Skip to content

@tatsuhiro-t tatsuhiro-t released this Nov 15, 2019 · 7 commits to master since this release

  • lib: Add nghttp2_check_authority as public API (GH-1413)
  • lib: Fix the bug that stream is closed with wrong error code (GH-1408)
  • lib: Faster huffman encoding and decoding (GH-1405)
  • build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
  • build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
  • build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
  • third-party: Update neverbleed to fix memory leak
  • nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
  • nghttpx: Reconnect h1 backend if it lost connection before sending headers
  • nghttpx: Returns 408 if backend timed out before sending headers
  • nghttpx: Fix request stall (GH-1378)
Assets 5

@tatsuhiro-t tatsuhiro-t released this Aug 13, 2019 · 46 commits to master since this release

This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

  • Fix CVE-2019-9511 and CVE-2019-9513
  • Add nghttp2_option_set_max_outbound_ack API function
  • nghttpx: Fix request stall
Assets 5

@tatsuhiro-t tatsuhiro-t released this Jun 11, 2019 · 46 commits to master since this release

  • nghttpx: Fix bug that log-level is not set with cmd-line or configuration file
  • nghttpx: Fix FPE with default backend
Assets 5

@tatsuhiro-t tatsuhiro-t released this Jun 11, 2019 · 46 commits to master since this release

  • lib: Ignore content-length in 200 response to CONNECT request (GH-1347)
  • third-party: Upgrade mruby to 2.0.1 (GH-1337)
  • asio: support boost-1.70 (Patch from Adam Gołębiowski) (GH-1335)
  • src: Replace http-parser with llhttp (GH-1340)
  • nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT (GH-1347)
  • nghttpx: Fix unchanged log level on configuration reload (GH-1356)
Assets 5

@tatsuhiro-t tatsuhiro-t released this Apr 18, 2019 · 76 commits to master since this release

  • lib: Fix bug that on_header callback is still called after stream is closed (GH-1331)
  • third-party: Update http-parser to v2.9.1
  • nghttpx: Fix bug that altered authority and path affect backend selection (GH-1334)
  • nghttpx: Fix bug that chunked request stalls (GH-1333)
  • nghttpx: Don't log authorization request header field value with -LINFO (GH-1332)
  • nghttpx: Fix for compilation against modern LibreSSL (Patch from Jeff 'Raid' Baitis) (GH-1270)
Assets 5

@tatsuhiro-t tatsuhiro-t released this Mar 8, 2019 · 91 commits to master since this release

  • lib: Take into account larger frame size for prioritization
  • lib: Reuse name when indexing header by referencing dynamic table
  • build: Explicitly set install location when building shared libs (Patch from Don) (GH-1303)
  • nghttpx: Fix backend stall if header and request body are sent in 2 packets
  • nghttpx: Backend address selection with weight (GH-1297)
  • nghttpx: Fix compilation with boringssl (Patch from Simon Frankenberger) (GH-1295)
Assets 5

@tatsuhiro-t tatsuhiro-t released this Jan 18, 2019 · 110 commits to master since this release

  • build: Disable shared library if ENABLE_SHARED_LIB is OFF (Patch from Brendan Heinonen) (GH-1285)
  • third-party: Use http-parser to v2.9.0 (GH-1294)
  • third-party: Update mruby to 2.0.0
  • nghttpx: Pool h1 backend connection per address (GH-1292)
  • nghttpx: Randomize backend address round robin order per thread (GH-1291)
  • nghttpx: Fix getting long serial numbers for openssl < 1.1 (Patch from Josh Braegger) (GH-1287)
  • h2load: add an option to write per-request logs (Patch from dawg) (GH-1256)
  • asio: added access to the number of the current server port (Patch from Pedro Santos) (GH-1257)
Assets 5

@tatsuhiro-t tatsuhiro-t released this Dec 9, 2018 · 143 commits to master since this release

  • nghttpx: Fix broken trailing slash handling (GH-1276)
Assets 5

@tatsuhiro-t tatsuhiro-t released this Nov 23, 2018 · 143 commits to master since this release

  • build: cmake: Fix libevent version detection (Patch from Jan Kundrát) (GH-1238)
  • lib: Use __has_declspec_attribute for shared builds (Patch from Don) (GH-1222)
  • src: Require C++14 language feature
  • nghttpx: Write mruby send_info early
  • nghttpx: Fix assertion failure on mruby send_info with HTTP/1 frontend
  • h2load: Handle HTTP/1 non-final response (GH-1259)
  • h2load: Clarify that time for connect includes TLS handshake
Assets 5

@tatsuhiro-t tatsuhiro-t released this Oct 4, 2018 · 190 commits to master since this release

  • lib: Implement RFC 8441 :protocol support (GH-1181)
  • nghttpx: Add read/write-timeout parameters to backend option (GH-1235)
  • nghttpx: Fix mruby parameter validation in backend option
  • nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2 (GH-1234)
  • nghttpx: Update neverbleed to fix OpenSSL 1.1.1 issues
  • nghttpx: Update mruby 1.4.1
  • nghttpx: Add mruby env.tls_handshake_finished
  • nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
  • nghttpx: Add RFC 8470 Early-Data header field support
  • nghttpx: Add RFC 8446 TLSv1.3 0-RTT early data support (GH-846)
Assets 5
You can’t perform that action at this time.