Skip to content

Releases: h2o/h2o

H2O version 2.3.0-beta2

13 Aug 17:08
Choose a tag to compare

This is the beta release of the 2.3 series with following changes from 2.3.0-beta1, including one vulnerability fix.

  • [security fix][http2] fix HTTP/2 DoS attack vectors CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090 (Kazuho Oku)
  • [access-log] add support for logging to unix sockets #1746 (Frederik Deweerdt)
  • [access-log][proxy] rename key names of proxy timings #2082 (Ichito Nagata)
  • [file] add if-range header support #1751 (Lingmo Zhu)
  • [compress] extend x-compress-hint to be able to force either gzip or br compression #1808 (Frederik Deweerdt)
  • [compress][brotli] ensure there's a minimal good buffer size #1824 (Frederik Deweerdt)
  • [core] server timing tiny improvements #1818 (Ichito Nagata)
  • [core] flexible timeouts #1840 (Kazuho Oku)
  • [core] stop applying filters multiple times #1891 (Ichito Nagata)
  • [core] remove redundancy in how token index is determined #1903 (Kazuho Oku)
  • [core] use ALPN_ENTRY uniformly. #1987 (Masanori Ogino)
  • [core] allow to specify a list of CPUs to bind H2O to #2017 (Frederik Deweerdt)
  • [doc] fix for ssl_setup function in some libh2o examples #1802 (Byoungwoo Song)
  • [doc] improve documentation about extension property #2047 (Martin Michel)
  • [http1][http2] fix broken trailers issue #1798 (Ichito Nagata)
  • [http1] move chunked encoding code to http1 protocol handler #1819 (Ichito Nagata)
  • [http1] fix broken memory problem on keepalived connection #1823 (Ichito Nagata)
  • [http1] update picohttpparser and reject multiline headers #1933 (Ichito Nagata)
  • [http1] HTTP/1: handle the absolute url form #1941 (Frederik Deweerdt)
  • [http1] streaming request bodies #2007 (Frederik Deweerdt)
  • [http1] optional H1 behavior to forward connection closure #2015 (Toru Maesaka)
  • [http2] ORIGIN frame #1199 (Frederik Deweerdt)
  • [http2] http2client #1549 (Ichito Nagata)
  • [http2] http2-allow-cross-origin-push #1801 (Frederik Deweerdt)
  • [http2] :path pseudo header field cannot be empty #1822 (Ichito Nagata)
  • [http2] expose HPACK primitives #1845 (Kazuho Oku)
  • [http2] http2client #1549 (Ichito Nagata)
  • [http2] nitpicks in the HTTP2 response header parsing #1868 (Kazuho Oku)
  • [http2] forward content-length from upstream #1875 (Ichito Nagata)
  • [http2] don't push a path if a connection is closing. #1902 (Frederik Deweerdt)
  • [http2] don't call h2o_http2_conn_request_write from emit_writereq_of_openref (Frederik Deweerdt)
  • [http2] retain prioritization information for closed streams #1924 (Frederik Deweerdt)
  • [http2] HTTP/2 priorities fixes #1934 (Frederik Deweerdt)
  • [http2] fix failed assertion in update_stream_output_window #1951 (Frederik Deweerdt)
  • [http2] make sure the connection is registered with the stream before calling on_connect #1979 (Frederik Deweerdt)
  • [http2] h2o_http2_conn_unregister_stream assert on shutdown #2000 (Frederik Deweerdt)
  • [mime] update mimemap for .deb, .dll, .exe, .rar, .udeb and .zst. #1985 (Masanori Ogino)
  • [mime] support for USDZ MIME type for iOS 12 Safari #1861 (Kenta Moriuchi)
  • [mime] add MIME types for 3D models (GeoJSON, glTF) (Kenta Moriuchi)
  • [mruby] send early hints from mruby #1767 (Ichito Nagata)
