ssize t usage in src
* Use GitHub private vulnerability reporting
* Move security policy to GitHub standard location
* Bump mruby to 3.3.0
* Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663
* h2load: Add --sni option
* Bump ngtcp2 dependencies
* mruby: Adopt deprecation of mrbc_ prefix
* neverbleed: Define _GNU_SOURCE for pthread_setaffinity_np
* bpf: Pre-expand aes key
* mruby: Exclude mrdb gem which causes nghttpx to crash
* nghttpx: Reuse EVP_CIPHER_CTX for QUIC connection ID encryption
* Run apt-get update before install
* src: Deal with the case that send_quantum < max_udp_payload_size
* nghttpx: Remove SHRPX_QUIC_MAX_UDP_PAYLOAD_SIZE
* Fix build when AI_NUMERICSERV is undefined
- remove dependency on /usr/bin/python3 using %python3_fix_shebang_path macro, [bsc#1212476]
* Sun Jan 28 2024 Dirk Müller - update to 1.59.0:
* Update bash_completion
* h2load: Fix bug that ttfb is not recorded if h3 stream has no data
* h2load: Consider all h2 HEADERS when counting bytes and recording ttfb
* h2load: Ignore 1xx status code
* nghttpd: Free SSL_CTX on exit
* nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data
* cmake: Require OpenSSL >= 1.1.1
* Add nghttp2_select_alpn and deprecate nghttp2_select_next_protocol
* nghttpx: Add --alpn-list and deprecate --npn-list
* h2load: Add --alpn-list and deprecate --npn-list
* Remove NPN
* src: Support building with aws-lc
* Avoid detecting OpenSSL 3.2 as quictls
* Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0
* h2load: Fix IPv6 address in :authority
* nghttpx: Propagate stream priority from backend to frontend
* Merge pull request #1991 from nghttp2/get-and-parse-extpri
* Add API to get and parse RFC 9218 priority
* nghttpx: Prefer __FILE_NAME__ if defined
* Sat Nov 25 2023 Dirk Müller - update to 1.58.0:
* Update manual pages
* Bump neverbleed
* Bump ngtcp2
* Prefer clock_gettime if __CYGWIN__ defined
* Do not require strict c++ mode
* nghttpx: Stricter transfer-encoding checks
* Refactor character comparison
* Integration servertester h3
* integration: Enable http3 test with cmake
* Tue Nov 21 2023 Dirk Müller - fix unversioned provides to be in sync with nghttp3
* Tue Nov 07 2023 Dirk Müller - add keyring for gpg validation
- spec file cleanups
* Mon Oct 16 2023 pgajdos@suse.com - version update to 1.57.0 [bsc#1216174]
1.57.0
* Fixes CVE-2023-44487
* Bump ngtcp2 by @tatsuhiro-t in #1944
* Add dependabot to update actions by @tatsuhiro-t in #1946
* Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950
* Bump actions/setup-go from 3 to 4 by @dependabot in #1948
* Bump actions/checkout from 3 to 4 by @dependabot in #1949
* Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947
* docker: Bump base image to debian 12 by @tatsuhiro-t in #1951
* nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953
* Bump quictls by @tatsuhiro-t in #1945
* Apps fix by @tatsuhiro-t in #1957
* nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958
* Fix clang-format by @tatsuhiro-t in #1959
* Rework session management by @tatsuhiro-t in #1961
1.56.0
* doc: Bump boringssl by @tatsuhiro-t in #1928
* Fix memory leak by @tatsuhiro-t in #1930
* Return void by @tatsuhiro-t in #1931
* nghttpx: Rework sending and receiving ECN bits by @tatsuhiro-t in #1934
* CMSG_DATA does not necessarily return an aligned pointer by @tatsuhiro-t in #1935
* Bump quictls by @tatsuhiro-t in #1937
* Bump ngtcp2 and its dependencies by @tatsuhiro-t in #1939
* nghttpx: Simplify std::unique_ptr get and release by @tatsuhiro-t in #1940
* Bump llhttp to 926c982942eb53a13f01c1e9e6b19bd3b196e7dd by @tatsuhiro-t in #1941
* Bump libbpf to v1.2.2 by @tatsuhiro-t in #1942
* Update Dockerfile by @tatsuhiro-t in #1943
* Sat Jul 15 2023 Dirk Müller - update to 1.55.1:
* Fix memory leak
  This commit fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent.
  This issue has already been made public via CVE-2023-35945 by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository [2]. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.
  PoC described in [1] is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error.
  NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does something memory heavy processing.
* NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.
  https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
* Tue Jun 20 2023 Dirk Müller - update to 1.54.0:
* nghttpx: Consistent error handling and use of high-level API
* h2load: Fix http3 upload stall
* h2load: Use std::chrono::steady_clock for quic timestamp
* Thu May 18 2023 Martin Pluskal - Update to version 1.53.0:
* https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/
* Tue Mar 14 2023 Dirk Müller - update to 1.52.0:
* https://nghttp2.org/blog/2023/02/13/nghttp2-v1-52-0/
* sphinx_rtd_theme has been removed from the repository and archive.
* The deprecated Python bindings have been removed.
* The deprecated libnghttp2_asio has been removed.
* llhttp and neverbleed have been updated.
* This release fixes the bug that stalls TLS connection.
* This release adds more http3 integration tests.
- drop nghttp2-remove-python-build.patch: obsolete as the code got removed
* Thu Nov 17 2022 Dirk Müller - update to 1.51.0:
* https://nghttp2.org/blog/2022/11/13/nghttp2-v1-51-0/
  This release fixes affinity-cookie-stickiness parameter handling.
* Sat Sep 24 2022 Dirk Müller - update to 1.50.0:
* https://nghttp2.org/blog/2022/09/21/nghttp2-v1-50-0/
  This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation which disables checking leading and trailing white spaces against HTTP field value.
* Fri Sep 23 2022 Dirk Müller - disable asio by default as it is deprecated by upstream and will be removed in the next release
* Mon Aug 22 2022 Dirk Müller - update to 1.49.0:
* https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/
* Mon Jul 11 2022 Dirk Müller - update to 1.48.0:
* lib: Allow server to override RFC 9218 stream priority
* lib: Add a server option to fallback to RFC 7540 priorities
* lib: Add PRIORITY_UPDATE frame support
* lib: Implement RFC 9218 extensible prioritization scheme
* lib: Do not verify host field specific characters for response field
* lib: No rfc7540 priorities
* lib: Fix stream stall when initial window size is decreased
* doc: Document how to change stream prioritization scheme
* build: Compile with libressl 3.5
* build: EXTRA_DIST: List mruby files explicitly
* build: Bump ngtcp2 and nghttp3
* build: Do not check application libraries if --enable-lib-only is given
* src: Update default TLS cipher suites
* nghttpx, h2load: Better pack UDP packets in one GSO write
* nghttpx, h2load: Quic error handling
* nghttpx, h2load: Fix QUIC performance regression
* nghttp, nghttpd, nghttpx: Add ktls support
* h2load: Send more packets without GSO per event loop
* h2load: Add ktls support
* nghttpd: Fix TLS read stall
* nghttpx: Disable RFC 7540 priorities
* nghttpx: Client always uses simpler TLS handshake
* nghttpx: Add affinity-cookie-stickiness backend parameter
* nghttpx: Fix broken session affinity
* nghttpx: Limit CONNECTION_CLOSE and Retry under server amplification limit
* integration: Go update
* integration: Add go.mod
* third-party: Bump llhttp to 75b45129db961e1fb3c56044e1b8f7721bfaee5d
* third-party: Bump libbpf to v0.8.0
* third-party: Bump mruby to 3.1.0
* third-party: Bump neverbleed based on the latest head (GH-1708)
* Sun Mar 20 2022 Dirk Müller - update to 1.47.0:
* see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/
* Sat Dec 18 2021 Dirk Müller - update to 1.46.0:
* see https://nghttp2.org/blog/2021/07/18/nghttp2-v1-44-0/
* see https://nghttp2.org/blog/2021/09/20/nghttp2-v1-45-0/
* see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/
* Thu Feb 04 2021 Dirk Müller - update to 1.43.0:
* doc: Make doc generation work with sphinx v3.3
* python: Require python3 for python bindings
* python: Require python3 for python scripts
* nghttpx: Make sure that Pool gets cleared when all buffers are returned
* nghttpx: Choose ECDSA cert if compatible signature algorithm available
* nghttpx: Add workaround to include ':' in backend pattern
* Wed Jan 06 2021 Dirk Müller - update to 1.42.0:
* lib: fix ubsan errors (Patch from Asra Ali) (GH-1468)
* lib: Don't send RST_STREAM to idle stream (GH-1477)
* lib: nghttp2_map backed by nghttp2_ksl
* doc: Update sphinx_rtd_theme
* doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489)
* doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488)
* build: Add missing cmake/FindSystemd.cmake to dist (GH-1526)
* third-party: Bump llhttp to 2.2.0
* third-party: Bump mruby to 2.1.2
* nghttpx: Deal with the case when h2 backend is retired before it is initialized
* nghttpx: Add accesslog variables to record request path without query (GH-1511)
* nghttpx: Fix stall when TLS follows after proxy protocol
* nghttpx: Fix logging integer