Skip to content
Choose a tag to compare
  • build: Workaround broken version check in AX_PYTHON_DEVEL (GH-1622)
  • build: Remove check for UDP_SEGMENT (GH-1619)
  • build: Fix issue that libev cannot be found with autotools under mac osx
  • build: Fix compile error with libressl
  • build: Always include optional files to EXTRA_DIST
  • build: Add missing cmake files to EXTRA_DIST
  • src: Enable HTTP/3 with boringssl
  • src: Compile with boringssl for non-http3 build
  • src: Guard msghdr_get_local_addr with ENABLE_HTTP3 macro (GH-1620)
  • nghttpx: Reduce dgram size if sendmsg fails with EINVAL or EMSGSIZE
  • nghttpx: Set SCT data when built with boringssl
  • nghttpx: Fix wrong SSL_CTX object usage
  • nghttpx: Respect !tls-no-postpone-early-data with boringssl
  • nghttpx: Send session ticket after handshake with boringssl
  • nghttpx: Add --frontend-quic-initial-rtt option
  • nghttpx: Unload BPF program after setting up all QUIC listeners
  • nghttpx: Add --worker-process-grace-shutdown-period option
  • nghttpx: Add --max-worker-processes option
  • nghttpx: Unload BPF objects on reload to avoid running out of memlock
  • nghttpx: Support h3-29
  • nghttpx: Fail h3 connection attempt if no ALPN is negotiated
  • nghttpx: Add --rlimit-memlock option
  • nghttpx: Read QUIC keying materials from file
  • nghttpx: Allocate server id in Connection ID (see --quic-server-id option)
Choose a tag to compare
  • build: Fix compile error with libressl
  • build: Always include optional files to EXTRA_DIST
  • build: Add missing cmake files to EXTRA_DIST
Choose a tag to compare
  • lib: Stricter checks for pseudo-headers :method and :path (Patch from Michael Kaufmann) (GH-1613)
  • doc: Rename sphinxcontrib to rubydomain to avoid module loading error
  • doc: Allow SPHINXBUILD to be overridden by environment variable
  • doc: Fix reference to non-existing nghttp2_option_set_max_send_header_block_size() in comment (Patch from Amir Livneh) (GH-1610)
  • doc: update document for nghttp2_session_mem_recv (Patch from Jacky_Yin) (GH-1603)
  • build: Build with OpenSSL v3.0.0
  • build: Fix cmake Systemd warning
  • nghttpx: Check that HTTP response message finished safely
  • nghttpx: Use secure random to create websocket nonce
  • nghttpx: Fix heap-use-after-free on initialization failure
  • nghttpx: Add experimental HTTP/3 support
  • nghttpx: Add "dnf" (= "do not forward") parameter to backend option (GH-1607)
  • h2load: Add qlog output support (Patch from Hajime Fujita) (GH-1569)
  • h2load: Add SSLKEYLOGFILE support (Patch from Lucas Pardue) (GH-1399)
  • h2load: Add experimental HTTP/3 support
  • nghttpd: Fix prototype mismatch for function 'file_read_callback' (Patch from lhuang04) (GH-1602)
Choose a tag to compare

lib: Port new ngtcp2 map implementation
doc: Replace master with main
build: Add precious variables for libev and jemalloc and use JEMALLOC_CFLAGS
build: Add more --with-* configure flags
build: Add LIBTOOL_LDFLAGS configure variable
third-party: Bump llhttp to 6.0.2
src: Replace black-list with block-list
nghttpx: Fix max distance in weight group/address cycle comparison
nghttpx: Set connect_blocker and live_check after shuffling addresses
nghttpx: Replace master with main
nghttpx: Remove trailing white space after $method log variable (GH-1553)
h2load: Add --rps option (GH-1559)
h2load: Allow unit in -D option
asio: fix some typos (Patch from Jan Kundrát) (GH-1550)

Choose a tag to compare

doc: Make doc generation work with sphinx v3.3 (GH-1547)
python: Require python3 for python bindings (GH-1548)
python: Require python3 for python scripts (GH-1546)
nghttpx: Make sure that Pool gets cleared when all buffers are returned (GH-1544)
nghttpx: Choose ECDSA cert if compatible signature algorithm available (GH-1542)
nghttpx: Add workaround to include ':' in backend pattern (GH-1537)

Choose a tag to compare
  • lib: fix ubsan errors (Patch from Asra Ali) (GH-1468)
  • lib: Don't send RST_STREAM to idle stream (GH-1477)
  • lib: nghttp2_map backed by nghttp2_ksl
  • doc: Update sphinx_rtd_theme
  • doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489)
  • doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488)
  • build: Add missing cmake/FindSystemd.cmake to dist (GH-1526)
  • third-party: Bump llhttp to 2.2.0
  • third-party: Bump mruby to 2.1.2
  • nghttpx: Deal with the case when h2 backend is retired before it is initialized
  • nghttpx: Add accesslog variables to record request path without query (GH-1511)
  • nghttpx: Fix stall when TLS follows after proxy protocol
  • nghttpx: Fix logging integer
Choose a tag to compare
  • Fix CVE-2020-11080
  • lib: Implement max settings option (Patch from James M Snell)
  • lib: Earlier check for settings flood (Patch from James M Snell)
  • lib: Fix receiving stream data stall (GH-1444)
  • build: cmake: Make hard-coded static lib suffix optional (Patch from Viktor Szakats) (GH-1418)
  • third-party: Bump llhttp to 2.0.4 (GH-1442)
  • nghttpx: Add PROXY-protocol v2 support (GH-1452)
  • nghttpx: Fix get_x509_serial for long serial numbers (Patch from Jacky Tian) (GH-1455)
  • h2load: Allow port in --connect-to
  • h2load: add --connect-to option (Patch from Lucas Pardue) (GH-1426)
Choose a tag to compare
  • lib: Add nghttp2_check_authority as public API (GH-1413)
  • lib: Fix the bug that stream is closed with wrong error code (GH-1408)
  • lib: Faster huffman encoding and decoding (GH-1405)
  • build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
  • build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
  • build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
  • third-party: Update neverbleed to fix memory leak
  • nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
  • nghttpx: Reconnect h1 backend if it lost connection before sending headers
  • nghttpx: Returns 408 if backend timed out before sending headers
  • nghttpx: Fix request stall (GH-1378)
Choose a tag to compare

This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

  • Fix CVE-2019-9511 and CVE-2019-9513
  • Add nghttp2_option_set_max_outbound_ack API function
  • nghttpx: Fix request stall
Choose a tag to compare
  • nghttpx: Fix bug that log-level is not set with cmd-line or configuration file
  • nghttpx: Fix FPE with default backend