  • [mruby] update mruby to 1.4.1 as well as the mrbgems #1778 (Kazuho Oku)
  • [mruby] use mrb_data_get_ptr to handle irregular cases in ruby layer #1794 (Ichito Nagata)
  • [mruby] prometheus middleware #1892 (Ichito Nagata)
  • [mruby] fix an invalid memory access by an mruby middleware #1945 (Toru Maesaka)
  • [mruby] fix heap-use-after-free bug of http_request #1975 (Ichito Nagata)
  • [mruby] fix invalid read on the stack #2003 (Frederik Deweerdt)
  • [proxy] forward broken chunk encoding to clients when upstream closes before sending anything #2070 (Frederik Deweerdt)
  • [ssl] check more errors returned by libcrypto #1797 (Kazuho Oku)
  • [ssl] more ssl stats #1837 (Ichito Nagata)
  • [ssl] support TLS 1.3 final #1844 (Kazuho Oku)
  • [ssl] send TLS alert on handshake failure when recent versions of OpenSSL is used #1872 (Kazuho Oku)
  • [ssl] use openssl crypto for the key exchange #1870 (Frederik Deweerdt)
  • [ssl] handle KeyUpdate #1882 (Kazuho Oku)
  • [ssl] fix session resumption (client-side) when used with OpenSSL 1.1.1 #2088 (Roberto Guimaraes)
  • [status] avoid redundant registration of status handlers #1815 (Kazuho Oku)
  • [libh2o] fix broken trailers issue #1798 (Ichito Nagata)
  • [libh2o] add header flags #1832 (Ichito Nagata)
  • [libh2o] client protocol abstraction #1855 (Kazuho Oku)
  • [libh2o] add an API to get the underlying socket from an httpclient #1957 (Toru Maesaka)
  • [libh2o] add application/xml to the is_compressible mime types #2016 (Uwe Trenkner)
  • [libh2o] fix issue in 'h2o_perror' about 'strerror_r' #2022 (Baodong Chen)
  • [libh2o] fix prototype for 'h2o_fatal' and replace 'abort(3)' with it #2020 (Baodong Chen)
  • [libh2o] install httpclient as part of h2o #2027 (Kazuho Oku)
  • [libh2o] add an h2o_now_nanosec() func to the Event Loop API #2053 (Toru Maesaka)
  • [libh2o] socket: Add h2o_socket_get_ssl_server_name() #2054 (Remi Gacogne)
  • [libh2o] keep track of mmap failures #2065 (Toru Maesaka)
  • [libh2o] split up the buffer reservation API #2031 (Toru Maesaka)
  • [libh2o] don't store the socket in the socket pool when unnecessary #2073 (Frederik Deweerdt)
  • [libh2o] expose bytes_written from httpclient #2080 (Ichito Nagata)
  • [libh2o] implement H2O_MULTITHREAD_ONCE #2086 (Kazuho Oku)
  • [misc] fix leased socket counting in socketpool #1750 (Lingmo Zhu)
  • [misc] knob to tune disk-based memory allocation threshold #1820 (Ricardo Nabinger Sanchez)
  • [misc] fuzzer target fix for FreeBSD #1862 (David Carlier)
  • [misc] clean up buildchain linuxisms & update FreeBSD URLs #1813 (Dave Cottlehuber)
  • [misc] minor facebook/infer 0.15.0 finds #1885 (Frederik Deweerdt)
  • [misc] httpclient misc changes #1877 (Ichito Nagata)
  • [misc] enables support of ccache #1905 (Lars K.W. Gohlke)
  • [misc] pass travis flag to docker and sudo #1908 (Pierre Dubouilh)
  • [misc] pass proper timeout value to uv_timer_start #1911 (Ichito Nagata)
  • [misc] refine socket pool entry timeout #1923 (Baodong Chen)
  • [misc] fix build error under Android O for boringssl #1960 (Baodong Chen)
  • [misc] fix compiler error under android O #1961 (Baodong Chen)
  • [misc] use predifined function 'h2o_socket_is_reading|writing' #1973 (Baodong Chen)
  • [misc] add 'H2O_ERROR_PRINTF' macro, default is 'fprintf(stderr,...)' #2008 (Baodong Chen)

