nghttp2.org

HTTP/2 C library and tools

Nghttp2 v1.31.1

We have released nghttp2 v1.31.1.

This release addresses the following security issue.

Security Advisory

CVE-2018-1000168: Denial of service due to NULL pointer dereference.

Vulnerability

If an ALTSVC frame is received by libnghttp2 and it is larger than the maximum frame size it accepts, the pointer field that points to the ALTSVC frame payload is left NULL. Later, libnghttp2 attempts to access another field through that pointer and gets a segmentation fault.

The ALTSVC frame is defined in RFC 7838.

The largest frame size libnghttp2 accepts is 16384 bytes by default.

Receiving ALTSVC frames is disabled by default. The application has to enable it explicitly by calling nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

Transmission of ALTSVC frames is always enabled and does not cause this vulnerability.

As defined in RFC 7838, ALTSVC frames are sent by the server and received by the client.

Both clients and servers are affected by this vulnerability if reception of ALTSVC frames is enabled. As written above, enabling reception of ALTSVC frames on the server side is useless, so a server is generally safe unless the application accidentally enabled it.
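The defect class described above (an oversized frame is skipped, but a frame object with a NULL payload pointer is still handed on and later dereferenced) can be modelled in a few lines. The following is an added, constructed example and not libnghttp2's code: the names altsvc_frame, altsvc_recv_unsafe, altsvc_recv_checked and altsvc_origin_len are assumptions for illustration; only the 16384-byte default limit and the RFC 7838 payload layout (a 16-bit Origin-Len followed by the origin) come from the page and the RFC. The checked variant refuses the frame before any field is populated, and the field reader rejects a missing payload instead of dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the advisory's defect class; not libnghttp2 code.
 * The 16384-byte default limit is the value stated in the advisory. */
#define MAX_FRAME_SIZE 16384

/* RFC 7838 ALTSVC payload: Origin-Len (16 bits), Origin, Alt-Svc-Field-Value. */
struct altsvc_frame {
    size_t len;             /* payload length as announced by the frame header */
    const uint8_t *payload; /* NULL when no payload has been accepted */
};

/* Buggy pattern (hypothetical): the oversized frame is "skipped", but the
 * frame object is still filled in with payload == NULL and passed on. Any
 * later field access through payload is then a NULL pointer dereference. */
void altsvc_recv_unsafe(const uint8_t *buf, size_t len, struct altsvc_frame *f)
{
    f->len = len;
    f->payload = len > MAX_FRAME_SIZE ? NULL : buf;
}

/* Hardened pattern: validate the size first, leave the frame object empty and
 * report an error so the caller never sees a half-initialised frame. */
int altsvc_recv_checked(const uint8_t *buf, size_t len, struct altsvc_frame *f)
{
    f->len = 0;
    f->payload = NULL;
    if (buf == NULL || len > MAX_FRAME_SIZE) {
        return -1; /* too large (or absent): refused outright */
    }
    f->len = len;
    f->payload = buf;
    return 0;
}

/* Read Origin-Len defensively: -1 when the payload is missing or too short. */
int altsvc_origin_len(const struct altsvc_frame *f)
{
    if (f->payload == NULL || f->len < 2) {
        return -1;
    }
    return (f->payload[0] << 8) | f->payload[1];
}

/* Constructed sample payload: Origin-Len = 11 followed by "example.com". */
int demo_valid_frame(void)
{
    static const uint8_t sample[] = {0x00, 0x0b, 'e', 'x', 'a', 'm', 'p',
                                     'l', 'e', '.', 'c', 'o', 'm'};
    struct altsvc_frame f;
    if (altsvc_recv_checked(sample, sizeof(sample), &f) != 0) {
        return -1;
    }
    return altsvc_origin_len(&f); /* 11 */
}

/* Constructed oversized payload, one byte over the limit. Returns 1 when the
 * checked path refuses it and the later field read is rejected rather than
 * dereferencing NULL. */
int demo_oversized_frame(void)
{
    static uint8_t big[MAX_FRAME_SIZE + 1]; /* zero-filled, size is what matters */
    struct altsvc_frame f;
    int rc = altsvc_recv_checked(big, sizeof(big), &f);
    return rc == -1 && f.payload == NULL && altsvc_origin_len(&f) == -1;
}

/* Shows what the unsafe path leaves behind: a frame that claims a length but
 * carries no payload. Returns 1 when that inconsistent state is observed. */
int demo_unsafe_leaves_null(void)
{
    static uint8_t big[MAX_FRAME_SIZE + 1];
    struct altsvc_frame f;
    altsvc_recv_unsafe(big, sizeof(big), &f);
    return f.payload == NULL && f.len == sizeof(big);
}

int main(void)
{
    printf("valid frame, Origin-Len = %d\n", demo_valid_frame());
    printf("oversized frame refused safely: %d\n", demo_oversized_frame());
    printf("unsafe path leaves NULL payload: %d\n", demo_unsafe_leaves_null());
    return 0;
}
```

The point of the checked variant is that size validation and field access are decoupled: a frame that fails validation never reaches code that reads through its pointer, and the reader itself still treats a NULL payload as an error rather than trusting the caller.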

Affected Versions

  • Affected versions: nghttp2 >= v1.10.0 and nghttp2 <= v1.31.0
  • Not affected versions: nghttp2 >= v1.31.1

The Solution

Upgrade to nghttp2 v1.31.1.

If upgrading is not possible:

For clients, disable ALTSVC reception by removing the call to nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

For servers, which are never expected to receive ALTSVC frames, simply remove the call to nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

Time Line

The issue was first reported to the nghttp2 team on April 4, 2018.

nghttp2 v1.31.1 was released on April 12, 2018.

Credits

Reported by Jordan Zebor at F5 Networks and James M Snell from the Node.js project. Fixed by the nghttp2 team.

Thank you to everyone involved.

This security advisory format is inspired by the curl/libcurl project.

Nghttp2 v1.31.0

We have released nghttp2 v1.31.0.

lib

nghttp2_session_set_user_data() has been added to set new user data on an nghttp2_session.

nghttpx

The option --verify-client-tolerate-expired has been added, which makes nghttpx accept expired client certificates.

tls_client_not_before and tls_client_not_after are now available to mruby scripting. They return the NotBefore and NotAfter of the client certificate, respectively.

Nghttp2 v1.30.0

We have released nghttp2 v1.30.0.

lib

This release fixes a bug so that PING frames can be sent after GOAWAY.

nghttpx

This release fixes the bug that the set_header method in mruby scripts wrongly overwrote other header fields.

The upgrade-scheme parameter has been added to the backend option to work around the issue that some backend servers require the HTTP/2 :scheme pseudo-header field value to be https.

This release fixes the bug that ALPN validation did not occur if the client did not send the TLS ALPN extension.

To be more compliant with RFC 8297, nghttpx now remembers which resources have been pushed per single request.

Nghttp2 v1.29.0

We have released nghttp2 v1.29.0.

lib

NGHTTP2_REFUSED_STREAM is now used as the error code passed to nghttp2_on_stream_close_callback for streams that are closed by GOAWAY, to indicate that they can be safely retried.

build

SPDY-related code has been completely removed.

nghttpx

The commit that broke load balancing among HTTP/2 backends in some situations has been reverted.

The default value of --api-max-request-body option has been increased to 32MiB.

The time to load a large number of backend options has been greatly reduced.

The crash with the --backend-http-proxy-uri option has been fixed.

Nghttp2 v1.28.0

We have released nghttp2 v1.28.0.

lib

The nghttp2_error_callback2 callback function has been added. It is an extended version of the existing nghttp2_error_callback; the new callback takes an additional parameter that indicates the error code. nghttp2_error_callback is now deprecated.

build

This release officially deprecates spdylay support. The next release, v1.29.0, will remove all SPDY-related code.

nghttpx

Cookie-based session affinity has been implemented. To use it, specify affinity=cookie in the backend option. The affinity-cookie-name parameter must also be specified to give the cookie a name. affinity-cookie-path and affinity-cookie-secure control the Path and Secure attributes of the cookie, respectively.

The bug that a backend connection might stall on retry has been fixed.

The existing TLS-related variables available to the access log are now also exposed to the mruby Env object. This release also adds new TLS-related variables: $tls_client_fingerprint_sha256, $tls_client_fingerprint_sha1, $tls_client_subject_name, $tls_client_issuer_name, and $tls_client_serial. They are available to both mruby and the access log.

Nghttp2 v1.27.0

We have released nghttp2 v1.27.0.

build

LazyHamster fixed an accidental compiler flag concatenation for MSVC.

Mike Lothian sent us a patch reducing the libxml2 version requirement to 2.6.26.

libnghttp2_asio

Daniel Evers added libnghttp2_asio support for Windows / MinGW.

h2load

HTTP/2 header fields are now printed with the --verbose option.

nghttpx

An HTTP non-final response is now sent only to HTTP/1.1 or HTTP/2 clients.

Nghttp2 v1.26.0

We have released nghttp2 v1.26.0.

h2load

Soham Sinha added timing-based load testing to h2load. This new method performs load testing for a given duration instead of a pre-defined number of requests. The new option --duration specifies how long the load test runs. For example, --duration=10 makes h2load run the load test against a server for 10 seconds. You can also specify a "warming-up" period with --warm-up-time. If --duration is used, the -n option is ignored.

Nghttp2 v1.25.0

We have released nghttp2 v1.25.0.

Library

Anna Henningsen added the nghttp2_rcbuf_is_static() API function, which checks whether the underlying buffer is statically allocated, to save an extra allocation.

nghttpx

mruby has been updated to v1.3.0.

The bug that the Forwarded header field was not affected by the PROXY protocol was fixed.

Nghttp2 v1.24.0

We have released nghttp2 v1.24.0.

Documentation

We have received several patches to fix grammar and typos.

The broken out-of-tree build has also been fixed.

nghttp

We fixed the bug that HTTP Upgrade fails if the HTTP response does not have a reason-phrase.

nghttpx

The default minimum TLS version is now TLSv1.2, because the default cipher list only contains cipher suites that are compatible with it.

Nghttp2 v1.23.1

We have released nghttp2 v1.23.1.

This release fixes the bug that made nghttpx crash during OCSP response verification with certain kinds of OCSP responses.