---
- branch: MAIN
  date: Wed Aug 14 07:43:34 UTC 2019
  files:
  - new: '1.55'
    old: '1.54'
    path: pkgsrc/www/nghttp2/Makefile
    pathrev: pkgsrc/www/nghttp2/Makefile@1.55
    type: modified
  - new: '1.42'
    old: '1.41'
    path: pkgsrc/www/nghttp2/distinfo
    pathrev: pkgsrc/www/nghttp2/distinfo@1.42
    type: modified
  id: 20190814T074334Z.6388d4435d496a702fbdae64f47a19c61be2ebc2
  log: |
    nghttp2: updated to 1.39.2

    nghttp2 v1.39.2

    This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
    “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted
    HTTP/2 frames cause Denial of Service by consuming CPU time. Check out
    https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
    for details. For nghttpx, additionally limiting inbound traffic by
    --read-rate and --read-burst options is quite effective against this
    kind of attack.

    Fix CVE-2019-9511 and CVE-2019-9513
    Add nghttp2_option_set_max_outbound_ack API function
    nghttpx: Fix request stall
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/nghttp2'
  unixtime: '1565768614'
  user: adam