Fix CVE-2023-44487: The HTTP/2 protocol allows a denial of service
(server resource consumption) because request cancellation can reset
many streams quickly, as exploited in the wild in August through October
2023.
Fix CVE-2023-35945: nghttp2 fails to release memory when PUSH_PROMISE or
HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails
with a fatal error. For example, if GOAWAY frame has been received, a
HEADERS frame that opens new stream cannot be sent.
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqghttps://github.com/nghttp2/nghttp2/security/advisories/GHSA-6pcr-v3hg-752phttps://github.com/nghttp2/nghttp2/compare/v1.41.0...v1.57.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 07c44afc8d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
c2770f7cc3