UbuntuUpdates.org

Package "nghttp2"

Name: nghttp2

Description:

server, proxy and client implementing HTTP/2

Latest version: 1.59.0-1ubuntu0.4
Release: noble (24.04)
Level: security
Repository: universe
Homepage: https://nghttp2.org/

Links


Download "nghttp2"


Other versions of "nghttp2" in Noble

Repository Area Version
base universe 1.59.0-1build4
base main 1.59.0-1build4
security main 1.59.0-1ubuntu0.4
updates main 1.59.0-1ubuntu0.4
updates universe 1.59.0-1ubuntu0.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.59.0-1ubuntu0.4 2026-07-02 15:07:37 UTC

  nghttp2 (1.59.0-1ubuntu0.4) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP request/response smuggling issue
    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP
      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,
      src/shrpx_http2_upstream.cc, src/shrpx_http3_upstream.cc,
      src/shrpx_http_downstream_connection.cc,
      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.
    - CVE-2026-58055

 -- Marc Deslauriers <email address hidden> Tue, 30 Jun 2026 12:44:46 -0400

Source diff to previous version
CVE-2026-58055 nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-ali

Version: 1.59.0-1ubuntu0.3 2026-05-05 18:07:36 UTC

  nghttp2 (1.59.0-1ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: Denial of service through assertion failure.
    - debian/patches/CVE-2026-27135-pre1.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135-pre2.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135-post1.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - CVE-2026-27135

 -- Hlib Korzhynskyy <email address hidden> Mon, 27 Apr 2026 17:35:02 -0230

Source diff to previous version
CVE-2026-27135 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incomi

Version: 1.59.0-1ubuntu0.1 2024-05-07 17:07:19 UTC

  nghttp2 (1.59.0-1ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 protocol denial of service
    - debian/patches/CVE-2024-28182-1.patch: Add
      nghttp2_option_set_max_continuations
    - debian/patches/CVE-2024-28182-2.patch: Limit CONTINUATION frames
      following an incoming HEADER frame
    - CVE-2024-28182

 -- Fabian Toepfer <email address hidden> Mon, 06 May 2024 18:02:10 +0200

CVE-2024-28182 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbound



About   -   Send Feedback to @ubuntu_updates