H2O version 2.2.6

13 Aug 17:05
Choose a tag to compare

This is a bug-fix release of the 2.2 series with following changes from 2.2.5, including a vulnerability fix.

H2O version 2.3.0-beta1

02 Jun 04:56
Choose a tag to compare

This is the first beta release of version 2.3 series. Changes from version 2.2.5 are as follows.

  • [core] forbid empty path string in configuration #1506 (Ichito Nagata)
  • [core] use eventfd instead of pipe on linux #1533 (Baodong Chen)
  • [core] remove redundancy #1568 #1569 #1584 #1596 (Baodong Chen)
  • [core] !env for respecting environment variables from the configuration file #1524 (Yannick Koechlin)
  • [core] avoid copying vector when calling writev #1600 (Kazuho Oku)
  • [core] alignment-aware allocation from memory pool #1605 (Baodong Chen)
  • [core] stash directive for storing arbitrary YAML data #1739 (Ichito Nagata)
  • [access-log] log connections that closed prior to sending a response #1235 (Kazuho Oku)
  • [compress] update brotli to 1.0.2 #1523 (Kazuho Oku)
  • [fastcgi] accept default as a keyword of the extensions attribute #1414 (Ichito Nagata)
  • [fastcgi] add verbose mode to fastcgi-cgi gateway #1466 (Kazuho Oku)
  • [fastcgi][mruby][proxy] do not delay sending the headers until some chunk of body becomes available #1508 (Ichito Nagata)
  • [http1][http2] support for server-timing #1646 #1717 (Ichito Nagata)
  • [http1][http2] forward informational responses #1727 (Ichito Nagata)
  • [http2] support critical attribute in preload link header #1436 (Kazuho Oku, Frederik Deweerdt)
  • [http2] continue to process active streams after sending GOAWAY upon graceful shutdown #1556 (Ichito Nagata)
  • [mime] more predefined types #1398 #1632 #1708 #1723 (Jxck, proyb6, OGINO Masanori)
  • [mime] mark /+json as compressible #1709 (OGINO Masanori)
  • [mruby] Rack middleware support #1217 (Ichito Nagata)
  • [mruby] allow running asynchronous operations unbounded to the Rack request being processed #1173 (Ichito Nagata)
  • [mruby] add channel class and task method for parallel processing #1336 (Ritta Narita)
  • [mruby] implement sleep #1348 (Ichito Nagata)
  • [mruby] implement Digest::SHA256 #1387 (Kazuho Oku)
  • [mruby] add option to specify mrbgem dependencies out of tree #1446 (Satoshi Tagomori)
  • [mruby] on exception, emit filenames and consistent line number of embedded mruby code #1537 (Satoshi Tagomori)
  • [mruby] introduce client-warning header for error notification #1562 (Ichito Nagata)
  • [mruby] allow fiber switch in constructor #1574 (Kazuho Oku)
  • [mruby] fix crash when the rack handler returns a non-number status code #1576 (Kazuho Oku)
  • [mruby] add support for redis #1152 (Ichito Nagata)
  • [mruby] replace iijson with mattn-json #1684 (Yannick Koechlin, Kazuho Oku)
  • [mruby] update mruby and modules #1462 #1685
  • [proxy] load balancing support (round-robin, least-conn) #1277 #1361 (Justin Zhu)
  • [proxy] cap the amount of request body being buffered #1357 (Frederik Deweerdt)
  • [proxy] cap the amount of response body being buffered #1358 (Frederik Deweerdt)
  • [proxy] introduce separate timeouts for connection establishment and first-byte #1402 (Frederik Deweerdt)
  • [proxy] forward the error to the client when upstream closes the connection abruptly #1490 (Ichito Nagata)
  • [proxy] add option to skip supplementation of a Date header #1495 (Frederik Deweerdt)
  • [proxy] do not abort when receiving an invalid transfer-encoding header from upstream #1688 (Ichito Nagata)
  • [reproxy] connection pooling for reproxy #1434 (Ichito Nagata)
  • [ssl] support redis as a data store for session cache / ticket #1087 (Ichito Nagata)
  • [ssl] unbundle libressl #1546 (Kazuho Oku)
  • [ssl] add support for 425 Too Early status code #1344 (Kazuho Oku)
  • [libh2o] enable ECDH in the exmaple server #1602 (Varbin)
  • [libh2o] emit less system calls in websocket #1590 (Baodong Chen)
  • [libh2o] build examples using evloop #1589 (Baodong Chen)
  • [libh2o] add API to release thread-local data #1624 (Baodong Chen)
  • [libh2o] h2o_gettimeofday to obtain current time in microsecond order #1726 (Ichito Nagata)
  • [misc] include process id in crash backtrace #1254 (Kazuho Oku)
  • [misc] backtracing for BSD #1503 (Frederik Deweerdt)
  • [misc] fix build issues for Android #1521 (Joel Winarske)
  • [misc] switch to Docker-based CI #1551 #1580 (Kazuho Oku)

H2O version 2.2.5

01 Jun 07:57
Choose a tag to compare

This is a bug-fix release of the 2.2 series with following changes from 2.2.4, including one vulnerability fix.

