Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: nghttp2 | Distribution: openSUSE Tumbleweed |
Version: 1.64.0 | Vendor: openSUSE |
Release: 1.1 | Build date: Tue Nov 12 11:57:02 2024 |
Group: Development/Libraries/C and C++ | Build host: reproducible |
Size: 1317663 | Source RPM: nghttp2-1.64.0-1.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://nghttp2.org/ | |
Summary: Implementation of Hypertext Transfer Protocol version 2 in C |
This is an implementation of Hypertext Transfer Protocol version 2. The framing layer of HTTP/2 is implemented as a form of reusable C library. On top of that, we have implemented HTTP/2 client, server and proxy. We have also developed load test and benchmarking tool for HTTP/2. HPACK encoder and decoder are available as public API.
MIT
* Tue Nov 12 2024 pgajdos@suse.com - version update to 1.64.0 1.64.0 * Change clang-format options by @tatsuhiro-t in #2240 * build(deps): bump github.com/quic-go/quic-go from 0.46.0 to 0.47.0 by @dependabot in #2243 * build(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #2244 * nghttp2_map: Port ngtcp2 changes by @tatsuhiro-t in #2245 * h2load: Fix UDP datagram send/recv metric by @tatsuhiro-t in #2248 * build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #2252 * fix race condition on h1 connection close by @TuxInvader in #2249 * Gha ubuntu 24.04 by @tatsuhiro-t in #2254 * GHA: Run tests for i686-w64-mingw32 host by @tatsuhiro-t in #2255 * cmake: Fix c-ares v1.34.0 version detection failure by @tatsuhiro-t in #2256 * fix: -Wextra-semi errors in nghttp2_helper.h by @codebytere in #2258 * clang-format macros that do not need semicolon at the end by @tatsuhiro-t in #2259 * Remove extra semicolons by @tatsuhiro-t in #2260 * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2261 * Do not allow '@' in :authority or host field values by @tatsuhiro-t in #2262 * h2load: GRO buffer size should be 64KiB by @tatsuhiro-t in #2263 * Bump libbpf to v1.4.6 by @tatsuhiro-t in #2264 * Update nghttp2_check_authority doc by @tatsuhiro-t in #2265 1.63.0 * Bump libbpf to v1.4.2 by @tatsuhiro-t in #2191 * build(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in #2193 * nghttpx: Fix batch UDP QUIC packet dropped on GRO read by @tatsuhiro-t in #2196 * CMakeLists.txt: allow to compile the C only lib without CXX compiler by @ThomasDevoogdt in #2200 * build(deps): bump github.com/quic-go/quic-go from 0.43.1 to 0.44.0 by @dependabot in #2197 * Fix compiler versions in readme by @ryandesign in #2203 * build(deps): bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in #2205 * build(deps): bump github.com/quic-go/quic-go from 0.44.0 to 0.45.0 by @dependabot in #2206 * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2207 * build(deps): bump docker/build-push-action from 5 to 6 by @dependabot in #2208 * Add wolfSSL support by @tatsuhiro-t in #2209 * Append --shallow-submodules to git clone --recursive by @tatsuhiro-t in #2210 * Always append options to extra options by @tatsuhiro-t in #2211 * build(deps): bump github.com/quic-go/quic-go from 0.45.0 to 0.45.1 by @dependabot in #2213 * Disable dependency tracking by @tatsuhiro-t in #2214 * Fix Dockerfile.android build failure by @tatsuhiro-t in #2215 * Fix UDP_GRO struct cmsghdr data type by @tatsuhiro-t in #2216 * GHA: Suppress warnings by @tatsuhiro-t in #2217 * Fix levenshtein initialization by @tatsuhiro-t in #2218 * build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #2220 * Undefine NGHTTP2_NO_SSIZE_T if BUILDING_NGHTTP2 is defined by @tatsuhiro-t in #2224 * Bump clang format by @tatsuhiro-t in #2226 * Suppress old compiler error by @tatsuhiro-t in #2228 * build(deps): bump github.com/quic-go/quic-go from 0.45.1 to 0.45.2 