diff --git a/.gitignore b/.gitignore index 749452c..adc5f50 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -nghttp2-1.64.0.tar.xz +nghttp2-1.68.0.tar.xz diff --git a/0001-nghttp2-1.64.0-CVE-2026-27135.patch b/0001-nghttp2-1.64.0-CVE-2026-27135.patch deleted file mode 100644 index 289bce8..0000000 --- a/0001-nghttp2-1.64.0-CVE-2026-27135.patch +++ /dev/null @@ -1,144 +0,0 @@ -From 824299d70585afb2fdf7b87ac144343529ee32ae Mon Sep 17 00:00:00 2001 -From: Tatsuhiro Tsujikawa -Date: Wed, 18 Feb 2026 22:40:57 +0900 -Subject: [PATCH] CVE-2026-27135 - -Check nghttp2_is_fatal first - -(cherry picked from commit 68f77a347544c207eeff7ff7457284697ccf7f7d) - -Fix missing iframe->state validations to avoid assertion failure - -(cherry picked from commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1) ---- - lib/nghttp2_session.c | 48 +++++++++++++++++++++++++++++++++++-------- - 1 file changed, 40 insertions(+), 8 deletions(-) - -diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c -index df33a89e..01ed39fb 100644 ---- a/lib/nghttp2_session.c -+++ b/lib/nghttp2_session.c -@@ -5980,6 +5980,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - busy = 1; - - rv = session_on_data_received_fail_fast(session); -+ if (nghttp2_is_fatal(rv)) { -+ return rv; -+ } -+ - if (iframe->state == NGHTTP2_IB_IGN_ALL) { - return (nghttp2_ssize)inlen; - } -@@ -5990,10 +5994,6 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - break; - } - -- if (nghttp2_is_fatal(rv)) { -- return rv; -- } -- - rv = inbound_frame_handle_pad(iframe, &iframe->frame.hd); - if (rv < 0) { - rv = nghttp2_session_terminate_session_with_reason( -@@ -6063,6 +6063,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - return rv; - } - -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } -+ - on_begin_frame_called = 1; - - rv = session_process_headers_frame(session); -@@ -6429,6 +6433,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - if (nghttp2_is_fatal(rv)) { - return rv; - } -+ -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } - } - } - -@@ -6684,6 +6692,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - return rv; - } - -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } -+ - session_inbound_frame_reset(session); - - break; -@@ -6986,6 +6998,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - if (nghttp2_is_fatal(rv)) { - return rv; - } -+ -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } - } else { - iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK; - } -@@ -7151,13 +7167,17 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - rv = session->callbacks.on_data_chunk_recv_callback( - session, iframe->frame.hd.flags, iframe->frame.hd.stream_id, - in - readlen, (size_t)data_readlen, session->user_data); -- if (rv == NGHTTP2_ERR_PAUSE) { -- return (nghttp2_ssize)(in - first); -- } -- - if (nghttp2_is_fatal(rv)) { - return NGHTTP2_ERR_CALLBACK_FAILURE; - } -+ -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } -+ -+ if (rv == NGHTTP2_ERR_PAUSE) { -+ return (nghttp2_ssize)(in - first); -+ } - } - } - } -@@ -7237,6 +7257,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - return rv; - } - -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } -+ - if (rv != 0) { - busy = 1; - -@@ -7255,6 +7279,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - return rv; - } - -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } -+ - session_inbound_frame_reset(session); - - break; -@@ -7283,6 +7311,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, - return rv; - } - -+ if (iframe->state == NGHTTP2_IB_IGN_ALL) { -+ return (nghttp2_ssize)inlen; -+ } -+ - session_inbound_frame_reset(session); - - break; --- -2.53.0 - diff --git a/0001-nghttp2-1.68.0-Check-nghttp2_is_fatal-first.patch b/0001-nghttp2-1.68.0-Check-nghttp2_is_fatal-first.patch new file mode 100644 index 0000000..4088026 --- /dev/null +++ b/0001-nghttp2-1.68.0-Check-nghttp2_is_fatal-first.patch @@ -0,0 +1,57 @@ +From 76ff93e618a763501dfa136a8aef16fd7ba51d62 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Wed, 18 Feb 2026 22:40:57 +0900 +Subject: [PATCH 1/2] Check nghttp2_is_fatal first + +(cherry picked from commit 68f77a347544c207eeff7ff7457284697ccf7f7d) +--- + lib/nghttp2_session.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index 1f4ea54c..bcea5473 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -5466,6 +5466,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + busy = 1; + + rv = session_on_data_received_fail_fast(session); ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ + if (iframe->state == NGHTTP2_IB_IGN_ALL) { + return (nghttp2_ssize)inlen; + } +@@ -5486,10 +5490,6 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + break; + } + +- if (nghttp2_is_fatal(rv)) { +- return rv; +- } +- + rv = inbound_frame_handle_pad(iframe, &iframe->frame.hd); + if (rv < 0) { + rv = nghttp2_session_terminate_session_with_reason( +@@ -6771,13 +6771,13 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + rv = session->callbacks.on_data_chunk_recv_callback( + session, iframe->frame.hd.flags, iframe->frame.hd.stream_id, + in - readlen, (size_t)data_readlen, session->user_data); +- if (rv == NGHTTP2_ERR_PAUSE) { +- return (nghttp2_ssize)(in - first); +- } +- + if (nghttp2_is_fatal(rv)) { + return NGHTTP2_ERR_CALLBACK_FAILURE; + } ++ ++ if (rv == NGHTTP2_ERR_PAUSE) { ++ return (nghttp2_ssize)(in - first); ++ } + } + } + } +-- +2.53.0 + diff --git a/0002-nghttp2-1.68.0-Fix-missing-iframe-state-validations-to-avoid-assert.patch b/0002-nghttp2-1.68.0-Fix-missing-iframe-state-validations-to-avoid-assert.patch new file mode 100644 index 0000000..792102c --- /dev/null +++ b/0002-nghttp2-1.68.0-Fix-missing-iframe-state-validations-to-avoid-assert.patch @@ -0,0 +1,106 @@ +From b21342258a0674686627e98aa2c76e53b2da723b Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Wed, 18 Feb 2026 18:04:30 +0900 +Subject: [PATCH 2/2] Fix missing iframe->state validations to avoid assertion + failure + +(cherry picked from commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1) +--- + lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index bcea5473..0fbcc930 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -5573,6 +5573,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + on_begin_frame_called = 1; + + rv = session_process_headers_frame(session); +@@ -6041,6 +6045,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } + } + +@@ -6293,6 +6301,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -6599,6 +6611,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } else { + iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK; + } +@@ -6775,6 +6791,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return NGHTTP2_ERR_CALLBACK_FAILURE; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + if (rv == NGHTTP2_ERR_PAUSE) { + return (nghttp2_ssize)(in - first); + } +@@ -6861,6 +6881,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + if (rv != 0) { + busy = 1; + +@@ -6879,6 +6903,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -6907,6 +6935,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +-- +2.53.0 + diff --git a/0100-nghttp2-1.64.0-pqc-add-X25519MLKEM768-as-the-default-TLS-key-exchan.patch b/0100-nghttp2-1.64.0-pqc-add-X25519MLKEM768-as-the-default-TLS-key-exchan.patch new file mode 100644 index 0000000..cd94324 --- /dev/null +++ b/0100-nghttp2-1.64.0-pqc-add-X25519MLKEM768-as-the-default-TLS-key-exchan.patch @@ -0,0 +1,145 @@ +From baad2c45f30e31566c08d393779e4e9517ce7c80 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 10 Feb 2026 13:06:41 +0100 +Subject: [PATCH] pqc: add X25519MLKEM768 as the default TLS key exchange group + +Prioritize X25519MLKEM768 (post-quantum hybrid key exchange) in the +default groups configuration for enhanced security against future +quantum computing threats. + +The new default groups order is: +X25519MLKEM768:X25519:P-256:P-384:P-521 + +Signed-off-by: Jan Macku +--- + doc/h2load.1 | 2 +- + doc/h2load.1.rst | 2 +- + doc/nghttpd.1 | 2 +- + doc/nghttpd.1.rst | 2 +- + doc/nghttpx.1 | 2 +- + doc/nghttpx.1.rst | 2 +- + src/HttpServer.cc | 2 +- + src/h2load.cc | 2 +- + src/shrpx.cc | 2 +- + 9 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/doc/h2load.1 b/doc/h2load.1 +index 9a86e51..e202b4b 100644 +--- a/doc/h2load.1 ++++ b/doc/h2load.1 +@@ -325,7 +325,7 @@ Specify request per second for each client. \fI\%\-\-rps\fP and + .B \-\-groups= + Specify the supported groups. + .sp +-Default: \fBX25519:P\-256:P\-384:P\-521\fP ++Default: \fBX25519MLKEM768:X25519:P\-256:P\-384:P\-521\fP + .UNINDENT + .INDENT 0.0 + .TP +diff --git a/doc/h2load.1.rst b/doc/h2load.1.rst +index 5f98ec4..4ab9494 100644 +--- a/doc/h2load.1.rst ++++ b/doc/h2load.1.rst +@@ -276,7 +276,7 @@ OPTIONS + + Specify the supported groups. + +- Default: ``X25519:P-256:P-384:P-521`` ++ Default: ``X25519MLKEM768:X25519:P-256:P-384:P-521`` + + .. option:: --no-udp-gso + +diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 +index 2153208..a9e9328 100644 +--- a/doc/nghttpd.1 ++++ b/doc/nghttpd.1 +@@ -207,7 +207,7 @@ Don\(aqt send content\-length header field. + .B \-\-groups= + Specify the supported groups. + .sp +-Default: \fBX25519:P\-256:P\-384:P\-521\fP ++Default: \fBX25519MLKEM768:X25519:P\-256:P\-384:P\-521\fP + .UNINDENT + .INDENT 0.0 + .TP +diff --git a/doc/nghttpd.1.rst b/doc/nghttpd.1.rst +index a4b07a4..2271a00 100644 +--- a/doc/nghttpd.1.rst ++++ b/doc/nghttpd.1.rst +@@ -163,7 +163,7 @@ OPTIONS + + Specify the supported groups. + +- Default: ``X25519:P-256:P-384:P-521`` ++ Default: ``X25519MLKEM768:X25519:P-256:P-384:P-521`` + + .. option:: --ktls + +diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 +index 05b1db6..6b45562 100644 +--- a/doc/nghttpx.1 ++++ b/doc/nghttpx.1 +@@ -731,7 +731,7 @@ in the preference order. The supported curves depend on + the linked OpenSSL library. This function requires + OpenSSL >= 1.0.2. + .sp +-Default: \fBX25519:P\-256:P\-384:P\-521\fP ++Default: \fBX25519MLKEM768:X25519:P\-256:P\-384:P\-521\fP + .UNINDENT + .INDENT 0.0 + .TP +diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst +index 825bd9f..7d5621f 100644 +--- a/doc/nghttpx.1.rst ++++ b/doc/nghttpx.1.rst +@@ -683,7 +683,7 @@ SSL/TLS + the linked OpenSSL library. This function requires + OpenSSL >= 1.0.2. + +- Default: ``X25519:P-256:P-384:P-521`` ++ Default: ``X25519MLKEM768:X25519:P-256:P-384:P-521`` + + .. option:: -k, --insecure + +diff --git a/src/HttpServer.cc b/src/HttpServer.cc +index 47cb4c4..60bcacd 100644 +--- a/src/HttpServer.cc ++++ b/src/HttpServer.cc +@@ -102,7 +102,7 @@ void print_session_id(int64_t id) { std::cout << "[id=" << id << "] "; } + + Config::Config() + : mime_types_file("/etc/mime.types"), +- groups("X25519:P-256:P-384:P-521"sv), ++ groups("X25519MLKEM768:X25519:P-256:P-384:P-521"sv), + stream_read_timeout(1_min), + stream_write_timeout(1_min), + data_ptr(nullptr), +diff --git a/src/h2load.cc b/src/h2load.cc +index a8db23b..6b0ed7d 100644 +--- a/src/h2load.cc ++++ b/src/h2load.cc +@@ -106,7 +106,7 @@ Config::Config() + : ciphers(tls::DEFAULT_CIPHER_LIST), + tls13_ciphers("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_" + "CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256"), +- groups("X25519:P-256:P-384:P-521"), ++ groups("X25519MLKEM768:X25519:P-256:P-384:P-521"), + data_length(-1), + data(nullptr), + addrs(nullptr), +diff --git a/src/shrpx.cc b/src/shrpx.cc +index f92c825..d5f1f61 100644 +--- a/src/shrpx.cc ++++ b/src/shrpx.cc +@@ -1662,7 +1662,7 @@ void fill_default_config(Config *config) { + tlsconf.max_proto_version = + tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION); + tlsconf.max_early_data = 16_k; +- tlsconf.groups = "X25519:P-256:P-384:P-521"sv; ++ tlsconf.groups = "X25519MLKEM768:X25519:P-256:P-384:P-521"sv; + + auto &httpconf = config->http; + httpconf.server_name = "nghttpx"sv; +-- +2.53.0 + diff --git a/nghttp2-1.64.0.tar.xz.asc b/nghttp2-1.64.0.tar.xz.asc deleted file mode 100644 index ceb64a5..0000000 --- a/nghttp2-1.64.0.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEUWtiKRjRXEeKseo6UzmivoLgfewFAmcWQzsACgkQUzmivoLg -fexT6w/9Eo6PuvGWcYn0e8CbTHDi+BhyCs3AQHPKmuJi19yIeknZd7qcQE1xYryJ -Xef5W1q5+p06kDgFH56Y7wORwCWmtzx5gZLVYNY7qNCCJ0CsMLI2/ypf2L06MLWe -c8dS8DFsvqrSTe3QzPHCP+T7FDp7bfH7gKLoEobhU9v299MseLMUdw06fBTLGqKs -KWhuQ0gD2r1zJfGdX+O5zf97pLYtR/Ch+YGHqcNYCmiIguKpZX+Vg3pHr1vJhqnT -P6LiFVeokI6zeW1YWB0DQNBrGXEx3AZWzR9d9IlA2ijobtItc/lTTUn0zpmqNFiv -E95D29wEQ2MtbCJd/nolIz0YiDn0JpwHBBfkWRNLj7+LqBlebyVwig8nMO453sE9 -vxklm7yONLJDDiU3o8lmUf8IVTX+FpZ3nbbeQkDwTPKU7hvcTojasPMegS4Laiok -sfKIKaMTeYokSD4M++ikyb8c2+Vt4genVIyeUAohlSUhUr4I8E/O36JvfPaA4nTe -S2oNl5iv/0pPQpuXTMcf/MGR3b8HmN0bH4tkowV3sRWLNHeBn6hnlY1sq1ZcegMs -vAqum1CyReyhLfThvXAV7ImjsplNVmshQK4IaXNDYYJyr/wNAgnw41RiO01W+NgX -KbPvx4H1actquW04yYCAAvDcBHfERM71Ye17oTFjoOEeDoQsMJg= -=aykV ------END PGP SIGNATURE----- diff --git a/nghttp2-1.68.0.tar.xz.asc b/nghttp2-1.68.0.tar.xz.asc new file mode 100644 index 0000000..c5a6b6e --- /dev/null +++ b/nghttp2-1.68.0.