  • [security fix][access-log] fix buffer overflow CVE-2018-0608 #1775 (Frederik Deweerdt)
  • [fastcgi] index file name must be part of SCRIPT_NAME #1650 (Ichito Nagata)
  • [http2] do not compress cookies less than 20 bytes long #1389 (Julien Benoist)
  • [http2] stop opening new push streams after receiving GOAWAY #1555 (Ichito Nagata)
  • [http2] fix conformance issues #1579 #1582 #1599 (Kazuho Oku)
  • [mruby] drop the link rel=preload header with a x-http2-push-only attribute #1310 (Frederik Deweerdt)
  • [mruby] allow loading a file that shares the basename with one of the preloaded files #1662 (Ichito Nagata)
  • [proxy] fix I/O error when receiving multiple informational responses #1716 (Frederik Deweerdt)
  • [ssl] fix bug that prevents record size growing to maximum when latency optimization is disabled #1545 (Ichito Nagata)
  • [ssl] fix compatibility issues with libressl 2.7 #1707 (AIZAWA Hina)
  • [ssl] update picotls to support TLS 1.3 draft-26 #1718 (Kazuho Oku)

H2O version 2.2.4

15 Dec 07:03
Choose a tag to compare

This is a bug-fix release of the 2.2 series, including two vulnerability fixes.

  • [security fix][access-log][ssl] fix crash when logging TLS 1.3 properties CVE-2017-10872 #1543 (MITSUNARI Shigeo)
  • [security fix][http2] fix crash when handling malformed HTTP/2 request CVE-2017-10908 #1544 (Kazuho Oku)
  • [access-log][compress] %b should log the amount of data sent after compression #1478 (Ichito Nagata)
  • [fastcgi][misc] respect H2O_PERL environment variable in share/h2o/setuidgid #1518 (Kazuho Oku)
  • [mime] fix Opus mimetype #1522 (Alex)
  • [mruby] fix runtime issue that prevents a closed variable from getting updated #1464 (Tatsushi Demachi)
  • [mruby] keep PATH_INFO undecoded #1480 (Ichito Nagata)
  • [mruby] fix keepalive not being used when the response to http_request is directly returned #1489 (Ichito Nagata)
  • [mruby] fix offset overflow of SCRIPT_INFO and PATH_INFO #1502 (Ichito Nagata)
  • [proxy][ssl] fix pointer corruption when connecting to origin via https (big-endian only) #1475 (Kazuho Oku)
  • [proxy] omit network I/O when handling internal redirect between hosts mapped to different ports #1498 (Ichito Nagata)
  • [ssl] fix crash on s390 (and possibly on other big-endian machines) #1474 (Apollon Oikonomopoulos)
  • [websocket] do not send upgrade header twice #1463 (Yamagishi Kazutoshi)

H2O version 2.2.3

19 Oct 06:08
Choose a tag to compare

This is a bug-fix release of the 2.2 series, including two vulnerability fixes.

  • [security fix][http1] fix crash when receiving request with invalid framing CVE-2017-10868 #1459 (Frederik Deweerdt)
  • [security fix][proxy] fix stack overflow when sending huge request body to upstream CVE-2017-10869 #1460 (Frederik Deweerdt)
  • [core] disable buffering of stdout, stderr #1347 (Yannick Koechlin)
  • [expires] fix incorrect header emitted when units: month or year were used #1406 (Frederik Deweerdt)
  • [fastcgi] never return 304 if the file is a dynamic handler #1385 (Kazuho Oku)
  • [mime] flush all existing mapping when file.mime.settypes is used #1416 (Ichito Nagata)
  • [mruby] update mruby and modules #1320 #1338 #1413
  • [mruby] expose SERVER_PROTOCOL #1353 (Frederik Deweerdt)
  • [mruby] properly handle content-less response #1430 (Ichito Nagata)
  • [proxy] do not drop the Date request header #1408 (Ichito Nagata)
  • [ssl] fix deadlock during lazy initialzation #1425 (Apollon Oikonomopoulos)
  • [ssl] fix epoll-related crashes on OSCP updates #1427 (Apollon Oikonomopoulos)
  • [ssl] avoid spurious session ticket renewals #1444 (Apollon Oikonomopoulos)
  • [websocket] fix bug that might drop the first websocket frame #1276 (wuhanck)
  • [libh2o] clear OpenSSL's error queue before using it #1448 (Apollon Oikonomopoulos)
  • [doc] add documentation of duration-stats #1306 (Frederik Deweerdt)
  • [misc] fix build issues on OpenIndiana #1300 (David Carlier)
  • [misc] build on platforms without 64-bit atomics #1433 (Apollon Oikonomopoulos)

H2O version 2.2.2

23 Apr 04:23
Choose a tag to compare

This is a bug-fix release for 2.2 series, fixing the following regression found in 2.2.1.

  • [ssl] fix OCSP stapling error when LibreSSL is used #1275 (Ian Moone)

H2O version 2.2.1

22 Apr 23:22
Choose a tag to compare

This is a bug-fix release for 2.2 series, fixing the following issues found in 2.2.0.

