We have released nghttp2 v1.19.0.

libnghttp2

We fixed memory leak bug which only occurs in server side session. Client side sessions are not affected. This bug was detected by LLVM libFuzzer with HTTP/2 corpus that h2o project uses. Due to the bad code path which nullifies next pointers of linked list in a certain condition, nghttp2_stream object is not going to be freed. We highly encourage to upgrade the existing installation to this latest version.

Alexis La Goutte sent series of patches to fix several issues found by PVS studio.

doc

makovich sent a patch to state that building nghttp2 with jemalloc does not work on Alpine Linux due to its inability of replacing malloc.

nghttp

Benedikt Christoph Wolters sent a patch to take into account authority specified in -H option to find links in HTML page (--get-assets option). Now authority and scheme are considered to find these links.

nghttpx

accesslog-write-early option has been added. If it is used, access log is written when response header block is sent, rather than after request transaction finishes.

client-ciphers option has been added. Previously, ciphers option sets cipher list for both frontend and backend TLS connections. Now ciphers option only sets cipher list for frontend connections. The new client-ciphers option sets cipher list for backend connection.

Similarly, we added client-no-http2-cipher-black-list option to disable HTTP/2 cipher black list enforcement on backend connection. The exiting no-http2-cipher-black-list option disables HTTP/2 cipher black list on frontend connection.

We fix the bug that no-http2-cipher-black-list (which is now client-no-http2-cipher-black-list) does not work on backend HTTP/2 connections.

We added PSK cipher suite support to nghttpx. Read this article to know how to use PSK cipher suites.

Now accept-proxy-protocol option was deprecated. To accept PROXY protocol, use proxyproto keyword in frontend option.