by @dependabot in #2229 * build(deps): bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in #2231 * build(deps): bump github.com/quic-go/quic-go from 0.45.2 to 0.46.0 by @dependabot in #2232 * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #2236 * Bump libbpf to v1.4.5 by @tatsuhiro-t in #2237 * Update go by @tatsuhiro-t in #2238 * levenshtein: Use size_t by @tatsuhiro-t in #2239 * Mon Jun 17 2024 Dirk Müller <dmueller@suse.com> - update to 1.62.1: * nghttpx: Fix batch UDP QUIC packet dropped on GRO read - update to 1.62.0: * nghttpx: Fix QUIC stateless reset stack buffer overflow * Require c-ares >= 1.16.0 for ares_getaddrinfo * Require C++20 compiler * Adopt std::to_array and remove make_array * nghttpx: Define APIEndpoints separately * nghttpx: Do not send error/status body when method is HEAD * nghttpx: Fix alignment issues in BlockAllocator * nghttpx: Simplify parameter declaration for ipc_fd functions * nghttpx: Add extent to ipc_fd explicitly * Make make_byte_ref return std::span * Make util::decode_hex return std::span * Rewrite util::parse_uint * Let base64::decode return std::span * Refactor StringRef * Stringref refactor c str and str * Add StringRef literal operator and remove StringRef::from_lit * Make StringRef(const std::string&) implicit * Add http2::make_field family functions * Remove std::string conversion operator from StringRef * Optimize StringRef comparisons against c-string * Pack more quic pkt * nghttpx: Dynamic GSO failover * Refactor ImmutableString * nghttpx: Refactor QUIC data path * nghttpx: Fix inherited TCP port comparison * make_websocket_accept_token: Lesser conversions * Add http3::make_field family functions * Remove unnecessary namespace qualifications * Refactor http utils * Refactor streq * Remove util::streq and let StringRef operator== deal with it * Update the link for the Prefix.pdf document. fix #2178 * Introduce typed nghttp2_min and nghttp2_max - drop gcc7.patch (obsolete, we require C++20 now) * Thu Apr 04 2024 pgajdos@suse.com - version update to 1.61.0 * Fixes CVE-2024-28182 [bsc#1221399] * nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087 * Checkout with submodules by @jonaski in #2093 * Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092 * build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097 * Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098 * docker: Use copy --link by @tatsuhiro-t in #2099 * Nghttpx header idle timeout by @tatsuhiro-t in #2100 * nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101 * Rewrite hexdump by @tatsuhiro-t in #2102 * Switch to distroless/base-nossl by @tatsuhiro-t in #2103 * Bump ngtcp2 by @tatsuhiro-t in #2105 * nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106 * build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107 * autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108 * Automate release process by @tatsuhiro-t in #2109 * autotools: Switch to tar-pax by @tatsuhiro-t in #2110 * nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111 * nghttpx: Fix port byte order by @tatsuhiro-t in #2112 * h2load: Allow host header to be overridden by @tatsuhiro-t in #2113 * nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114 * nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115 * Add actions/stale by @tatsuhiro-t in #2116 * nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117 * nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119 * No rfc7540 priority fix by @tatsuhiro-t in #2120 * Further reduce Stateless reset emission by @tatsuhiro-t in #2122 * nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124 * Nghttpx faster worker lookup by @tatsuhiro-t in #2125 * nghttpx: Split thread into worker_process