Hello community, here is the log from the commit of package nghttp2 for openSUSE:Factory checked in at 2019-08-27 15:21:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nghttp2 (Old) and /work/SRC/openSUSE:Factory/.nghttp2.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nghttp2" Tue Aug 27 15:21:51 2019 rev:59 rq:724584 version:1.39.2 Changes: -------- --- /work/SRC/openSUSE:Factory/nghttp2/nghttp2.changes 2019-08-16 15:30:10.133969350 +0200 +++ /work/SRC/openSUSE:Factory/.nghttp2.new.7948/nghttp2.changes 2019-08-27 15:21:54.384825159 +0200 @@ -1,0 +2,20 @@ +Mon Aug 19 12:27:38 UTC 2019 - Martin Pluskal <[email protected]> + +- Require correct library from devel package - boo#1125689 + +------------------------------------------------------------------- +Mon Aug 19 12:02:09 UTC 2019 - Adam Majer <[email protected]> + +- Update to version 1.39.2 (bsc#1146184, bsc#1146182): + * This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 + “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 + frames cause Denial of Service by consuming CPU time. Check out + https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md + for details. For nghttpx, additionally limiting inbound traffic by + --read-rate and --read-burst options is quite effective against + this kind of attack. + + * Add nghttp2_option_set_max_outbound_ack API function + * nghttpx: Fix request stall + +------------------------------------------------------------------- Old: ---- nghttp2-1.39.1.tar.xz New: ---- nghttp2-1.39.2.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nghttp2.spec ++++++ --- /var/tmp/diff_new_pack.1kR8u7/_old 2019-08-27 15:21:54.816824941 +0200 +++ /var/tmp/diff_new_pack.1kR8u7/_new 2019-08-27 15:21:54.820824939 +0200 @@ -29,7 +29,7 @@ %bcond_with python %endif Name: nghttp2%{psuffix} -Version: 1.39.1 +Version: 1.39.2 Release: 0 Summary: Implementation of Hypertext Transfer Protocol version 2 in C License: MIT @@ -105,7 +105,7 @@ %package -n %{soname}-devel Summary: Development files for nghttp2 Group: Development/Languages/C and C++ -Requires: %{soname_asio}%{sover_asio} = %{version} +Requires: %{soname}-%{sover} = %{version} Provides: %{name}-devel %description -n %{soname}-devel ++++++ nghttp2-1.39.1.tar.xz -> nghttp2-1.39.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/CMakeLists.txt new/nghttp2-1.39.2/CMakeLists.txt --- old/nghttp2-1.39.1/CMakeLists.txt 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/CMakeLists.txt 2019-08-14 01:28:42.000000000 +0200 @@ -24,13 +24,13 @@ cmake_minimum_required(VERSION 3.0) # XXX using 1.8.90 instead of 1.9.0-DEV -project(nghttp2 VERSION 1.39.1) +project(nghttp2 VERSION 1.39.2) # See versioning rule: # http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html -set(LT_CURRENT 31) -set(LT_REVISION 4) -set(LT_AGE 17) +set(LT_CURRENT 32) +set(LT_REVISION 0) +set(LT_AGE 18) set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH}) include(Version) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/ChangeLog new/nghttp2-1.39.2/ChangeLog --- old/nghttp2-1.39.1/ChangeLog 2019-06-11 16:23:00.000000000 +0200 +++ new/nghttp2-1.39.2/ChangeLog 2019-08-14 01:29:04.000000000 +0200 @@ -1,23 +1,33 @@ -commit 7ffc239b5fe03325e6cec872941bebdbc586d850 (HEAD, tag: v1.39.1, origin/v1.39.x, origin/HEAD, v1.39.x) +commit 957abacf9920a42becdf1935d14ca48d260bb8e7 (HEAD, tag: v1.39.2, origin/v1.39.x, origin/HEAD, v1.39.x) Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2019-06-11 +AuthorDate: 2019-08-13 Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2019-06-11 +CommitDate: 2019-08-13 - Bump up version number to 1.39.1 + Bump up version