We have released nghttp2 v1.62.0.
Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tarballs, such as nghttp2-1.62.0.tar.gz.
We have released nghttp2 v1.61.0.
This release includes a security advisory.
CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage
For more information, read the security advisory.
For other changes, refer to v1.61.0 release notes.
Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tarballs, such as nghttp2-1.61.0.tar.gz.
We have released nghttp2 v1.60.0.
The RFC 7540 priorities (aka stream dependencies) APIs have been deprecated. They work just like before, but in a future release after the end of 2024 the functionality will be removed, and the deprecated APIs will start behaving differently. See the API documentation for details. RFC 7540 priorities have been deprecated by RFC 9113. Consider migrating to the RFC 9218 extensible prioritization scheme.
The APIs that use ssize_t, including structs and callback functions, have been deprecated. New APIs that use nghttp2_ssize are introduced as a replacement. The usage of ssize_t is problematic for several reasons. Some platforms do not define ssize_t. The minimum value of ssize_t that POSIX requires is -1, which puts the nghttp2 error codes out of range. nghttp2_ssize is an alias of ptrdiff_t, which is in the C standard and covers our error code range.
New code should use the new nghttp2_ssize APIs. Existing applications should consider migrating to the new APIs. The deprecated ssize_t APIs continue to work for backward compatibility.
Here is the summary of the deprecated APIs and their replacements:
Callback functions:
nghttp2_data_source_read_callback => nghttp2_data_source_read_callback2
nghttp2_data_source_read_length_callback => nghttp2_data_source_read_length_callback2
nghttp2_pack_extension_callback => nghttp2_pack_extension_callback2
nghttp2_recv_callback => nghttp2_recv_callback2
nghttp2_select_padding_callback => nghttp2_select_padding_callback2
nghttp2_send_callback => nghttp2_send_callback2
Structs:
nghttp2_data_provider => nghttp2_data_provider2
Functions:
nghttp2_hd_deflate_hd => nghttp2_hd_deflate_hd2
nghttp2_hd_deflate_hd_vec => nghttp2_hd_deflate_hd_vec2
nghttp2_hd_inflate_hd2 => nghttp2_hd_inflate_hd3
nghttp2_pack_settings_payload => nghttp2_pack_settings_payload2
nghttp2_session_callbacks_set_data_source_read_length_callback => nghttp2_session_callbacks_set_data_source_read_length_callback2
nghttp2_session_callbacks_set_pack_extension_callback => nghttp2_session_callbacks_set_pack_extension_callback2
nghttp2_session_callbacks_set_recv_callback => nghttp2_session_callbacks_set_recv_callback2
nghttp2_session_callbacks_set_select_padding_callback => nghttp2_session_callbacks_set_select_padding_callback2
nghttp2_session_callbacks_set_send_callback => nghttp2_session_callbacks_set_send_callback2
nghttp2_session_mem_recv => nghttp2_session_mem_recv2
nghttp2_session_mem_send => nghttp2_session_mem_send2
nghttp2_submit_data => nghttp2_submit_data2
nghttp2_submit_request => nghttp2_submit_request2
nghttp2_submit_response => nghttp2_submit_response2
For applications that do not want to see ssize_t in the nghttp2.h header file at all, define the NGHTTP2_NO_SSIZE_T macro before including nghttp2.h. It hides all ssize_t APIs.
cmake build and install trees are now fixed.
The following dependencies have been updated:
CUnit has been replaced with ngtcp2/munit. munit is pulled via git submodule.
The flags to build applications with libbrotli have been added.
llhttp has been updated.
mruby is updated to v3.3.0.
The --sni option has been added.
The certificate compression support with boringssl (or aws-lc) and libbrotli has been added.
We have released nghttp2 v1.59.0.
This release adds API to get and parse RFC 9218 priority.
nghttp2_select_next_protocol() has been deprecated. Use nghttp2_select_alpn() instead.
The following dependencies have been updated:
h2load now considers all h2 HEADERS when counting bytes and recording TTFB.
This release fixes the bug that TTFB is not recorded if an h3 stream has no data.
h2load now ignores 1xx status codes.
An IPv6 address is now enclosed in square brackets when set in the :authority header field.
This release adds the SSL_CTX_set_recv_max_early_data() call, which OpenSSL requires.
The __FILE_NAME__ macro is preferred if available.
nghttpx now propagates stream priority from backend to frontend.
This release fixes the bug that nghttpx sends QUIC RESET_STREAM when it receives RESET_STREAM from a client.
This release drops old OpenSSL (< 1.1.1) support.
The bundled applications can now be built with aws-lc.
We have released nghttp2 v1.58.0.
This release fixes build issues with cygwin and mingw.
This release speeds up warning option detection with cmake.
The following dependencies have been updated:
neverbleed has been updated.
This release introduces stricter transfer-encoding checks.
The HTTP/3 tests are now enabled with cmake.
We have released nghttp2 v1.57.0.
This release includes a security advisory.
CVE-2023-44487: HTTP/2 Rapid Reset
For more information, read the security advisory.
This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset. It has a reasonable default budget for incoming RST_STREAM frames. An application can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and checking for RST_STREAM frames.
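As an added example (not nghttp2 code), the application-side limiter the paragraph mentions: a token bucket, allowing a burst of RST_STREAM frames and then a steady rate per second, applied only to RST_STREAM frames so that a peer exceeding the budget gets its connection closed. on_frame_received, first_rejected and the RST_* result codes are hypothetical glue that a real nghttp2_on_frame_recv_callback would wrap (returning NGHTTP2_ERR_CALLBACK_FAILURE for RST_CLOSE_CONNECTION), and burst 1000 / rate 33 are the example's own values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define RST_STREAM_FRAME_TYPE 0x03 /* HTTP/2 frame type of RST_STREAM (RFC 9113, 6.4) */
/* Hook results: RST_OK = return 0 from the real callback; RST_CLOSE_CONNECTION = return NGHTTP2_ERR_CALLBACK_FAILURE. */
enum { RST_OK = 0, RST_CLOSE_CONNECTION = -1 };
/* Token bucket: up to `burst` RST_STREAM frames at once, refilled at `rate` per second; time in ms. */
typedef struct {
  uint64_t burst, rate;
  uint64_t tokens;  /* current allowance */
  uint64_t last_ms; /* time up to which refill has been credited */
} rst_rate_limit;
void rst_rate_limit_init(rst_rate_limit *rl, uint64_t burst, uint64_t rate, uint64_t now_ms) {
  rl->burst = burst; rl->rate = rate;
  rl->tokens = burst; /* a fresh connection starts with the full burst */
  rl->last_ms = now_ms;
}
/* Credit whole tokens earned since last_ms; sub-token remainders carry over because
 * last_ms only advances by the time those whole tokens cost. */
static void rst_rate_limit_refill(rst_rate_limit *rl, uint64_t now_ms) {
  if (rl->rate == 0 || now_ms <= rl->last_ms) return;
  uint64_t added = (now_ms - rl->last_ms) * rl->rate / 1000;
  if (added == 0) return;
  rl->tokens = rl->tokens + added > rl->burst ? rl->burst : rl->tokens + added;
  rl->last_ms += added * 1000 / rl->rate;
}
/* Consume one token; false means the peer is over budget. */
bool rst_rate_limit_allow(rst_rate_limit *rl, uint64_t now_ms) {
  rst_rate_limit_refill(rl, now_ms);
  if (rl->tokens == 0) return false;
  rl->tokens--;
  return true;
}
/* Hypothetical glue called from nghttp2_on_frame_recv_callback with frame->hd.type. */
int on_frame_received(rst_rate_limit *rl, uint8_t frame_type, uint64_t now_ms) {
  if (frame_type != RST_STREAM_FRAME_TYPE) return RST_OK; /* only RST_STREAM consumes budget */
  return rst_rate_limit_allow(rl, now_ms) ? RST_OK : RST_CLOSE_CONNECTION;
}
/* Replay n RST_STREAM frames at now_ms; return the index of the first one rejected, or 0. */
int first_rejected(rst_rate_limit *rl, int n, uint64_t now_ms) {
  for (int i = 1; i <= n; i++)
    if (on_frame_received(rl, RST_STREAM_FRAME_TYPE, now_ms) != RST_OK) return i;
  return 0;
}
int main(void) { /* constructed flood: 1200 RST_STREAM frames arriving within one millisecond */
  rst_rate_limit rl;
  rst_rate_limit_init(&rl, 1000, 33, 0); /* example's own burst/rate values */
  printf("connection closed at RST_STREAM #%d\n", first_rejected(&rl, 1200, 1)); /* #1001 */
}
```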
This release fixes the bug that --single-process does not work.
It also fixes the bug that TLS connections are not rate limited.
We have released nghttp2 v1.56.0.
The following dependencies have been updated:
llhttp has been updated.
The functions that send ECN bits have been reworked.
--frontend-quic-congestion-controller=bbr2 has been renamed to --frontend-quic-congestion-controller=bbrv2.
This release fixes the issue that CMSG_DATA does not necessarily return an aligned pointer.
We have released nghttp2 v1.55.1.
This release includes a security advisory.
CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec
For more information, read the security advisory.
This CVE was filed by the envoyproxy/envoy project and has already been made public, and we did not take the usual security procedure. See below for why.
This release fixes a memory leak that happens when a PUSH_PROMISE or HEADERS frame cannot be sent and nghttp2_on_stream_close_callback fails with a fatal error. For example, if a GOAWAY frame has been received, a HEADERS frame that opens a new stream cannot be sent.
This issue has already been made public via CVE-2023-35945, issued by the envoyproxy/envoy project. During the embargo period, the patch to fix this bug was accidentally submitted to the nghttp2/nghttp2 repository, and they decided to disclose the CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.
The PoC described in the CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening a new stream, and nghttp2 enters the error handling branch, in order to cause the memory leak, the nghttp2_session_close_stream function must return a fatal error.
nghttp2 defines 2 fatal error codes:
NGHTTP2_ERR_NOMEM
NGHTTP2_ERR_CALLBACK_FAILURE
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process runs short of memory in this simple PoC scenario unless the application does some memory-heavy processing.
NGHTTP2_ERR_CALLBACK_FAILURE is returned from an application-defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates that something fatal happened inside a callback, and the connection must be closed immediately without any further action. As the nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as a fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or another error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.
We have released nghttp2 v1.55.0.
The following dependencies have been updated:
This release fixes a build error without libev.
llhttp has been updated.
Cross-compiling mruby is now supported.
UDP_GRO is enabled for the QUIC socket.
The initial QUIC packet number is now randomized.
We have released nghttp2 v1.54.0.
The following dependencies have been updated:
This release fixes an HTTP/3 upload stall bug.