Nghttp2 Versions Save

nghttp2 - HTTP/2 C Library and tools

v1.44.0

2 years ago

lib: Port new ngtcp2 map implementation doc: Replace master with main build: Add precious variables for libev and jemalloc and use JEMALLOC_CFLAGS build: Add more --with-* configure flags build: Add LIBTOOL_LDFLAGS configure variable third-party: Bump llhttp to 6.0.2 src: Replace black-list with block-list nghttpx: Fix max distance in weight group/address cycle comparison nghttpx: Set connect_blocker and live_check after shuffling addresses nghttpx: Replace master with main nghttpx: Remove trailing white space after $method log variable (GH-1553) h2load: Add --rps option (GH-1559) h2load: Allow unit in -D option asio: fix some typos (Patch from Jan Kundrát) (GH-1550)

v1.43.0

3 years ago

doc: Make doc generation work with sphinx v3.3 (GH-1547) python: Require python3 for python bindings (GH-1548) python: Require python3 for python scripts (GH-1546) nghttpx: Make sure that Pool gets cleared when all buffers are returned (GH-1544) nghttpx: Choose ECDSA cert if compatible signature algorithm available (GH-1542) nghttpx: Add workaround to include ':' in backend pattern (GH-1537)

v1.42.0

3 years ago
  • lib: fix ubsan errors (Patch from Asra Ali) (GH-1468)
  • lib: Don't send RST_STREAM to idle stream (GH-1477)
  • lib: nghttp2_map backed by nghttp2_ksl
  • doc: Update sphinx_rtd_theme
  • doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489)
  • doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488)
  • build: Add missing cmake/FindSystemd.cmake to dist (GH-1526)
  • third-party: Bump llhttp to 2.2.0
  • third-party: Bump mruby to 2.1.2
  • nghttpx: Deal with the case when h2 backend is retired before it is initialized
  • nghttpx: Add accesslog variables to record request path without query (GH-1511)
  • nghttpx: Fix stall when TLS follows after proxy protocol
  • nghttpx: Fix logging integer

v1.41.0

3 years ago
  • Fix CVE-2020-11080
  • lib: Implement max settings option (Patch from James M Snell)
  • lib: Earlier check for settings flood (Patch from James M Snell)
  • lib: Fix receiving stream data stall (GH-1444)
  • build: cmake: Make hard-coded static lib suffix optional (Patch from Viktor Szakats) (GH-1418)
  • third-party: Bump llhttp to 2.0.4 (GH-1442)
  • nghttpx: Add PROXY-protocol v2 support (GH-1452)
  • nghttpx: Fix get_x509_serial for long serial numbers (Patch from Jacky Tian) (GH-1455)
  • h2load: Allow port in --connect-to
  • h2load: add --connect-to option (Patch from Lucas Pardue) (GH-1426)

v1.40.0

4 years ago
  • lib: Add nghttp2_check_authority as public API (GH-1413)
  • lib: Fix the bug that stream is closed with wrong error code (GH-1408)
  • lib: Faster huffman encoding and decoding (GH-1405)
  • build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
  • build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
  • build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
  • third-party: Update neverbleed to fix memory leak
  • nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
  • nghttpx: Reconnect h1 backend if it lost connection before sending headers
  • nghttpx: Returns 408 if backend timed out before sending headers
  • nghttpx: Fix request stall (GH-1378)

v1.39.2

4 years ago

This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

  • Fix CVE-2019-9511 and CVE-2019-9513
  • Add nghttp2_option_set_max_outbound_ack API function
  • nghttpx: Fix request stall

v1.39.1

4 years ago
  • nghttpx: Fix bug that log-level is not set with cmd-line or configuration file
  • nghttpx: Fix FPE with default backend

v1.39.0

4 years ago
  • lib: Ignore content-length in 200 response to CONNECT request (GH-1347)
  • third-party: Upgrade mruby to 2.0.1 (GH-1337)
  • asio: support boost-1.70 (Patch from Adam Gołębiowski) (GH-1335)
  • src: Replace http-parser with llhttp (GH-1340)
  • nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT (GH-1347)
  • nghttpx: Fix unchanged log level on configuration reload (GH-1356)

v1.38.0

5 years ago
  • lib: Fix bug that on_header callback is still called after stream is closed (GH-1331)
  • third-party: Update http-parser to v2.9.1
  • nghttpx: Fix bug that altered authority and path affect backend selection (GH-1334)
  • nghttpx: Fix bug that chunked request stalls (GH-1333)
  • nghttpx: Don't log authorization request header field value with -LINFO (GH-1332)
  • nghttpx: Fix for compilation against modern LibreSSL (Patch from Jeff 'Raid' Baitis) (GH-1270)

v1.37.0

5 years ago
  • lib: Take into account larger frame size for prioritization
  • lib: Reuse name when indexing header by referencing dynamic table
  • build: Explicitly set install location when building shared libs (Patch from Don) (GH-1303)
  • nghttpx: Fix backend stall if header and request body are sent in 2 packets
  • nghttpx: Backend address selection with weight (GH-1297)
  • nghttpx: Fix compilation with boringssl (Patch from Simon Frankenberger) (GH-1295)