UbuntuUpdates.org

Package "libnghttp2-14"

Name: libnghttp2-14

Description:

library implementing HTTP/2 protocol (shared library)

Latest version: 1.68.0-2ubuntu0.2
Release: resolute (26.04)
Level: security
Repository: main
Head package: nghttp2
Homepage: https://nghttp2.org/

Links


Download "libnghttp2-14"


Other versions of "libnghttp2-14" in Resolute

Repository Area Version
base main 1.68.0-2
updates main 1.68.0-2ubuntu0.2

Changelog

Version: 1.68.0-2ubuntu0.2 2026-07-02 15:07:41 UTC

  nghttp2 (1.68.0-2ubuntu0.2) resolute-security; urgency=medium

  * SECURITY UPDATE: HTTP request/response smuggling issue
    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP
      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,
      src/shrpx_http2_upstream.cc, src/shrpx_http3_upstream.cc,
      src/shrpx_http_downstream_connection.cc,
      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.
    - CVE-2026-58055

 -- Marc Deslauriers <email address hidden> Tue, 30 Jun 2026 12:37:58 -0400

Source diff to previous version
CVE-2026-58055 nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-ali

Version: 1.68.0-2ubuntu0.1 2026-05-06 20:07:47 UTC

  nghttp2 (1.68.0-2ubuntu0.1) resolute-security; urgency=medium

  * SECURITY UPDATE: Denial of service through assertion failure.
    - debian/patches/CVE-2026-27135.patch: Add iframe->state ==
      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.
    - CVE-2026-27135

 -- Hlib Korzhynskyy <email address hidden> Tue, 05 May 2026 15:08:54 -0230

CVE-2026-27135 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incomi



About   -   Send Feedback to @ubuntu_updates