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEUWtiKRjRXEeKseo6UzmivoLgfewFAmj8jucACgkQUzmivoLg +fezLZRAAmmSMRcYHElTg8oauwfGSZMxtGfrGEQIAbyFWWWln7pErZ45NZKqTTb6f +5JDx/ZOg8Q7d+EzsEKPt2hzrPrCqeMPt8dLpCRNeAxvAO3kePVpQX/79zIbwth/W +7mjUBSz5nfyAp9soamYBfVAkaUBHKZ0YbtK8Qmn8xErCmjIVd+8X6TrgynQXUdl9 +F3WeY+JaHdSfGoUHuAwG+nU6DSaKcxAyqIBPZ1wN52hAY2LE7AVYSK6cmWETizwG +0wpTJutMYUxaiFQ1ql3ztnKxcap0h2eBgUhvoa/+q7agw23dE/+N8VFg7fUhUd/7 +8l3hXYHhzvVZ1ggDlqMEqIXJFV1NkFro3sO2KQyje3H1upO5oNRuI65exzRt7vCR +tKRSC2HHoThNU5T1OtDIS2CLs6+tGLBkzadBsvPFOe4ULHjUbYPCMAnva29Oozdp +h7GnsaWgwNNaE/RupK8IsoPsN7DuHwvKhEUpvxLlo0Ij7RVgJFQcRLVCLW/BJhXG +75IYsS+pq8bY6qh2Gj+vOKhS0Wgywc0IA0Q4WLT5isTr7m4uloV8ofaTLf/g0eMK +06nv2hhaup6fO81KoYg9R3i8IXEa86InRC/6HINQUJKUp1IqHn5J8pKx+jd6Vy82 +lTmNr2mNtdDdqt1/WCOzaIDyCcvr5AD1lYL4YuG4nEpzWx7clvU= +=pNio +-----END PGP SIGNATURE----- diff --git a/nghttp2.spec b/nghttp2.spec index ab7ecef..99ad3c6 100644 --- a/nghttp2.spec +++ b/nghttp2.spec @@ -6,8 +6,8 @@ Summary: Experimental HTTP/2 client, server and proxy Name: nghttp2 -Version: 1.64.0 -Release: 2%{?dist}.1 +Version: 1.68.0 +Release: 3%{?dist}.1 # Parts of ruby bindings are additionally under GPL-2.0-or-later, MIT and # HPND-Kevlin-Henney but they are NOT shipped. @@ -19,7 +19,12 @@ Source1: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name Source2: tatsuhiro-t.pgp # fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135) -Patch1: 0001-nghttp2-1.64.0-CVE-2026-27135.patch +Patch001: 0001-nghttp2-1.68.0-Check-nghttp2_is_fatal-first.patch +Patch002: 0002-nghttp2-1.68.0-Fix-missing-iframe-state-validations-to-avoid-assert.patch + +# Make X25519MLKEM768 the default TLS key exchange group in nghttpd and nghttpx +# https://issues.redhat.com/browse/RHEL-103655 +Patch100: 0100-nghttp2-1.64.0-pqc-add-X25519MLKEM768-as-the-default-TLS-key-exchan.patch BuildRequires: CUnit-devel BuildRequires: c-ares-devel @@ -175,7 +180,6 @@ popd %{_bindir}/nghttp %{_bindir}/nghttpd %{_bindir}/nghttpx -%{_datadir}/nghttp2 %{_mandir}/man1/h2load.1* %{_mandir}/man1/nghttp.1* %{_mandir}/man1/nghttpd.1* @@ -201,7 +205,6 @@ popd %{mingw32_libdir}/libnghttp2.dll.a %{mingw32_libdir}/pkgconfig/libnghttp2.pc %{mingw32_includedir}/nghttp2/ -%{mingw32_datadir}/nghttp2/ %files -n mingw64-libnghttp2 %license COPYING @@ -210,14 +213,22 @@ popd %{mingw64_libdir}/libnghttp2.dll.a %{mingw64_libdir}/pkgconfig/libnghttp2.pc %{mingw64_includedir}/nghttp2/ -%{mingw64_datadir}/nghttp2/ %endif %changelog -* Thu Apr 09 2026 Jan Macku 1.64.0-2.1 +* Tue Mar 31 2026 Jan Macku 1.68.0-3.1 - fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135) +* Wed Feb 11 2026 Jan Macku 1.68.0-3 +- Spec bump (RHEL-103655) + +* Mon Feb 09 2026 Jan Macku 1.68.0-2 +- PQC: make X25519MLKEM768 the default TLS key exchange group in nghttpd and nghttpx (RHEL-103655) + +* Mon Feb 09 2026 Jan Macku 1.68.0-1 +- update to the latest upstream release (RHEL-143723) + * Tue Oct 29 2024 Troy Dawson - 1.64.0-2 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 diff --git a/sources b/sources index 96ce66f..889412c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (nghttp2-1.64.0.tar.xz) = b544196c3b7a55faacd11700d11e2fe4f16a7418282c9abb24a668544a15293580fd1a2cc5f93367c8a17c7ee45335c6d2f5c68a72dd176d516fd033f203eeec +SHA512 (nghttp2-1.68.0.tar.xz) = a5182c2c54cdff3c70bdad204bff9a573cf7951e189d68665087f047cb79e5fc2d5d5aefbb41e2dfe264e2e74fbbe10196cb596248e328c944406ca09da98344