1.14.3 (June 30, 2020)

Changes

  • buffer: fixed CVE-2020-12603 by avoiding fragmentation, and tracking of HTTP/2 data and control frames in the output buffer.

  • http: fixed CVE-2020-12604 by changing stream_idle_timeout to also defend against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client.

  • http: fixed CVE-2020-12605 by including request URL in request header size computation, and rejecting partial headers that exceed configured limits.

  • listener: fixed CVE-2020-8663 by adding runtime support for per-listener limits on active/accepted connections.

  • overload management: fixed CVE-2020-8663 by adding runtime support for global limits on active/accepted connections.