number to 1.39.2, LT revision to 32:0:18 -commit bc886a0e0d15ee33611dc32eae9b987df65b8936 +commit 83d362c6d21f76599b86e7b94cd1992288a1d43c Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2019-06-11 +AuthorDate: 2019-06-25 Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2019-06-11 +CommitDate: 2019-08-13 - Fix FPE with default backend + Don't read too greedily -commit a3a14a9cde3c1aa5e82b69d796ee394dfdb84962 +commit a76d0723b5f52902139ff453e0ec840673e86e75 Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2019-06-11 +AuthorDate: 2019-06-25 Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2019-06-11 +CommitDate: 2019-08-13 - Fix log-level is not set with cmd-line or configuration file + Add nghttp2_option_set_max_outbound_ack + +commit db2f612a30d54aa152ce5530fa1d683738baa4d1 +Author: Tatsuhiro Tsujikawa <[email protected]> +AuthorDate: 2019-08-06 +Commit: Tatsuhiro Tsujikawa <[email protected]> +CommitDate: 2019-08-13 + + nghttpx: Fix request stall + + Fix request stall if backend connection is reused and buffer is full. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/aclocal.m4 new/nghttp2-1.39.2/aclocal.m4 --- old/nghttp2-1.39.1/aclocal.m4 2019-06-11 16:23:10.000000000 +0200 +++ new/nghttp2-1.39.2/aclocal.m4 2019-08-14 01:29:19.000000000 +0200 @@ -21,7 +21,7 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.])]) dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29) +dnl serial 11 (pkg-config-0.29.1) dnl dnl Copyright © 2004 Scott James Remnant <[email protected]>. dnl Copyright © 2012-2015 Dan Nicholson <[email protected]> @@ -63,7 +63,7 @@ dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun([PKG_PREREQ], -[m4_define([PKG_MACROS_VERSION], [0.29]) +[m4_define([PKG_MACROS_VERSION], [0.29.1]) m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) ])dnl PKG_PREREQ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/configure new/nghttp2-1.39.2/configure --- old/nghttp2-1.39.1/configure 2019-06-11 16:23:11.000000000 +0200 +++ new/nghttp2-1.39.2/configure 2019-08-14 01:29:20.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for nghttp2 1.39.1. +# Generated by GNU Autoconf 2.69 for nghttp2 1.39.2. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='nghttp2' PACKAGE_TARNAME='nghttp2' -PACKAGE_VERSION='1.39.1' -PACKAGE_STRING='nghttp2 1.39.1' +PACKAGE_VERSION='1.39.2' +PACKAGE_STRING='nghttp2 1.39.2' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1464,7 +1464,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures nghttp2 1.39.1 to adapt to many kinds of systems. +\`configure' configures nghttp2 1.39.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1536,7 +1536,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of nghttp2 1.39.1:";; + short | recursive ) echo "Configuration of nghttp2 1.39.2:";; esac cat <<\_ACEOF @@ -1732,7 +1732,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -nghttp2 configure 1.39.1 +nghttp2 configure 1.39.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2692,7 +2692,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by nghttp2 $as_me 1.39.1, which was +It was created by nghttp2 $as_me 1.39.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -8551,6 +8551,12 @@ lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -12657,7 +12663,7 @@ # Define the identity of the package. PACKAGE='nghttp2' - VERSION='1.39.1' + VERSION='1.39.2' cat >>confdefs.h <<_ACEOF @@ -12919,11 +12925,11 @@ AM_BACKSLASH='\' -LT_CURRENT=31 +LT_CURRENT=32 -LT_REVISION=4 +LT_REVISION=0 -LT_AGE=17 +LT_AGE=18 major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/^0-9//g"` @@ -24916,7 +24922,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nghttp2 $as_me 1.39.1, which was +This file was extended by nghttp2 $as_me 1.39.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -24982,7 +24988,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nghttp2 config.status 1.39.1 +nghttp2 config.status 1.39.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/configure.ac new/nghttp2-1.39.2/configure.ac --- old/nghttp2-1.39.1/configure.ac 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/configure.ac 2019-08-14 01:28:42.000000000 +0200 @@ -25,7 +25,7 @@ dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html AC_PREREQ(2.61) -AC_INIT([nghttp2], [1.39.1], [[email protected]]) +AC_INIT([nghttp2], [1.39.2], [[email protected]]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h]) @@ -44,9 +44,9 @@ dnl See versioning rule: dnl http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html -AC_SUBST(LT_CURRENT, 31) -AC_SUBST(LT_REVISION, 4) -AC_SUBST(LT_AGE, 17) +AC_SUBST(LT_CURRENT, 32) +AC_SUBST(LT_REVISION, 0) +AC_SUBST(LT_AGE, 18) major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/[^0-9]//g"` minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/[^0-9]//g"` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/doc/Makefile.am new/nghttp2-1.39.2/doc/Makefile.am --- old/nghttp2-1.39.1/doc/Makefile.am 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/doc/Makefile.am 2019-08-14 01:28:42.000000000 +0200 @@ -67,6 +67,7 @@ nghttp2_option_set_no_recv_client_magic.rst \ nghttp2_option_set_peer_max_concurrent_streams.rst \ nghttp2_option_set_user_recv_extension_type.rst \ + nghttp2_option_set_max_outbound_ack.rst \ nghttp2_pack_settings_payload.rst \ nghttp2_priority_spec_check_default.rst \ nghttp2_priority_spec_default_init.rst \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/doc/Makefile.in new/nghttp2-1.39.2/doc/Makefile.in --- old/nghttp2-1.39.1/doc/Makefile.in 2019-06-11 16:23:11.000000000 +0200 +++ new/nghttp2-1.39.2/doc/Makefile.in 2019-08-14 01:29:21.000000000 +0200 @@ -424,6 +424,7 @@ nghttp2_option_set_no_recv_client_magic.rst \ nghttp2_option_set_peer_max_concurrent_streams.rst \ nghttp2_option_set_user_recv_extension_type.rst \ + nghttp2_option_set_max_outbound_ack.rst \ nghttp2_pack_settings_payload.rst \ nghttp2_priority_spec_check_default.rst \ nghttp2_priority_spec_default_init.rst \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/doc/nghttp2_option_set_max_outbound_ack.rst new/nghttp2-1.39.2/doc/nghttp2_option_set_max_outbound_ack.rst --- old/nghttp2-1.39.1/doc/nghttp2_option_set_max_outbound_ack.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/nghttp2-1.39.2/doc/nghttp2_option_set_max_outbound_ack.rst 2019-08-14 01:29:36.000000000 +0200 @@ -0,0 +1,16 @@ + +nghttp2_option_set_max_outbound_ack +=================================== + +Synopsis +-------- + +*#include <nghttp2/nghttp2.h>* + +.. function:: void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, size_t val) + + + This function sets the maximum number of outgoing SETTINGS ACK and + PING ACK frames retained in :type:`nghttp2_session` object. If + more than those frames are retained, the peer is considered to be + misbehaving and session will be closed. The default value is 1000. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/integration-tests/nghttpx_http1_test.go new/nghttp2-1.39.2/integration-tests/nghttpx_http1_test.go --- old/nghttp2-1.39.1/integration-tests/nghttpx_http1_test.go 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/integration-tests/nghttpx_http1_test.go 2019-08-14 01:28:42.000000000 +0200 @@ -625,6 +625,35 @@ } } +// TestH1H1POSTRequests tests that server can handle 2 requests with +// request body. +func TestH1H1POSTRequests(t *testing.T) { + st := newServerTester(nil, t, noopHandler) + defer st.Close() + + res, err := st.http1(requestParam{ + name: "TestH1H1POSTRequestsNo1", + body: make([]byte, 1), + }) + if err != nil { + t.Fatalf("Error st.http1() = %v", err) + } + if got, want := res.status, 200; got != want { + t.Errorf("res.status: %v; want %v", got, want) + } + + res, err = st.http1(requestParam{ + name: "TestH1H1POSTRequestsNo2", + body: make([]byte, 65536), + }) + if err != nil { + t.Fatalf("Error st.http1() = %v", err) + } + if got, want := res.status, 200; got != want { + t.Errorf("res.status: %v; want %v", got, want) + } +} + // // TestH1H2ConnectFailure tests that server handles the situation that // // connection attempt to HTTP/2 backend failed. // func TestH1H2ConnectFailure(t *testing.T) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/integration-tests/server_tester.go new/nghttp2-1.39.2/integration-tests/server_tester.go --- old/nghttp2-1.39.1/integration-tests/server_tester.go 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/integration-tests/server_tester.go 2019-08-14 01:28:42.000000000 +0200 @@ -662,7 +662,9 @@ return h2 } -func noopHandler(w http.ResponseWriter, r *http.Request) {} +func noopHandler(w http.ResponseWriter, r *http.Request) { + ioutil.ReadAll(r.Body) +} type APIResponse struct { Status string `json:"status,omitempty"` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/integration-tests/setenv new/nghttp2-1.39.2/integration-tests/setenv --- old/nghttp2-1.39.1/integration-tests/setenv 2019-06-11 16:23:17.000000000 +0200 +++ new/nghttp2-1.39.2/integration-tests/setenv 2019-08-14 01:29:34.000000000 +0200 @@ -1,11 +1,11 @@ #!/bin/sh -e -libdir="/mnt/nghttp2/lib" +libdir="/home/tatsuhiro/workspace/nghttp2-release/lib" if [ -d "$libdir/.libs" ]; then libdir="$libdir/.libs" fi -export CGO_CFLAGS="-I/mnt/nghttp2/lib/includes -I/mnt/nghttp2/lib/includes" +export CGO_CFLAGS="-I/home/tatsuhiro/workspace/nghttp2-release/lib/includes -I/home/tatsuhiro/workspace/nghttp2-release/lib/includes" export CGO_LDFLAGS="-L$libdir" export LD_LIBRARY_PATH="$libdir" export GODEBUG=cgocheck=0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/lib/includes/nghttp2/nghttp2.h new/nghttp2-1.39.2/lib/includes/nghttp2/nghttp2.h --- old/nghttp2-1.39.1/lib/includes/nghttp2/nghttp2.h 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/lib/includes/nghttp2/nghttp2.h 2019-08-14 01:28:42.000000000 +0200 @@ -2651,6 +2651,17 @@ /** * @function * + * This function sets the maximum number of outgoing SETTINGS ACK and + * PING ACK frames retained in :type:`nghttp2_session` object. If + * more than those frames are retained, the peer is considered to be + * misbehaving and session will be closed. The default value is 1000. + */ +NGHTTP2_EXTERN void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, + size_t val); + +/** + * @function + * * Initializes |*session_ptr| for client use. The all members of * |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr| * does not store |callbacks|. The |user_data| is an arbitrary user diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/lib/includes/nghttp2/nghttp2ver.h new/nghttp2-1.39.2/lib/includes/nghttp2/nghttp2ver.h --- old/nghttp2-1.39.1/lib/includes/nghttp2/nghttp2ver.h 2019-06-11 16:23:17.000000000 +0200 +++ new/nghttp2-1.39.2/lib/includes/nghttp2/nghttp2ver.h 2019-08-14 01:29:34.000000000 +0200 @@ -29,7 +29,7 @@ * @macro * Version number of the nghttp2 library release */ -#define NGHTTP2_VERSION "1.39.1" +#define NGHTTP2_VERSION "1.39.2" /** * @macro @@ -37,6 +37,6 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define NGHTTP2_VERSION_NUM 0x012701 +#define NGHTTP2_VERSION_NUM 0x012702 #endif /* NGHTTP2VER_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/lib/nghttp2_option.c new/nghttp2-1.39.2/lib/nghttp2_option.c --- old/nghttp2-1.39.1/lib/nghttp2_option.c 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/lib/nghttp2_option.c 2019-08-14 01:28:42.000000000 +0200 @@ -116,3 +116,8 @@ option->opt_set_mask |= NGHTTP2_OPT_NO_CLOSED_STREAMS; option->no_closed_streams = val; } + +void nghttp2_option_set_max_outbound_ack(nghttp2_option *option, size_t val) { + option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK; + option->max_outbound_ack = val; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/lib/nghttp2_option.h new/nghttp2-1.39.2/lib/nghttp2_option.h --- old/nghttp2-1.39.1/lib/nghttp2_option.h 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/lib/nghttp2_option.h 2019-08-14 01:28:42.000000000 +0200 @@ -66,6 +66,7 @@ NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH = 1 << 8, NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9, NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10, + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, } nghttp2_option_flag; /** @@ -81,6 +82,10 @@ */ size_t max_deflate_dynamic_table_size; /** + * NGHTTP2_OPT_MAX_OUTBOUND_ACK + */ + size_t max_outbound_ack; + /** * Bitwise OR of nghttp2_option_flag to determine that which fields * are specified. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/lib/nghttp2_session.c new/nghttp2-1.39.2/lib/nghttp2_session.c --- old/nghttp2-1.39.1/lib/nghttp2_session.c 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/lib/nghttp2_session.c 2019-08-14 01:28:42.000000000 +0200 @@ -457,6 +457,7 @@ (*session_ptr)->remote_settings.max_concurrent_streams = 100; (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; if (option) { if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && @@ -516,6 +517,10 @@ option->no_closed_streams) { (*session_ptr)->opt_flags |= NGHTTP2_OPTMASK_NO_CLOSED_STREAMS; } + + if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) { + (*session_ptr)->max_outbound_ack = option->max_outbound_ack; + } } rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, @@ -6857,7 +6862,7 @@ mem = &session->mem; if ((flags & NGHTTP2_FLAG_ACK) && - session->obq_flood_counter_ >= NGHTTP2_MAX_OBQ_FLOOD_ITEM) { + session->obq_flood_counter_ >= session->max_outbound_ack) { return NGHTTP2_ERR_FLOODED; } @@ -7002,7 +7007,7 @@ return NGHTTP2_ERR_INVALID_ARGUMENT; } - if (session->obq_flood_counter_ >= NGHTTP2_MAX_OBQ_FLOOD_ITEM) { + if (session->obq_flood_counter_ >= session->max_outbound_ack) { return NGHTTP2_ERR_FLOODED; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/lib/nghttp2_session.h new/nghttp2-1.39.2/lib/nghttp2_session.h --- old/nghttp2-1.39.1/lib/nghttp2_session.h 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/lib/nghttp2_session.h 2019-08-14 01:28:42.000000000 +0200 @@ -97,7 +97,7 @@ response frames are stacked up, which leads to memory exhaustion. The value selected here is arbitrary, but safe value and if we have these frames in this number, it is considered suspicious. */ -#define NGHTTP2_MAX_OBQ_FLOOD_ITEM 10000 +#define NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM 1000 /* The default value of maximum number of concurrent streams. */ #define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu @@ -258,8 +258,12 @@ size_t num_idle_streams; /* The number of bytes allocated for nvbuf */ size_t nvbuflen; - /* Counter for detecting flooding in outbound queue */ + /* Counter for detecting flooding in outbound queue. If it exceeds + max_outbound_ack, session will be closed. */ size_t obq_flood_counter_; + /* The maximum number of outgoing SETTINGS ACK and PING ACK in + outbound queue. */ + size_t max_outbound_ack; /* The maximum length of header block to send. Calculated by the same way as nghttp2_hd_deflate_bound() does. */ size_t max_send_header_block_length; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/ltmain.sh new/nghttp2-1.39.2/ltmain.sh --- old/nghttp2-1.39.1/ltmain.sh 2019-06-11 16:23:08.000000000 +0200 +++ new/nghttp2-1.39.2/ltmain.sh 2019-08-14 01:29:17.000000000 +0200 @@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-6" +VERSION="2.4.6 Debian-2.4.6-10" package_revision=2.4.6 @@ -64,7 +64,7 @@ # libraries, which are installed to $pkgauxdir. # Set a version string for this script. -scriptversion=2015-10-04.22; # UTC +scriptversion=2015-01-20.17; # UTC # General shell script boiler plate, and helper functions. # Written by Gary V. Vaughan, 2004 @@ -1091,57 +1091,6 @@ } -# func_quote ARG -# -------------- -# Aesthetically quote one ARG, store the result into $func_quote_result. Note -# that we keep attention to performance here (so far O(N) complexity as long as -# func_append is O(1)). -func_quote () -{ - $debug_cmd - - func_quote_result=$1 - - case $func_quote_result in - *[\\\`\"\$]*) - case $func_quote_result in - *[\[\*\?]*) - func_quote_result=`$ECHO "$func_quote_result" | $SED "$sed_quote_subst"` - return 0 - ;; - esac - - func_quote_old_IFS=$IFS - for _G_char in '\' '`' '"' '$' - do - # STATE($1) PREV($2) SEPARATOR($3) - set start "" "" - func_quote_result=dummy"$_G_char$func_quote_result$_G_char"dummy - IFS=$_G_char - for _G_part in $func_quote_result - do - case $1 in - quote) - func_append func_quote_result "$3$2" - set quote "$_G_part" "\\$_G_char" - ;; - start) - set first "" "" - func_quote_result= - ;; - first) - set quote "$_G_part" "" - ;; - esac - done - IFS=$func_quote_old_IFS - done - ;; - *) ;; - esac -} - - # func_quote_for_eval ARG... # -------------------------- # Aesthetically quote ARGs to be evaled later. @@ -1158,8 +1107,12 @@ func_quote_for_eval_unquoted_result= func_quote_for_eval_result= while test 0 -lt $#; do - func_quote "$1" - _G_unquoted_arg=$func_quote_result + case $1 in + *[\\\`\"\$]*) + _G_unquoted_arg=`printf '%s\n' "$1" |$SED "$sed_quote_subst"` ;; + *) + _G_unquoted_arg=$1 ;; + esac if test -n "$func_quote_for_eval_unquoted_result"; then func_append func_quote_for_eval_unquoted_result " $_G_unquoted_arg" else @@ -2188,7 +2141,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-6 + version: $progname $scriptversion Debian-2.4.6-10 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` @@ -5397,8 +5350,7 @@ if test \"\$libtool_execute_magic\" != \"$magic\"; then file=\"\$0\"" - func_quote "$ECHO" - qECHO=$func_quote_result + qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"` $ECHO "\ # A function that is used when there is no print builtin or printf. @@ -7415,10 +7367,11 @@ # -specs=* GCC specs files # -stdlib=* select c++ std lib with clang # -fsanitize=* Clang/GCC memory and address sanitizer + # -fuse-ld=* Linker select flags for GCC -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \ - -specs=*|-fsanitize=*) + -specs=*|-fsanitize=*|-fuse-ld=*) func_quote_for_eval "$arg" arg=$func_quote_for_eval_result func_append compile_command " $arg" @@ -10655,8 +10608,8 @@ relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" fi done - func_quote "(cd `pwd`; $relink_command)" - relink_command=$func_quote_result + relink_command="(cd `pwd`; $relink_command)" + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` fi # Only actually do things if not in dry run mode. @@ -10902,8 +10855,7 @@ done # Quote the link command for shipping. relink_command="(cd `pwd`; $SHELL \"$progpath\" $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" - func_quote "$relink_command" - relink_command=$func_quote_result + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` if test yes = "$hardcode_automatic"; then relink_command= fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/m4/libtool.m4 new/nghttp2-1.39.2/m4/libtool.m4 --- old/nghttp2-1.39.1/m4/libtool.m4 2019-06-11 16:23:08.000000000 +0200 +++ new/nghttp2-1.39.2/m4/libtool.m4 2019-08-14 01:29:17.000000000 +0200 @@ -4704,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/python/Makefile.in new/nghttp2-1.39.2/python/Makefile.in --- old/nghttp2-1.39.1/python/Makefile.in 2019-06-11 16:23:11.000000000 +0200 +++ new/nghttp2-1.39.2/python/Makefile.in 2019-08-14 01:29:21.000000000 +0200 @@ -449,8 +449,8 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@ENABLE_PYTHON_BINDINGS_FALSE@install-exec-local: @ENABLE_PYTHON_BINDINGS_FALSE@uninstall-local: +@ENABLE_PYTHON_BINDINGS_FALSE@install-exec-local: @ENABLE_PYTHON_BINDINGS_FALSE@clean-local: clean: clean-am diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/src/HttpServer.cc new/nghttp2-1.39.2/src/HttpServer.cc --- old/nghttp2-1.39.1/src/HttpServer.cc 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/src/HttpServer.cc 2019-08-14 01:28:42.000000000 +0200 @@ -650,6 +650,7 @@ } return -1; } + break; } return write_(*this); @@ -775,6 +776,7 @@ } return -1; } + break; } fin: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/src/shrpx_client_handler.cc new/nghttp2-1.39.2/src/shrpx_client_handler.cc --- old/nghttp2-1.39.1/src/shrpx_client_handler.cc 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/src/shrpx_client_handler.cc 2019-08-14 01:28:43.000000000 +0200 @@ -111,6 +111,7 @@ int ClientHandler::noop() { return 0; } int ClientHandler::read_clear() { + auto should_break = false; rb_.ensure_chunk(); for (;;) { if (rb_.rleft() && on_read() != 0) { @@ -123,7 +124,7 @@ return 0; } - if (!ev_is_active(&conn_.rev)) { + if (!ev_is_active(&conn_.rev) || should_break) { return 0; } @@ -141,6 +142,7 @@ } rb_.write(nread); + should_break = true; } } @@ -205,6 +207,8 @@ } int ClientHandler::read_tls() { + auto should_break = false; + ERR_clear_error(); rb_.ensure_chunk(); @@ -221,7 +225,7 @@ return 0; } - if (!ev_is_active(&conn_.rev)) { + if (!ev_is_active(&conn_.rev) || should_break) { return 0; } @@ -239,6 +243,7 @@ } rb_.write(nread); + should_break = true; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/src/shrpx_downstream.cc new/nghttp2-1.39.2/src/shrpx_downstream.cc --- old/nghttp2-1.39.1/src/shrpx_downstream.cc 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/src/shrpx_downstream.cc 2019-08-14 01:28:43.000000000 +0200 @@ -144,7 +144,8 @@ request_header_sent_(false), accesslog_written_(false), new_affinity_cookie_(false), - blocked_request_data_eof_(false) { + blocked_request_data_eof_(false), + expect_100_continue_(false) { auto &timeoutconf = get_config()->http2.timeout; @@ -857,6 +858,11 @@ chunked_request_ = true; } } + + auto expect = req_.fs.header(http2::HD_EXPECT); + expect_100_continue_ = + expect && + util::strieq(expect->value, StringRef::from_lit("100-continue")); } void Downstream::inspect_http1_response() { @@ -1159,4 +1165,8 @@ void Downstream::set_ws_key(const StringRef &key) { ws_key_ = key; } +bool Downstream::get_expect_100_continue() const { + return expect_100_continue_; +} + } // namespace