and thread by @tatsuhiro-t in #2126 * bpf: Drop bad QUIC packet by @tatsuhiro-t in #2127 * cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON by @jimmy-park in #2128 * nghttpx: Allocate 3 bits for QUIC configuration in Connection ID by @tatsuhiro-t in #2129 * nghttpx: Migrate to ares_getaddrinfo by @tatsuhiro-t in #2132 * Bump munit by @tatsuhiro-t in #2131 * nghttpx: Fix error message by @tatsuhiro-t in #2133 * nghttpd: Fix read stall by @tatsuhiro-t in #2134 * Wed Apr 03 2024 Adam Majer <adam.majer@suse.de> - gcc7.patch: Fix compilation for SLE-15 (jsc#PED-8206) * Mon Mar 18 2024 Martin Pluskal <mpluskal@suse.com> - Update keyring with current key * Mon Mar 18 2024 pgajdos@suse.com - version update to 1.60.0 * makerelease.sh: Speed up git submodule * Speed up git clone * build(deps): bump actions/cache from 3 to 4 * Fixing the build and install trees * build(deps): bump microsoft/setup-msbuild from 1 to 2 * nghttpx: Set ocsp response to SSL in case of boringssl * Run with python3 * src: Certificate Compression with boringssl * Fix missing newline * Switch to aws lc * Libbrotli fixup * Deprecate RFC 7540 priorities (aka stream dependencies) * Let dependabot manage go modules * build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0 * integration-tests: Omit unused parameters * Munit * Introduce nghttp2_ssize API * Move deprecated warning upfront * Describe RFC 7540 priorities deprecation plan * Apps migrate nghttp2 ssize * src: Remove unused functions * Reconsider ssize t usage in src * Use GitHub private vulnerability reporting * Move security policy to GitHub standard location * Bump mruby to 3.3.0 * Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663 * h2load: Add --sni option * Bump ngtcp2 dependencies * mruby: Adopt deprecation of mrbc_ prefix * neverbleed: Define _GNU_SOURCE for pthread_setaffinity_np * bpf: Pre-expand aes key * mruby: Exclude mrdb gem which causes nghttpx to crash * nghttpx: Reuse EVP_CIPHER_CTX for QUIC connection ID encryption * Run apt-get update before install * src: Deal with the case that send_quantum < max_udp_payload_size * nghttpx: Remove SHRPX_QUIC_MAX_UDP_PAYLOAD_SIZE * Fix build when AI_NUMERICSERV is undefined - remove dependency on /usr/bin/python3 using %python3_fix_shebang_path macro, [bsc#1212476] * Sun Jan 28 2024 Dirk Müller <dmueller@suse.com> - update to 1.59.0: * Update bash_completion * h2load: Fix bug that ttfb is not recorded if h3 stream has no data * h2load: Consider all h2 HEADERS when counting bytes and recording ttfb * h2load: Ignore 1xx status code * nghttpd: Free SSL_CTX on exit * nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data * nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data * cmake: Require OpenSSL >= 1.1.1 * Add nghttp2_select_alpn and deprecate nghttp2_select_next_protocol * nghttpx: Add --alpn-list and deprecate --npn-list * h2load: Add --alpn-list and deprecate --npn-list * Remove NPN * src: Support building with aws-lc * Avoid detecting OpenSSL 3.2 as quictls * Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0 * h2load: Fix IPv6 address in :authority * h2load: Fix IPv6 address in :authority * nghttpx: Propagate stream priority from backend to frontend * nghttpx: Propagate stream priority from backend to frontend * Merge pull request #1991 from nghttp2/get-and-parse- extpri * Add API to get and parse RFC 9218 priority * nghttpx: Prefer __FILE_NAME__ if defined * Sat Nov 25 2023 Dirk Müller <dmueller@suse.com> - update to 1.58.0: * Update manual pages * Bump neverbleed * Bump ngtcp2 * Prefer clock_gettime if __CYGWIN__ defined * Do not require strict c++ mode * nghttpx: Stricter transfer-encoding checks * Refactor character comparison * Integration servertester h3 * integration: Enable http3 test with cmake * Tue Nov 21 2023 Dirk Müller <dmueller@suse.com> - fix unversioned provides to be in sync with nghttp3 * Tue Nov 07 2023 Dirk Müller <dmueller@suse.com> - add keyring for gpg validation - spec file cleanups * Mon Oct 16 2023 pgajdos@suse.com - version update to 1.57.0 [bsc#1216174] 1.57.0 * Fixes CVE-2023-44487 (bsc#1216123) * Bump ngtcp2 by @tatsuhiro-t in #1944 * Add dependabot to update actions by @tatsuhiro-t in #1946 * Bump golang.org/x/net to v0.15.0 by @tatsuhiro-t in #1950 * Bump actions/setup-go from 3 to 4 by @dependabot in #1948 * Bump actions/checkout from 3 to 4 by @dependabot in #1949 * Bump actions/upload-artifact from 1 to 3 by @dependabot in #1947 * docker: Bump base image to debian 12 by @tatsuhiro-t in #1951 * nghttpx: Header field name must be lowercase by @tatsuhiro-t in #1953 * Bump quictls by @tatsuhiro-t in #1945 * Apps fix by @tatsuhiro-t in #1957 * nghttpx: Fix bug that --single-process does not work by @tatsuhiro-t in #1958 * Fix clang-format by @tatsuhiro-t in #1959 * Rework session management by @tatsuhiro-t in #1961 1.56.0 * doc: Bump boringssl by @tatsuhiro-t in #1928 * Fix memory leak by @tatsuhiro-t in #1930 * Return void by @tatsuhiro-t in #1931 * nghttpx: Rework sending and receiving ECN bits by @tatsuhiro-t in #1934 * CMSG_DATA does not necessarily return an aligned pointer by @tatsuhiro-t in #1935 * Bump quictls by @tatsuhiro-t in #1937 * Bump ngtcp2 and its dependencies by @tatsuhiro-t in #1939 * nghttpx: Simplify std::unique_ptr get and release by @tatsuhiro-t in #1940 * Bump llhttp to 926c982942eb53a13f01c1e9e6b19bd3b196e7dd by @tatsuhiro-t in #1941 * Bump libbpf to v1.2.2 by @tatsuhiro-t in #1942 * Update Dockerfile by @tatsuhiro-t in #1943 * Sat Jul 15 2023 Dirk Müller <dmueller@suse.com> - update to 1.55.1: * Fix memory leak (bsc#1215713) This commit fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent. This issue has already been made public via CVE-2023-35945 by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository [2]. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond. PoC described in [1] is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error. NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does something memory heavy processing. * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE. https://github.com/envoyproxy/envoy/security/advisories/GHSA- jfxv-29pc-x22r * Tue Jun 20 2023 Dirk Müller <dmueller@suse.com> - update to 1.54.0: * nghttpx: Consistent error handling and use of high-level API * h2load: Fix http3 upload stall * h2load: Use std::chrono::steady_clock for quic timestamp * Thu May 18 2023 Martin Pluskal <mpluskal@suse.com> - Update to version 1.53.0: * https://nghttp2.org/blog/2023/05/10/nghttp2-v1-53-0/ * Tue Mar 14 2023 Dirk Müller <dmueller@suse.com> - update to 1.52.0: * https://nghttp2.org/blog/2023/02/13/nghttp2-v1-52-0/ * sphinx_rtd_theme has been removed from the repository and archive. * The deprecated Python bindings has been removed. * The deprecated libnghttp2_asio has been removed. * llhttp and neverbleed have been updated. * This release fixes the bug that stalls TLS connection. * This release adds more http3 integration tests. - drop nghttp2-remove-python-build.patch: obsolete as the code got removed * Thu Nov 17 2022 Dirk Müller <dmueller@suse.com> - update to 1.51.0: * https://nghttp2.org/blog/2022/11/13/nghttp2-v1-51-0/ This release fixes affinity-cookie-stickiness parameter handling. * Sat Sep 24 2022 Dirk Müller <dmueller@suse.com> - update to 1.50.0: * https://nghttp2.org/blog/2022/09/21/nghttp2-v1-50-0/ This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation which disables checking leading and trailing white spaces against HTTP field value. * Fri Sep 23 2022 Dirk Müller <dmueller@suse.com> - disable asio by default as it is deprecated by upstream and will be removed in the next release * Mon Aug 22 2022 Dirk Müller <dmueller@suse.com> - update to 1.49.0: * https://nghttp2.org/blog/2022/08/22/nghttp2-v1-49-0/ * Mon Jul 11 2022 Dirk Müller <dmueller@suse.com> - update to 1.48.0: * lib: Allow server to override RFC 9218 stream priority * lib: Add a server option to fallback to RFC 7540 priorities * lib: Add PRIORITY_UPDATE frame support * lib: Implement RFC 9218 extensible prioritization scheme * lib: Do not verify host field specific characters for response field * lib: No rfc7540 priorities * lib: Fix stream stall when initial window size is decreased * doc: Document how to change stream prioritization scheme * build: Compile with libressl 3.5 * build: EXTRA_DIST: List mruby files explicitly * build: Bump ngtcp2 and nghttp3 * build: Do not check application libraries if --enable-lib-only is given * src: Update default TLS cipher suites * nghttpx, h2load: Better pack UDP packets in one GSO write * nghttpx, h2load: Quic error handling * nghttpx, h2load: Fix QUIC performance regression * nghttp, nghttpd, nghttpx: Add ktls support * h2load: Send more packets without GSO per event loop * h2load: Add ktls support * nghttpd: Fix TLS read stall * nghttpx: Disable RFC 7540 priorities * nghttpx: Client always uses simpler TLS handshake * nghttpx: Add affinity-cookie-stickiness backend parameter * nghttpx: Fix broken session affinity * nghttpx: Limit CONNECTION_CLOSE and Retry under server amplification limit * integration: Go update * integration: Add go.mod * third-party: Bump llhttp to 75b45129db961e1fb3c56044e1b8f7721bfaee5d * third-party: Bump libbpf to v0.8.0 * third-party: Bump mruby to 3.1.0 * third-party: Bump neverbleed based on the latest head (GH-1708) * Sun Mar 20 2022 Dirk Müller <dmueller@suse.com> - update to 1.47.0: * see https://nghttp2.org/blog/2022/02/23/nghttp2-v1-47-0/ * Sat Dec 18 2021 Dirk Müller <dmueller@suse.com> - update to 1.46.0: * see https://nghttp2.org/blog/2021/07/18/nghttp2-v1-44-0/ * see https://nghttp2.org/blog/2021/09/20/nghttp2-v1-45-0/ * see https://nghttp2.org/blog/2021/10/19/nghttp2-v1-46-0/ * Thu Feb 04 2021 Dirk Müller <dmueller@suse.com> - update to 1.43.0: * doc: Make doc generation work with sphinx v3.3 * python: Require python3 for python bindings * python: Require python3 for python scripts * nghttpx: Make sure that Pool gets cleared when all buffers are returned * nghttpx: Choose ECDSA cert if compatible signature algorithm available * nghttpx: Add workaround to include ':' in backend pattern * Wed Jan 06 2021 Dirk Müller <dmueller@suse.com> - update to 1.42.0: * lib: fix ubsan errors (Patch from Asra Ali) (GH-1468) * lib: Don't send RST_STREAM to idle stream (GH-1477) * lib: nghttp2_map backed by nghttp2_ksl * doc: Update sphinx_rtd_theme * doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489) * doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488) * build: Add missing cmake/FindSystemd.cmake to dist (GH-1526) * third-party: Bump llhttp to 2.2.0 * third-party: Bump mruby to 2.1.2 * nghttpx: Deal with the case when h2 backend is retired before it is initialized * nghttpx: Add accesslog variables to record request path without query (GH-1511) * nghttpx: Fix stall when TLS follows after proxy protocol * nghttpx: Fix logging integer
/usr/bin/deflatehd /usr/bin/h2load /usr/bin/inflatehd /usr/bin/nghttp /usr/bin/nghttpd /usr/bin/nghttpx /usr/share/nghttp2 /usr/share/nghttp2/fetch-ocsp-response
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Nov 26 00:16:56 2024