nghttp2 is an implementation of the Hypertext Transfer Protocol
version 2 in C. The nghttp2 library prior to version 1.61.0 keeps
reading an unbounded number of HTTP/2 CONTINUATION frames even
after a stream is reset, to keep the HPACK context in sync. This
causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0
mitigates this vulnerability by limiting the number of CONTINUATION
frames it accepts per stream. There is no workaround for this
vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28182
(From OE-Core rev: 85e65af4727695d61c225a5911325764f423c331)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
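The CONTINUATION cap described above, as an added example that is not nghttp2's own code: a toy HTTP/2 frame scanner in Python that keeps counting CONTINUATION frames of the open header block even after an RST_STREAM on that stream, and rejects the block once an assumed cap is exceeded. The frame builder, the cap value of 8 and the test vectors are constructed for this example.

```python
import struct

# HTTP/2 frame types and flags from RFC 9113, section 6.
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4

def frame(ftype, flags, stream_id, payload=b""):
    # One frame: 24-bit length, type, flags, 31-bit stream id, payload.
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def check_header_blocks(data, max_continuations=8):
    """Scan raw frames and count the CONTINUATION frames of each header block.
    max_continuations is an assumed cap standing in for the per-stream limit that
    nghttp2 1.61.0 introduced. The count keeps running after RST_STREAM: the block
    must still reach the HPACK decoder to keep its context in sync, so the cap, not
    the stream state, is what bounds the decode work. Returns the largest count."""
    block_stream = None  # stream id of the header block currently open, if any
    count = largest = pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if ftype == HEADERS:
            block_stream = None if flags & END_HEADERS else stream_id
            count = 0
        elif ftype == CONTINUATION:
            if stream_id != block_stream:  # RFC 9113 6.10: PROTOCOL_ERROR
                raise ValueError("CONTINUATION outside an open header block")
            count += 1
            if count > max_continuations:
                raise ValueError(f"CONTINUATION flood on stream {stream_id}")
            largest = max(largest, count)
            if flags & END_HEADERS:
                block_stream = None
        pos += 9 + length  # RST_STREAM falls through: a reset does not close the block
    return largest

def flood_result(n_continuations, reset_mid_block, cap=8):
    """Constructed block of n CONTINUATION frames on stream 1, optionally with an
    RST_STREAM(CANCEL) injected after the first one; returns the guard's verdict."""
    frames = [frame(HEADERS, 0, 1, b"\x82")]  # HPACK indexed field ':method: GET'
    for i in range(n_continuations):
        if reset_mid_block and i == 1:
            frames.append(frame(RST_STREAM, 0, 1, struct.pack(">I", 8)))
        end = END_HEADERS if i == n_continuations - 1 else 0
        frames.append(frame(CONTINUATION, end, 1, b"\x00"))
    try:
        return "accepted", check_header_blocks(b"".join(frames), cap)
    except ValueError as exc:
        return "rejected", str(exc)
```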
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in
the wild in August through October 2023.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
72b4af6143
(From OE-Core rev: 0156b57dcdb2e5acdd9421a7c24c235f13da2d97)
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Envoy is a cloud-native high-performance edge/middle/service
proxy. Envoy’s HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving `RST_STREAM` immediately
followed by the `GOAWAY` frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the
`GOAWAY` frame skips de-allocation of the bookkeeping structure
and pending compressed header. The error return [code path] is
taken if the connection is already marked for not sending more
requests due to the `GOAWAY` frame. The clean-up code is right after
the return statement, causing a memory leak. Denial of service
through memory exhaustion. This vulnerability was patched in
version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-35945
https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
(From OE-Core rev: 0e6eb0f417079eaf76b003973c9d93338e6363b5)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
By default there is nothing in nghttp2-client and nghttp2-server, so nghttp2-client
and nghttp2-server aren't created. So there are dependency errors if the
main package is installed.
Problem: conflicting requests
- nothing provides nghttp2-client >= 1.52.0 needed by nghttp2-1.52.0-r0.core2_64
- nothing provides nghttp2-server >= 1.52.0 needed by nghttp2-1.52.0-r0.core2_64
Upstream-Status: Backport [OE-core d2cbe060955c598bd81923ecd554fbe82c17af99]
(From OE-Core rev: 619a643f71eceab73bbbe4dacd1eb42b6d6b01d1)
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
=========
lib: Fix decoder table size update (GH-1667)
lib: chore: fix -Wunreachable-code-return (GH-1625)
build: Make Docker speak HTTP/3 (GH-1657)
build: Remove SPDY option for CMake (GH-1665)
build: cmake: Disable libbpf build by default
doc: Fix typos (GH-1668)
doc: Update nghttp2.pyx (GH-1666)
h2load: Handle EAGAIN/EWOULDBLOCK from sendmsg
h2load: allow setting max frame size for h2load (GH-1640)
nghttpx: Add --require-http-scheme option
nghttpx: Add support QUIC BBR2
nghttpx: Bump libbpf to v0.7.0 and turn on all strict features
nghttpx: Change qlog file extension to .sqlog
nghttpx: Fix bug that h3 stream ends prematurely
nghttpx: Fix the issue that forwarded h3 GET request always has chunked TE
nghttpx: Handle EAGAIN/EWOULDBLOCK from sendmsg
nghttpx: Send and receive ECN in QUIC packets
nghttpx: Set IP_PMTUDISC_DO explicitly
nghttpx: Support h3 trailer fields
nghttpx: fix quotes in --altsvc example (GH-1643)
nghttpx: shrpx: make nghttpx -v show ngtcp2 and nghttp3 version as well (GH-1636)
third-party: Bump llhttp to v6.0.6
(From OE-Core rev: e4d54bb9d070a342c32ce863a45c01302c9de4f9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update the package name to fix the following error:
ERROR: Required build target 'lib32-core-image-minimal' has no buildable providers.
Missing or unbuildable dependency chain was: ['lib32-core-image-minimal', 'lib32-libnghttp2']
For a lib32 image, lib{PN} will be expanded as lib32-liblib32-nghttp2, so
the above error occurs; update lib{PN} to lib{BPN} to fix it.
(From OE-Core rev: 23b87e315962b8cb79219e7782c24b6700ebeff4)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>