shrpx diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/src/shrpx_downstream.h new/nghttp2-1.39.2/src/shrpx_downstream.h --- old/nghttp2-1.39.1/src/shrpx_downstream.h 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/src/shrpx_downstream.h 2019-08-14 01:28:43.000000000 +0200 @@ -511,6 +511,8 @@ void set_ws_key(const StringRef &key); + bool get_expect_100_continue() const; + enum { EVENT_ERROR = 0x1, EVENT_TIMEOUT = 0x2, @@ -602,6 +604,8 @@ // true if eof is received from client before sending header fields // to backend. bool blocked_request_data_eof_; + // true if request contains "expect: 100-continue" header field. + bool expect_100_continue_; }; } // namespace shrpx diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/src/shrpx_http_downstream_connection.cc new/nghttp2-1.39.2/src/shrpx_http_downstream_connection.cc --- old/nghttp2-1.39.1/src/shrpx_http_downstream_connection.cc 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/src/shrpx_http_downstream_connection.cc 2019-08-14 01:28:43.000000000 +0200 @@ -694,7 +694,8 @@ // enables us to send headers and data in one writev system call. if (req.method == HTTP_CONNECT || downstream_->get_blocked_request_buf()->rleft() || - (!req.http2_expect_body && req.fs.content_length == 0)) { + (!req.http2_expect_body && req.fs.content_length == 0) || + downstream_->get_expect_100_continue()) { signal_write(); } @@ -1177,6 +1178,19 @@ auto buf = downstream_->get_blocked_request_buf(); buf->reset(); + // upstream->resume_read() might be called in + // write_tls()/write_clear(), but before blocked_request_buf_ is + // reset. So upstream read might still be blocked. Let's do it + // again here. + auto input = downstream_->get_request_buf(); + if (input->rleft() == 0) { + auto upstream = downstream_->get_upstream(); + auto &req = downstream_->request(); + + upstream->resume_read(SHRPX_NO_BUFFER, downstream_, + req.unconsumed_body_length); + } + return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/src/shrpx_https_upstream.cc new/nghttp2-1.39.2/src/shrpx_https_upstream.cc --- old/nghttp2-1.39.1/src/shrpx_https_upstream.cc 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/src/shrpx_https_upstream.cc 2019-08-14 01:28:43.000000000 +0200 @@ -505,9 +505,7 @@ // and let them decide whether responds with 100 Continue or not. // For alternative mode, we have no backend, so just send 100 // Continue here to make the client happy. - auto expect = req.fs.header(http2::HD_EXPECT); - if (expect && - util::strieq(expect->value, StringRef::from_lit("100-continue"))) { + if (downstream->get_expect_100_continue()) { auto output = downstream->get_response_buf(); constexpr auto res = StringRef::from_lit("HTTP/1.1 100 Continue\r\n\r\n"); output->append(res); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nghttp2-1.39.1/tests/nghttp2_session_test.c new/nghttp2-1.39.2/tests/nghttp2_session_test.c --- old/nghttp2-1.39.1/tests/nghttp2_session_test.c 2019-06-11 16:22:51.000000000 +0200 +++ new/nghttp2-1.39.2/tests/nghttp2_session_test.c 2019-08-14 01:28:43.000000000 +0200 @@ -10002,7 +10002,7 @@ buf = &bufs.head->buf; - for (i = 0; i < NGHTTP2_MAX_OBQ_FLOOD_ITEM; ++i) { + for (i = 0; i < NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++i) { CU_ASSERT( (ssize_t)nghttp2_buf_len(buf) == nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf))); @@ -10024,7 +10024,7 @@ buf = &bufs.head->buf; - for (i = 0; i < NGHTTP2_MAX_OBQ_FLOOD_ITEM; ++i) { + for (i = 0; i < NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++i) { CU_ASSERT( (ssize_t)nghttp2_buf_len(buf) == nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)));
