UbuntuUpdates.org

Package "nghttp2-proxy"

Name: nghttp2-proxy

Description:

reverse proxy implementing HTTP/2 protocol

Latest version: 1.43.0-1ubuntu0.4
Release: jammy (22.04)
Level: security
Repository: universe
Head package: nghttp2
Homepage: https://nghttp2.org/

Links


Download "nghttp2-proxy"


Other versions of "nghttp2-proxy" in Jammy

Repository Area Version
base universe 1.43.0-1build3
updates universe 1.43.0-1ubuntu0.4

Changelog

Version: 1.43.0-1ubuntu0.4 2026-07-02 15:07:34 UTC

  nghttp2 (1.43.0-1ubuntu0.4) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP request/response smuggling issue
    - debian/patches/CVE-2026-58055-pre1.patch: nghttpx: Remove trailing white
      spaces from HTTP/1.1 fields in src/shrpx-unittest.cc,
      src/shrpx_downstream.h, src/shrpx_http_downstream_connection.cc,
      src/shrpx_https_upstream.cc, src/util.cc, src/util.h, src/util_test.cc,
      src/util_test.h.
    - debian/patches/CVE-2026-58055-pre2.patch: nghttpx: Stricter transfer-
      encoding checks in integration-tests/nghttpx_http1_test.go, src/http2.cc,
      src/http2.h, src/http2_test.cc, src/http2_test.h, src/shrpx-unittest.cc,
      src/shrpx_downstream.cc, src/shrpx_http_downstream_connection.cc,
      src/shrpx_https_upstream.cc.
    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP
      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,
      src/shrpx_http2_upstream.cc, src/shrpx_http_downstream_connection.cc,
      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.
    - CVE-2026-58055

 -- Marc Deslauriers <email address hidden> Tue, 30 Jun 2026 13:21:48 -0400

Source diff to previous version
CVE-2026-58055 nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-ali

Version: 1.43.0-1ubuntu0.3 2026-05-07 15:07:34 UTC

  nghttp2 (1.43.0-1ubuntu0.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service through assertion failure.
    - debian/patches/CVE-2026-27135-pre1.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135-pre2.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135-post1.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - CVE-2026-27135

 -- Hlib Korzhynskyy <email address hidden> Tue, 28 Apr 2026 16:49:21 -0230

Source diff to previous version
CVE-2026-27135 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incomi

Version: 1.43.0-1ubuntu0.2 2024-04-26 00:07:11 UTC

  nghttp2 (1.43.0-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 protocol denial of service
    - debian/patches/CVE-2024-28182-1.patch: Add
      nghttp2_option_set_max_continuations
    - debian/patches/CVE-2024-28182-2.patch: Limit CONTINUATION frames
      following an incoming HEADER frame
    - CVE-2024-28182

 -- Fabian Toepfer <email address hidden> Thu, 18 Apr 2024 09:14:38 +0200

Source diff to previous version
CVE-2024-28182 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbound

Version: 1.43.0-1ubuntu0.1 2023-11-22 16:07:06 UTC

  nghttp2 (1.43.0-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 protocol denial of service
    - debian/patches/CVE-2023-44487.patch: implement stream reset rate
      limiting.
    - CVE-2023-44487

 -- Marc Deslauriers <email address hidden> Wed, 11 Oct 2023 13:50:35 -0400

CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consum ...



About   -   Send Feedback to @ubuntu_updates