Register | Log in

nghttp2

server, proxy and client implementing HTTP/2

Choose email to subscribe with

general

source: nghttp2 (main)
version: 1.39.2-1
maintainer: Tomasz Buchert (DMD)
uploaders: Ondřej Surý [DMD]
arch: all any
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.6.4-2
oldstable: 1.18.1-1
old-sec: 1.18.1-1+deb9u1
old-p-u: 1.18.1-1+deb9u1
stable: 1.36.0-2
stable-sec: 1.36.0-2+deb10u1
stable-p-u: 1.36.0-2+deb10u1
testing: 1.39.2-1
unstable: 1.39.2-1

versioned links

0.6.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.18.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.18.1-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.36.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.36.0-2+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.39.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnghttp2-14
libnghttp2-dev
libnghttp2-doc
nghttp2 (1 bugs: 0, 1, 0, 0)
nghttp2-client
nghttp2-proxy
nghttp2-server

action needed

3 security issues in jessie high

There are 3 open security issues in jessie.

2 important issues:

CVE-2019-9511: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9513: Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

1 issue skipped by the security teams:

CVE-2016-1544:

Please fix them.

Created: 2016-02-14 Last update: 2019-09-02 02:19

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

nghttp2 could be marked Multi-Arch: foreign
libnghttp2-dev could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2019-09-16 09:03

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-08-21 Last update: 2019-08-21 11:10

1 ignored security issue in stretch low

There is 1 open security issue in stretch.

1 issue skipped by the security teams:

CVE-2018-1000168: nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

Please fix it.

Created: 2018-04-12 Last update: 2019-09-02 02:19

news

[2019-09-07] Accepted nghttp2 1.18.1-1+deb9u1 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Tomasz Buchert)
[2019-09-07] Accepted nghttp2 1.36.0-2+deb10u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Tomasz Buchert)
[2019-09-01] Accepted nghttp2 1.18.1-1+deb9u1 (source amd64 all) into oldstable->embargoed, oldstable (Tomasz Buchert)
[2019-09-01] Accepted nghttp2 1.36.0-2+deb10u1 (source amd64 all) into stable->embargoed, stable (Tomasz Buchert)
[2019-08-18] nghttp2 1.39.2-1 MIGRATED to testing (Debian testing watch)
[2019-08-15] Accepted nghttp2 1.39.2-1 (source) into unstable (Tomasz Buchert)
[2019-07-09] nghttp2 1.37.0-1 MIGRATED to testing (Debian testing watch)
[2019-06-22] Accepted nghttp2 1.39.1-1 (source) into experimental (Tomasz Buchert)
[2019-05-05] Accepted nghttp2 1.38.0-1 (source) into experimental (Tomasz Buchert)
[2019-03-17] Accepted nghttp2 1.37.0-1 (source) into unstable (Tomasz Buchert)
[2019-02-06] nghttp2 1.36.0-2 MIGRATED to testing (Debian testing watch)
[2019-02-03] Accepted nghttp2 1.36.0-2 (source) into unstable (Tomasz Buchert)
[2019-01-26] nghttp2 1.36.0-1 MIGRATED to testing (Debian testing watch)
[2019-01-23] Accepted nghttp2 1.36.0-1 (source) into unstable (Tomasz Buchert)
[2018-12-17] nghttp2 1.35.1-1 MIGRATED to testing (Debian testing watch)
[2018-12-15] Accepted nghttp2 1.35.1-1 (source) into unstable (Tomasz Buchert)
[2018-11-26] Accepted nghttp2 1.35.0-1 (source) into unstable (Tomasz Buchert)
[2018-10-28] nghttp2 1.34.0-1 MIGRATED to testing (Debian testing watch)
[2018-10-11] Accepted nghttp2 1.34.0-1 (source) into unstable (Tomasz Buchert)
[2018-09-06] Accepted nghttp2 1.33.0-1 (source) into unstable (Tomasz Buchert)
[2018-09-01] Accepted nghttp2 1.32.1-1 (source) into unstable (Tomasz Buchert)
[2018-05-22] nghttp2 1.32.0-1 MIGRATED to testing (Debian testing watch)
[2018-05-19] Accepted nghttp2 1.32.0-1 (source) into unstable (Tomasz Buchert)
[2018-04-27] nghttp2 1.31.1-1 MIGRATED to testing (Debian testing watch)
[2018-04-21] Accepted nghttp2 1.31.1-1 (source) into unstable (Tomasz Buchert)
[2018-03-11] nghttp2 1.31.0-1 MIGRATED to testing (Debian testing watch)
[2018-03-05] Accepted nghttp2 1.31.0-1 (source) into unstable (Tomasz Buchert)
[2018-02-17] nghttp2 1.30.0-1 MIGRATED to testing (Debian testing watch)
[2018-02-12] Accepted nghttp2 1.30.0-1 (source) into unstable (Tomasz Buchert)
[2018-01-07] nghttp2 1.29.0-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 3)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.39.2-1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing