UbuntuUpdates.org

Package "nghttp2"

Name: nghttp2

Description:

server, proxy and client implementing HTTP/2

Latest version: 1.64.0-1.1ubuntu1.2
Release: questing (25.10)
Level: security
Repository: universe
Homepage: https://nghttp2.org/

Links


Download "nghttp2"


Other versions of "nghttp2" in Questing

Repository Area Version
base main 1.64.0-1.1ubuntu1
base universe 1.64.0-1.1ubuntu1
security main 1.64.0-1.1ubuntu1.2
updates main 1.64.0-1.1ubuntu1.2
updates universe 1.64.0-1.1ubuntu1.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.64.0-1.1ubuntu1.2 2026-07-02 15:07:40 UTC

  nghttp2 (1.64.0-1.1ubuntu1.2) questing-security; urgency=medium

  * SECURITY UPDATE: HTTP request/response smuggling issue
    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP
      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,
      src/shrpx_http2_upstream.cc, src/shrpx_http3_upstream.cc,
      src/shrpx_http_downstream_connection.cc,
      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.
    - CVE-2026-58055

 -- Marc Deslauriers <email address hidden> Tue, 30 Jun 2026 12:43:31 -0400

Source diff to previous version
CVE-2026-58055 nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-ali

Version: 1.64.0-1.1ubuntu1.1 2026-05-05 18:07:38 UTC

  nghttp2 (1.64.0-1.1ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of service through assertion failure.
    - debian/patches/CVE-2026-27135-pre1.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135-pre2.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - debian/patches/CVE-2026-27135-post1.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - CVE-2026-27135

 -- Hlib Korzhynskyy <email address hidden> Thu, 23 Apr 2026 16:13:11 -0230

CVE-2026-27135 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incomi



About   -   Send Feedback to @ubuntu_updates