07c44afc8d
Fix CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Fix CVE-2023-35945: nghttp2 fails to release memory when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent. https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6pcr-v3hg-752p https://github.com/nghttp2/nghttp2/compare/v1.41.0...v1.57.0 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
|---|---|---|
| .. | ||
| Config.in | ||
| nghttp2.hash | ||
| nghttp2.mk | ||