--- - branch: MAIN date: Tue Jun 2 19:12:55 UTC 2020 files: - new: '1.63' old: '1.62' path: pkgsrc/www/nghttp2/Makefile pathrev: pkgsrc/www/nghttp2/Makefile@1.63 type: modified - new: '1.2' old: '1.1' path: pkgsrc/www/nghttp2/Makefile.common pathrev: pkgsrc/www/nghttp2/Makefile.common@1.2 type: modified - new: '1.44' old: '1.43' path: pkgsrc/www/nghttp2/distinfo pathrev: pkgsrc/www/nghttp2/distinfo@1.44 type: modified - new: '1.4' old: '1.3' path: pkgsrc/www/nghttp2-tools/Makefile pathrev: pkgsrc/www/nghttp2-tools/Makefile@1.4 type: modified id: 20200602T191255Z.9c565e24e56f7f4fee30f9e4aac00da4cc581fef log: | nghttp2: updated to 1.14.0 Nghttp2 v1.41.0 Security Advisory CVE-2020-11080: Denial of service: Overly large SETTINGS frames For more information, read the security advisory. lib This release implements nghttp2_option_set_max_settings API which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves SETTINGS flood check earlier to make it more effective. The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is default), after window size is set to 0 by nghttp2_session_set_local_window_size, once the receiving window is exhausted, even after window size is increased by nghttp2_session_set_local_window_size, no more data cannot be received. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. It is only triggered when new data arrives but since window is filled up, no more data cannot be received, thus dead lock happens. build With cmake build, the hard-coded static lib suffix is now optional. nghttpx proxyprotocol v2 has been implemented. The bug in getting certificate serial number with mruby script has been fixed. h2load New option, --connect-to, is added. module: pkgsrc subject: 'CVS commit: pkgsrc/www' unixtime: '1591125175' user: adam