  • [mruby] correct the line number reported on an exception #1239 #1251 (Ichito Nagata)
  • [mruby] retain the order of request headers sharing a single name #1271 (Kazuho Oku)
  • [ssl] fix assertion failure in decode_ssl_input #1264 (Kazuho Oku)
  • [ssl] fix OCSP stapling error when OpenSSL 1.1.0 is used #1270 (Kazuho Oku)
  • [libh2o] fix crash when abruptly closing an HTTP/2 connection on libuv #1250 (Kazuho Oku)
  • [libh2o] fix memory leak of _timestamp_cache #1255 (Kazuho Oku)
  • [doc] restore doc of %{...}e #1252 (Kazuho Oku)
  • [doc] fix typo suggesting using brotli instead of br #1263 (Bogdan Khomutsky)
  • [misc] fix undefined behaviors detected by ubsan #1246 (Frederik Deweerdt)

H2O version 2.2.0

05 Apr 06:54
Choose a tag to compare

This is the first release for 2.2 series, with the following new features and bug fixes from 2.1.0.

  • [core] add crash-handler.wait-pipe-close parameter #1092 (Frederik Deweerdt)
  • [core] introduce an option to bypass the server header sent from upstream #1226 (Frederik Deweerdt)
  • [core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations #1231 (Kazuho Oku)
  • [access-log] add %{remote}p for logging the remote port #1166 (Kazuho Oku)
  • [access-log] add support for JSON-style escapes and null #1208 (Kazuho Oku)
  • [access-log] add specifier for logging per-request environment variables #1221 (Yannick Koechlin)
  • [access-log] add support for <, > modifiers for logging either the original or the final response #1238 (Kazuho Oku)
  • [access-log] do not emit request-total-time twice #1017 (Kazuho Oku)
  • [fastcgi] fix a bug that closes the FastCGI listener socket during startup #1203 (Frederik Deweerdt)
  • [file] add directive for serving gzipped files, decompressing them on-the-fly #1140 (Ichito Nagata)
  • [headers] fix buffer overrun during startup #1180 (Frederik Deweerdt)
  • [http1][proxy] preserve the cases of characters used in header names #1194 (Frederik Deweerdt)
  • [http1][proxy] fix undefined behavior in HTTP/1 parser #1189 (Frederik Deweerdt)
  • [http1] stop reading from socket after sending 400 to avoid the risk of assertion failure #1223 (Frederik Deweerdt)
  • [http2] recognize x-http2-push-only attribute on link header #1169 (Frederik Deweerdt)
  • [http2] add optional timeout for closing connections upon graceful shutdown #1108 (Frederik Deweerdt)
  • [http2] do not ack an acked PING frame #1175 (Moto Ishisawa)
  • [http2] reject requests exceeding the maximum allowed size more efficiently #1183 (Frederik Deweerdt)
  • [mruby] remove dependenty to mkmf #1197 (Yuki Kurihara)
  • [mruby] correct the line number reported on an exception #1239 (Ichito Nagata)
  • [proxy] add directives for tweaking headers sent to upstream #1126 (Justin Zhu)
  • [proxy] retain case-sensitivity of unix socket paths #1131 (Frederik Deweerdt)
  • [proxy] add directive for controlling the via request header #1225 (Frederik Deweerdt)
  • [ssl] add directive for logging session ID #1164 (Yannick Koechlin)
  • [ssl] add support for TLS 1.3 draft-18 #1204 (Kazuho Oku)
  • [ssl] stop evicting session entries in memcached when they are removed from internal cache #1185 (Ichito Nagata)
  • [ssl] fix crash when a secp384r1, secp521r1 certificate is used with TLS 1.3 #1214 (Kazuho Oku)
  • [ssl] fix build failure with OpenSSL 1.1.0 #1216 (Kazuho Oku)
  • [ssl] add doc for handshake-timeout #1233 (Kazuho Oku)
  • [status] fix race condition during start-up #1242 (Frederik Deweerdt)
  • [libh2o] implement h2o_evloop_destroy #1200 (kazan417)
  • [misc] add test code for fuzzing #1174 #1182 #1191 #1192 (Frederik Deweerdt, Jonathan Foote)
  • [misc] fix issues reported by Coverity #1168 #1172 #1179 (Harrison Bowden, Frederik Deweerdt)

H2O version 2.2.0-beta3

22 Mar 15:32
Choose a tag to compare

This is a beta release of version 2.2, with following new features and improvements.

  • [core] introduce an option to bypass the server header sent from upstream #1226 (Frederik Deweerdt)
  • [core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations #1231 (Kazuho Oku)
  • [access-log] in JSON logging, remove surrounding quotes arround null #1229 (Kazuho Oku)
  • [ssl] add doc for handshake-timeout #1233 (Kazuho Oku)