Debian Patches

Status for nghttp2/1.64.0-1.1+deb13u1

Patch: 0002-Workaround-for-963648.patch
Description: Workaround for #963648.
Author: Tomasz Buchert <tomasz@debian.org>
Forwarded: no
Last update: 2020-08-16

Patch: 0002-add-munit-explicitly.patch
Description: add munit explicitly
Author: Tomasz Buchert <tomasz@debian.org>
Forwarded: no
Last update: 2024-03-29

Patch: lp-2104171-avoid-rubydomain-namespace.patch
Description: Fix FTBFS due to rubydomain namespace
  Fixes FTBFS due to: "Could not import extension rubydomain.rubydomain"
  (exception: No module named 'pkg_resources')
Author: Lukas Märdian <slyon@ubuntu.com>
Forwarded: yes
Bugs: debian
Origin: vendor, Ubuntu
Last update: 2025-03-27

Patch: CVE-2026-27135.patch
Description: Fix missing iframe->state validations to avoid assertion failure
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Forwarded: no
Origin: upstream, https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
Last update: 2026-02-18

Patch: CVE-2026-27135-test.patch
Description: Add tests for iframe->state validation
  nghttp2 version where pending_no_rfc7540_priorities does not exist anymore.
  Here, it defaults to UINT8_MAX, which causes
  session_no_rfc7540_pri_no_fallback() to return false. This makes the
  PRIORITY_UPDATE frame get silently ignored (routed to IB_IGN_PAYLOAD) instead
  of being processed through session_process_priority_update_frame(). The
  on_frame_recv_callback never fires, terminate_session() is never called, and
  session_inbound_frame_reset() resets the state to IB_READ_HEAD (2) instead of
  preserving IB_IGN_ALL (15). Therefore, we added
  session->pending_no_rfc7540_priorities = 1; after creating the server session
  in both PRIORITY_UPDATE sub-tests so the frame is actually processed.
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Forwarded: no
Origin: backport, https://github.com/nghttp2/nghttp2/commit/c619c7be0737ac78051b1cacf4b1ce5467eb838d
Last update: 2026-02-18
