1.14.2 (June 8, 2020)

Changes

  • http: fixed CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters.

  • http: the stream_idle_timeout now also defends against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client.

  • listener: Add runtime support for per-listener limits on active/accepted connections.

  • overload management: Add runtime support for global limits on active/accepted connections.