Register | Log in

nghttp2

server, proxy and client implementing HTTP/2

Choose email to subscribe with

general

source: nghttp2 (main)
version: 1.68.0-2
maintainer: Tomasz Buchert (DMD)
uploaders: Ondřej Surý [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.43.0-1+deb11u1
o-o-sec: 1.43.0-1+deb11u2
oldstable: 1.52.0-1+deb12u2
old-sec: 1.52.0-1+deb12u1
stable: 1.64.0-1.1
testing: 1.68.0-2
unstable: 1.68.0-2

versioned links

1.43.0-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.43.0-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.52.0-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.52.0-1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.64.0-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.68.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnghttp2-14
libnghttp2-dev (1 bugs: 0, 0, 1, 0)
libnghttp2-doc
nghttp2
nghttp2-client
nghttp2-proxy
nghttp2-server

action needed

A new upstream version is available: 1.68.1 high

A new upstream version 1.68.1 is available, you should consider packaging it.

Created: 2026-03-21 Last update: 2026-03-29 05:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-27135: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Created: 2026-03-19 Last update: 2026-03-20 17:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-27135: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Created: 2026-03-19 Last update: 2026-03-20 17:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-27135: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Created: 2026-03-19 Last update: 2026-03-20 17:30

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-27135: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Created: 2026-03-19 Last update: 2026-03-20 17:30

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-27135: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Created: 2026-03-19 Last update: 2026-03-20 17:30

lintian reports 11 warnings normal

Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-02-26 Last update: 2026-02-26 05:01

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2026-02-21 09:32

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 1.68.0-2 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-02-26 11:00

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[2026-03-08] nghttp2 1.68.0-2 MIGRATED to testing (Debian testing watch)
[2026-02-24] Accepted nghttp2 1.68.0-2 (source) into unstable (Tomasz Buchert)
[2026-02-07] Accepted nghttp2 1.68.0-1 (source) into unstable (Tomasz Buchert)
[2025-04-27] nghttp2 1.64.0-1.1 MIGRATED to testing (Debian testing watch)
[2025-04-16] Accepted nghttp2 1.64.0-1.1 (source) into unstable (Maximiliano Curia)
[2024-11-01] nghttp2 1.64.0-1 MIGRATED to testing (Debian testing watch)
[2024-10-29] Accepted nghttp2 1.64.0-1 (source) into unstable (Tomasz Buchert)
[2024-09-29] Accepted nghttp2 1.52.0-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-09-27] Accepted nghttp2 1.43.0-1+deb11u2 (source) into oldstable-security (Adrian Bunk)
[2024-09-03] nghttp2 1.63.0-1 MIGRATED to testing (Debian testing watch)
[2024-09-01] Accepted nghttp2 1.63.0-1 (source) into unstable (Tomasz Buchert)
[2024-07-14] nghttp2 1.62.1-2 MIGRATED to testing (Debian testing watch)
[2024-07-10] Accepted nghttp2 1.62.1-2 (source) into unstable (Tomasz Buchert)
[2024-06-13] nghttp2 1.62.1-1 MIGRATED to testing (Debian testing watch)
[2024-06-08] Accepted nghttp2 1.62.1-1 (source) into unstable (Tomasz Buchert)
[2024-05-03] nghttp2 1.61.0-1 MIGRATED to testing (Debian testing watch)
[2024-04-30] Accepted nghttp2 1.36.0-2+deb10u3 (source) into oldoldstable (Guilhem Moulin)
[2024-04-04] Accepted nghttp2 1.61.0-1 (source) into unstable (Tomasz Buchert)
[2024-03-29] Accepted nghttp2 1.60.0-1 (source) into unstable (Tomasz Buchert)
[2024-02-07] nghttp2 1.59.0-1 MIGRATED to testing (Debian testing watch)
[2024-02-02] Accepted nghttp2 1.59.0-1 (source) into unstable (Tomasz Buchert)
[2023-12-13] Accepted nghttp2 1.43.0-1+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2023-12-02] Accepted nghttp2 1.52.0-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2023-12-01] Accepted nghttp2 1.52.0-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2023-12-01] Accepted nghttp2 1.43.0-1+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2023-11-08] nghttp2 1.58.0-1 MIGRATED to testing (Debian testing watch)
[2023-11-04] Accepted nghttp2 1.58.0-1 (source) into unstable (Tomasz Buchert)
[2023-10-17] nghttp2 1.57.0-1 MIGRATED to testing (Debian testing watch)
[2023-10-16] Accepted nghttp2 1.36.0-2+deb10u2 (source) into oldoldstable (Sean Whitton)
[2023-10-15] Accepted nghttp2 1.57.0-1 (source) into unstable (Tomasz Buchert)

1
2

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 11)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.68.0-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing