07c44afc8d
Fix CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Fix CVE-2023-35945: nghttp2 fails to release memory when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent. https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6pcr-v3hg-752p https://github.com/nghttp2/nghttp2/compare/v1.41.0...v1.57.0 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
25 lines
770 B
Makefile
25 lines
770 B
Makefile
################################################################################
|
|
#
|
|
# nghttp2
|
|
#
|
|
################################################################################
|
|
|
|
NGHTTP2_VERSION = 1.57.0
|
|
NGHTTP2_SOURCE = nghttp2-$(NGHTTP2_VERSION).tar.xz
|
|
NGHTTP2_SITE = https://github.com/nghttp2/nghttp2/releases/download/v$(NGHTTP2_VERSION)
|
|
NGHTTP2_LICENSE = MIT
|
|
NGHTTP2_LICENSE_FILES = COPYING
|
|
NGHTTP2_INSTALL_STAGING = YES
|
|
NGHTTP2_CPE_ID_VENDOR = nghttp2
|
|
NGHTTP2_DEPENDENCIES = host-pkgconf
|
|
NGHTTP2_CONF_OPTS = --enable-lib-only
|
|
|
|
define NGHTTP2_INSTALL_CLEAN_HOOK
|
|
# Remove fetch-ocsp-response script unused by library
|
|
$(Q)$(RM) -rf $(TARGET_DIR)/usr/share/nghttp2
|
|
endef
|
|
|
|
NGHTTP2_POST_INSTALL_TARGET_HOOKS += NGHTTP2_INSTALL_CLEAN_HOOK
|
|
|
|
$(eval $(autotools-package))
|