We have released nghttp2 v1.41.0.

This release includes security advisory.

Security Advisory

CVE-2020-11080: Denial of service: Overly large SETTINGS frames

For more information, read the security advisory.

lib

This release implements nghttp2_option_set_max_settings API which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves SETTINGS flood check earlier to make it more effective.

The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is default), after window size is set to 0 by nghttp2_session_set_local_window_size, once the receiving window is exhausted, even after window size is increased by nghttp2_session_set_local_window_size, no more data cannot be received. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. It is only triggered when new data arrives but since window is filled up, no more data cannot be received, thus dead lock happens.

build

With cmake build, the hard-coded static lib suffix is now optional.

nghttpx

proxyprotocol v2 has been implemented.

The bug in getting certificate serial number with mruby script has been fixed.

h2load

New option, --connect-to, is added.