Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package perl-Protocol-HTTP2 for 
openSUSE:Factory checked in at 2026-06-09 14:14:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-Protocol-HTTP2 (Old)
 and      /work/SRC/openSUSE:Factory/.perl-Protocol-HTTP2.new.2375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-Protocol-HTTP2"

Tue Jun  9 14:14:11 2026 rev:5 rq:1357991 version:1.130.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-Protocol-HTTP2/perl-Protocol-HTTP2.changes  
2026-03-13 21:15:49.994930745 +0100
+++ 
/work/SRC/openSUSE:Factory/.perl-Protocol-HTTP2.new.2375/perl-Protocol-HTTP2.changes
        2026-06-09 14:14:40.790623708 +0200
@@ -1,0 +2,11 @@
+Mon Jun  8 09:59:01 UTC 2026 - Tina Müller <[email protected]>
+
+- updated to 1.130.0 (1.13)
+   see /usr/share/doc/packages/perl-Protocol-HTTP2/Changes
+
+  1.13 2026-06-07T09:19:24Z
+      - security fix: CVE-2026-10725 - HTTP/2 Bomb, a remote denial-of-service
+        (reported by Robert Rothenberg, CPAN Security Group)
+        bsc#1267857
+
+-------------------------------------------------------------------

Old:
----
  Protocol-HTTP2-1.12.tar.gz

New:
----
  Protocol-HTTP2-1.13.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-Protocol-HTTP2.spec ++++++
--- /var/tmp/diff_new_pack.58kVbM/_old  2026-06-09 14:14:42.354689485 +0200
+++ /var/tmp/diff_new_pack.58kVbM/_new  2026-06-09 14:14:42.354689485 +0200
@@ -18,10 +18,10 @@
 
 %define cpan_name Protocol-HTTP2
 Name:           perl-Protocol-HTTP2
-Version:        1.120.0
+Version:        1.130.0
 Release:        0
-# 1.12 -> normalize -> 1.120.0
-%define cpan_version 1.12
+# 1.13 -> normalize -> 1.130.0
+%define cpan_version 1.13
 License:        Artistic-1.0 OR GPL-1.0-or-later
 Summary:        HTTP/2 protocol implementation (RFC 7540)
 URL:            https://metacpan.org/release/%{cpan_name}

++++++ Protocol-HTTP2-1.12.tar.gz -> Protocol-HTTP2-1.13.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/Changes 
new/Protocol-HTTP2-1.13/Changes
--- old/Protocol-HTTP2-1.12/Changes     2026-02-14 13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/Changes     2026-06-07 11:19:25.000000000 +0200
@@ -1,5 +1,9 @@
 Revision history for Perl extension Protocol-HTTP2
 
+1.13 2026-06-07T09:19:24Z
+    - security fix: CVE-2026-10725 - HTTP/2 Bomb, a remote denial-of-service
+      (reported by Robert Rothenberg, CPAN Security Group)
+
 1.12 2026-02-14T12:55:50Z
     - fix: incorrect END_HEADERS flag on CONTINUATION frames (#18) (Daniil 
Bondarev)
     - fix: arriving continuation frame overwrite the existing header buffer
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/MANIFEST 
new/Protocol-HTTP2-1.13/MANIFEST
--- old/Protocol-HTTP2-1.12/MANIFEST    2026-02-14 13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/MANIFEST    2026-06-07 11:19:25.000000000 +0200
@@ -53,6 +53,7 @@
 t/12_leaks.t
 t/13_request_with_body.t
 t/14_keepalive.t
+t/15_headersize.t
 t/lib/PH2ClientServerTest.pm
 t/lib/PH2Test.pm
 META.yml
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/META.json 
new/Protocol-HTTP2-1.13/META.json
--- old/Protocol-HTTP2-1.12/META.json   2026-02-14 13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/META.json   2026-06-07 11:19:25.000000000 +0200
@@ -63,7 +63,7 @@
    "provides" : {
       "Protocol::HTTP2" : {
          "file" : "lib/Protocol/HTTP2.pm",
-         "version" : "1.12"
+         "version" : "1.13"
       },
       "Protocol::HTTP2::Client" : {
          "file" : "lib/Protocol/HTTP2/Client.pm"
@@ -147,7 +147,7 @@
          "web" : "https://github.com/vlet/p5-Protocol-HTTP2";
       }
    },
-   "version" : "1.12",
+   "version" : "1.13",
    "x_contributors" : [
       "Daniil Bondarev <[email protected]>",
       "Daniil Bondarev <[email protected]>",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/META.yml 
new/Protocol-HTTP2-1.13/META.yml
--- old/Protocol-HTTP2-1.12/META.yml    2026-02-14 13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/META.yml    2026-06-07 11:19:25.000000000 +0200
@@ -30,7 +30,7 @@
 provides:
   Protocol::HTTP2:
     file: lib/Protocol/HTTP2.pm
-    version: '1.12'
+    version: '1.13'
   Protocol::HTTP2::Client:
     file: lib/Protocol/HTTP2/Client.pm
   Protocol::HTTP2::Connection:
@@ -85,7 +85,7 @@
   bugtracker: https://github.com/vlet/p5-Protocol-HTTP2/issues
   homepage: https://github.com/vlet/p5-Protocol-HTTP2
   repository: https://github.com/vlet/p5-Protocol-HTTP2.git
-version: '1.12'
+version: '1.13'
 x_contributors:
   - 'Daniil Bondarev <[email protected]>'
   - 'Daniil Bondarev <[email protected]>'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/examples/client-io-socket-ssl.pl 
new/Protocol-HTTP2-1.13/examples/client-io-socket-ssl.pl
--- old/Protocol-HTTP2-1.12/examples/client-io-socket-ssl.pl    2026-02-14 
13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/examples/client-io-socket-ssl.pl    2026-06-07 
11:19:25.000000000 +0200
@@ -39,10 +39,10 @@
     PeerPort => $port,
 
     # openssl 1.0.1 support only NPN
-    SSL_npn_protocols => ['h2'],
+    #SSL_npn_protocols => ['h2'],
 
     # openssl 1.0.2 also have ALPN
-    #SSL_alpn_protocols => ['h2'],
+    SSL_alpn_protocols => ['h2'],
 ) or die $!;
 
 # non blocking
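Review bot: The comments left above the two options no longer match what is enabled: `# openssl 1.0.1 support only NPN` now heads a commented-out line, and `# openssl 1.0.2 also have ALPN` heads the only active one. A reader copying this example gets no hint that ALPN is now the required negotiation path. Consider rewording to something like `# ALPN (openssl >= 1.0.2) is used to negotiate h2` and `# NPN is obsolete; enable only for legacy peers`. The same applies to the identical hunk in examples/server-io-socket-ssl.pl.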
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/examples/server-io-socket-ssl.pl 
new/Protocol-HTTP2-1.13/examples/server-io-socket-ssl.pl
--- old/Protocol-HTTP2-1.12/examples/server-io-socket-ssl.pl    2026-02-14 
13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/examples/server-io-socket-ssl.pl    2026-06-07 
11:19:25.000000000 +0200
@@ -12,10 +12,10 @@
     SSL_key_file  => 'test.key',
 
     # openssl 1.0.1 support only NPN
-    SSL_npn_protocols => ['h2'],
+    #SSL_npn_protocols => ['h2'],
 
     # openssl 1.0.2 also have ALPN
-    #SSL_alpn_protocols => ['h2'],
+    SSL_alpn_protocols => ['h2'],
 ) or die $!;
 
 # Accept client connection
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Protocol-HTTP2-1.12/lib/Protocol/HTTP2/Frame/Continuation.pm 
new/Protocol-HTTP2-1.13/lib/Protocol/HTTP2/Frame/Continuation.pm
--- old/Protocol-HTTP2-1.12/lib/Protocol/HTTP2/Frame/Continuation.pm    
2026-02-14 13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/lib/Protocol/HTTP2/Frame/Continuation.pm    
2026-06-07 11:19:25.000000000 +0200
@@ -1,7 +1,7 @@
 package Protocol::HTTP2::Frame::Continuation;
 use strict;
 use warnings;
-use Protocol::HTTP2::Constants qw(:flags :errors);
+use Protocol::HTTP2::Constants qw(:flags :errors :settings);
 use Protocol::HTTP2::Trace qw(tracer);
 
 sub decode {
@@ -17,9 +17,19 @@
         $con->error(PROTOCOL_ERROR);
         return undef;
     }
+    if (
+        # Headers compressed size already exceeded decompressed limit
+        length( $con->stream_header_block( $frame_ref->{stream} ) ) + $length >
+        $con->dec_setting(SETTINGS_MAX_HEADER_LIST_SIZE)
+      )
+    {
+        $con->error(ENHANCE_YOUR_CALM);
+        return undef;
+    }
 
     $con->stream_header_block_add( $frame_ref->{stream},
-        substr( $$buf_ref, $buf_offset, $length ) );
+        substr( $$buf_ref, $buf_offset, $length ) )
+      or return undef;
 
     # Stream header block complete
     $con->stream_headers_done( $frame_ref->{stream} )
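Review bot: The new `or return undef` after `stream_header_block_add(...)` leaves decode without calling `$con->error(...)`, unlike the PROTOCOL_ERROR and ENHANCE_YOUR_CALM exits above it in this hunk, and it depends on that method returning a true value on success. `stream_header_block_add` is not part of this diff, so its return convention, and whether it records a connection error itself, should be confirmed. If it does, a comment such as `# stream_header_block_add has already set the connection error` would make this exit readable. The comment `# Headers compressed size already exceeded decompressed limit` would also read better above the `if` than inside its condition. decode's body starts and ends outside the hunk.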
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Protocol-HTTP2-1.12/lib/Protocol/HTTP2/HeaderCompression.pm 
new/Protocol-HTTP2-1.13/lib/Protocol/HTTP2/HeaderCompression.pm
--- old/Protocol-HTTP2-1.12/lib/Protocol/HTTP2/HeaderCompression.pm     
2026-02-14 13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/lib/Protocol/HTTP2/HeaderCompression.pm     
2026-06-07 11:19:25.000000000 +0200
@@ -139,6 +139,7 @@
     my $eh = $context->{emitted_headers};
 
     my $offset = 0;
+    my $hsize  = 0;
 
     while ( $offset < $length ) {
 
@@ -163,6 +164,7 @@
             # Static table or Header Table entry
             if ( $index <= @stable ) {
                 my ( $key, $value ) = @{ $stable[ $index - 1 ] };
+                $hsize += length($key) + length($value) + 32;
                 push @$eh, $key, $value;
                 tracer->debug("$key = $value\n");
             }
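Review bot: The per-entry overhead `+ 32` is an unexplained literal here, and it is repeated in the three following hunks (the dynamic-table branch and both literal-header branches). It matches the 32-octet per-field overhead that RFC 7540 section 6.5.2 defines for SETTINGS_MAX_HEADER_LIST_SIZE, but nothing in the code says so. Four copies of the same expression are easy to let drift apart in a later change, which would weaken the limit on one path only. Consider one comment at the first use, `# RFC 7540 6.5.2: size = name + value + 32 octets per field`, or a small private helper that all four sites call. The enclosing decode routine starts and ends outside these hunks.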
@@ -177,6 +179,7 @@
             else {
                 my $kv_ref = $ht->[ $index - @stable - 1 ];
 
+                $hsize += length( $kv_ref->[0] ) + length( $kv_ref->[1] ) + 32;
                 push @$eh, @$kv_ref;
                 tracer->debug("$kv_ref->[0] = $kv_ref->[1]\n");
             }
@@ -209,6 +212,7 @@
             last unless $value_size;
 
             # Emitting header
+            $hsize += length($key) + length($value) + 32;
             push @$eh, $key, $value;
 
             # Add to index
@@ -252,6 +256,7 @@
             }
 
             # Emitting header
+            $hsize += length($key) + length($value) + 32;
             push @$eh, $key, $value;
 
             # Add to index
@@ -300,6 +305,16 @@
             $con->error(COMPRESSION_ERROR);
             return undef;
         }
+
+        # Check header limit
+        if ( $hsize > $context->{settings}->{&SETTINGS_MAX_HEADER_LIST_SIZE} ) 
{
+            tracer->error( "Headers size has exceeded the allowed limit: "
+                  . $hsize
+                  . "\n" );
+            $con->error(ENHANCE_YOUR_CALM);
+            return undef;
+        }
+
     }
 
     if ( $offset != $length ) {
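Review bot: The limit check reads `$context->{settings}->{&SETTINGS_MAX_HEADER_LIST_SIZE}` on every loop iteration with no defined-ness guard, and where that setting gets its default is not visible in this diff. If the key can ever be absent, `$hsize > undef` warns and behaves as `$hsize > 0`, so every header block would be rejected with ENHANCE_YOUR_CALM. Hoisting the lookup into `my $limit = ...;` before the `while` and adding a comment that says where the default is set would make that assumption explicit. The check also runs after the header has been pushed to `@$eh` and indexed, so the bound is enforced one entry late; that looks acceptable but deserves a short comment. Continuation.pm reads the same setting through `$con->dec_setting(...)`, so it is worth confirming that both paths see the same value.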
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/lib/Protocol/HTTP2.pm 
new/Protocol-HTTP2-1.13/lib/Protocol/HTTP2.pm
--- old/Protocol-HTTP2-1.12/lib/Protocol/HTTP2.pm       2026-02-14 
13:56:01.000000000 +0100
+++ new/Protocol-HTTP2-1.13/lib/Protocol/HTTP2.pm       2026-06-07 
11:19:25.000000000 +0200
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-our $VERSION = "1.12";
+our $VERSION = "1.13";
 
 sub ident_plain {
     'h2c';
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Protocol-HTTP2-1.12/t/15_headersize.t 
new/Protocol-HTTP2-1.13/t/15_headersize.t
--- old/Protocol-HTTP2-1.12/t/15_headersize.t   1970-01-01 01:00:00.000000000 
+0100
+++ new/Protocol-HTTP2-1.13/t/15_headersize.t   2026-06-07 11:19:25.000000000 
+0200
@@ -0,0 +1,74 @@
+use strict;
+use warnings;
+use Test::More;
+use Protocol::HTTP2::Client;
+use Protocol::HTTP2::Server;
+use Protocol::HTTP2::Constants qw(:errors :settings :limits);
+use lib 't/lib';
+use PH2Test qw(fake_connect random_string);
+
+subtest 'hpack bomb' => sub {
+
+    plan tests => 1;
+    my $hc = 2000;
+
+    my $server;
+    $server = Protocol::HTTP2::Server->new(
+        on_error => sub {
+            my $error = shift;
+            is $error, &ENHANCE_YOUR_CALM, "ENHANCE_YOUR_CALM error";
+        },
+        on_request => sub {
+            ok 0, "request should not have been received"
+        }
+    );
+
+    my $client = Protocol::HTTP2::Client->new;
+    $client->request(
+        ':scheme'    => 'http',
+        ':authority' => 'localhost:8000',
+        ':path'      => '/',
+        ':method' => 'GET',
+        headers   => [ ('a' => '')x$hc ],
+    );
+
+    fake_connect( $server, $client );
+};
+
+subtest 'change settings' => sub {
+
+    plan tests => 3;
+    my $hc = 2000;
+
+    my $server;
+    $server = Protocol::HTTP2::Server->new(
+        settings => {
+            &SETTINGS_MAX_HEADER_LIST_SIZE => $hc*33 + 200
+        },
+        on_error => sub {
+            my $error = shift;
+            ok 0, "should be no error";
+        },
+        on_request => sub {
+            my ( $stream_id, $headers, $data ) = @_;
+            my %h = (@$headers);
+            is $#$headers, 2*($hc+4)-1, "2*($hc + 4) headers";
+            is keys %h, 5, "merged in 1 + 4 headers";
+            ok exists $h{b}, "b header";
+        }
+    );
+
+    my $client = Protocol::HTTP2::Client->new;
+    $client->request(
+        ':scheme'    => 'http',
+        ':authority' => 'localhost:8000',
+        ':path'      => '/',
+        ':method' => 'GET',
+        headers   => [ ('b' => '')x$hc ],
+    );
+
+    fake_connect( $server, $client );
+};
+
+
+done_testing;
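Review bot: Both subtests send 2000 tiny headers, which likely fit in a single HEADERS frame, so they appear to exercise only the decoded-size check in HeaderCompression.pm. The compressed-size guard added to Frame/Continuation.pm then has no regression test in this release. A comment at the top of the file such as `# covers the decoded header-list limit only; the CONTINUATION compressed-size check is not exercised here` would record that gap until a subtest with a header block spanning CONTINUATION frames is added. `random_string` is imported from PH2Test but not used anywhere in the file, so `use PH2Test qw(fake_connect);` would be enough.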

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.58kVbM/_old  2026-06-09 14:14:42.578698905 +0200
+++ /var/tmp/diff_new_pack.58kVbM/_new  2026-06-09 14:14:42.582699073 +0200
@@ -1,6 +1,6 @@
-mtime: 1771135887
-commit: 842b86b185b72c226b7ae08bc26a4b06493f5b62c7f177a82c3597461c1d4337
-url: https://src.opensuse.org/perl/perl-Protocol-HTTP2.git
-revision: 842b86b185b72c226b7ae08bc26a4b06493f5b62c7f177a82c3597461c1d4337
+mtime: 1780924302
+commit: 854effe3e4f0832ffd56637db81b30c7363de61beed5ec5754ca08299e62c02c
+url: https://src.opensuse.org/perl/perl-Protocol-HTTP2
+revision: 854effe3e4f0832ffd56637db81b30c7363de61beed5ec5754ca08299e62c02c
 projectscmsync: https://src.opensuse.org/perl/_ObsPrj
 

++++++ build.specials.obscpio ++++++

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-06-08 15:11:42.000000000 +0200
@@ -0,0 +1 @@
+.osc
