Debian Patches
Status for nghttp2/1.52.0-1+deb12u3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-Make-fetch-ocsp-response-use-python3.patch | Make fetch-ocsp-response use python3 | Tomasz Buchert <tomasz@debian.org> | no | 2018-01-02 | ||
| 0002-Workaround-for-963648.patch | Workaround for #963648. | Tomasz Buchert <tomasz@debian.org> | no | 2020-08-16 | ||
| CVE-2023-44487.patch | Rework session management | Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> | no | 2023-10-01 | ||
| 0001-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch | Limit CONTINUATION frames following an incoming HEADER frame | Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> | no | 2024-03-09 | ||
| 0002-Add-nghttp2_option_set_max_continuations.patch | Add nghttp2_option_set_max_continuations | Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> | no | 2024-03-09 | ||
| CVE-2026-27135.patch | Fix missing iframe->state validations to avoid assertion failure Backported from upstream commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1. Uses ssize_t instead of nghttp2_ssize, and targets nghttp2_session_mem_recv instead of nghttp2_session_mem_recv2. Also, adding an extra hunk, avoiding an additional assertion, as discovered by the upstream test case. |
Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> | no | debian | backport, https://github.com/nghttp2/nghttp2/commit/5c7df8f | 2026-02-18 |
| CVE-2026-27135-test.patch | Add tests for iframe->state validation Converted from munit to CUnit test framework. Changed nghttp2_session_mem_recv2/nghttp2_ssize to nghttp2_session_mem_recv/ssize_t. Added session->pending_no_rfc7540_priorities = 1 for PRIORITY_UPDATE sub-tests because upstream removed the session_no_rfc7540_pri_no_fallback check. to account for the test_nghttp2_session_stream_reset_ratelim entry added by the local CVE-2023-44487.patch in this bookworm source tree. |
Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> | no | backport, https://github.com/nghttp2/nghttp2/commit/c619c7be0737ac78051b1cacf4b1ce5467eb838d | 2026-02-18 |
All known versions for source package 'nghttp2'
- 1.69.0-1 (forky, sid)
- 1.64.0-1.1+deb13u1 (trixie-security, trixie-proposed-updates)
- 1.64.0-1.1 (trixie)
- 1.52.0-1+deb12u3 (bookworm-security, bookworm-proposed-updates)
- 1.52.0-1+deb12u2 (bookworm)