nghttp2 - HTTP/2 C Library and tools
lib: Port new ngtcp2 map implementation
doc: Replace master with main
build: Add precious variables for libev and jemalloc and use JEMALLOC_CFLAGS
build: Add more --with-* configure flags
build: Add LIBTOOL_LDFLAGS configure variable
third-party: Bump llhttp to 6.0.2
src: Replace black-list with block-list
nghttpx: Fix max distance in weight group/address cycle comparison
nghttpx: Set connect_blocker and live_check after shuffling addresses
nghttpx: Replace master with main
nghttpx: Remove trailing white space after $method log variable (GH-1553)
h2load: Add --rps option (GH-1559)
h2load: Allow unit in -D option
asio: fix some typos (Patch from Jan Kundrát) (GH-1550)
doc: Make doc generation work with sphinx v3.3 (GH-1547)
python: Require python3 for python bindings (GH-1548)
python: Require python3 for python scripts (GH-1546)
nghttpx: Make sure that Pool gets cleared when all buffers are returned (GH-1544)
nghttpx: Choose ECDSA cert if compatible signature algorithm available (GH-1542)
nghttpx: Add workaround to include ':' in backend pattern (GH-1537)
This release fixes the CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerabilities in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic with the --read-rate and --read-burst options is quite effective against this kind of attack.