github nghttp2/nghttp2 v1.39.2
nghttp2 v1.39.2

latest releases: v1.61.0-alpha.0, v1.60.0, v1.59.0...
4 years ago

This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

  • Fix CVE-2019-9511 and CVE-2019-9513
  • Add nghttp2_option_set_max_outbound_ack API function
  • nghttpx: Fix request stall

Don't miss a new nghttp2 release

NewReleases is sending notifications on new releases.