NGINX 1.25.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.13, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.5 mainline with HTTP/3 support has been added to the EL7, EL8 and EL9 repositories. The Brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules are added or built in. NGINX is linked dynamically against OpenSSL+QUIC 3.0.13.

Apache httpd 2.4.59 with brotli support, TLS 1.3, OpenSSL 3.0.13 with http2, mod_http2 2.0.27 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.59-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11.

Important fix: CVE-2024-27316

Since v2.4.56-2 we have built OpenSSL+QUIC 3.0.11 separately and installed it to /lib64 with the .so.81.3 suffix to ensure it won't interfere with your system libraries. You can safely delete the openssl111* packages. On EL8 and EL9, please enable the httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we have included the Brotli compression library. Since the 2.4.35 release we have been building Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final version of TLS 1.3 (not to be confused with any draft versions) is supported and enabled by default. Please note that the final version of TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+. Brotli support is already included in the base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

nghttp2 1.61.0 released fixing CVE-2024-28182

nghttp2 1.61.0 rpms released and added to all platforms.

Update: the EL7 and EL8 packages have also been updated with an added patch reverting the migrate-to-ares_getaddrinfo changes.

Fixes CVE-2024-28182
nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087
Checkout with submodules by @jonaski in #2093
Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092
build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097
Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098
docker: Use copy --link by @tatsuhiro-t in #2099
Nghttpx header idle timeout by @tatsuhiro-t in #2100
nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101
Rewrite hexdump by @tatsuhiro-t in #2102
Switch to distroless/base-nossl by @tatsuhiro-t in #2103
Bump ngtcp2 by @tatsuhiro-t in #2105
nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106
build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107
autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108
Automate release process by @tatsuhiro-t in #2109
autotools: Switch to tar-pax by @tatsuhiro-t in #2110
nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111
nghttpx: Fix port byte order by @tatsuhiro-t in #2112
h2load: Allow host header to be overridden by @tatsuhiro-t in #2113
nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114
nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115
Add actions/stale by @tatsuhiro-t in #2116
nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117
nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119
No rfc7540 priority fix by @tatsuhiro-t in #2120
Further reduce Stateless reset emission by @tatsuhiro-t in #2122
nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124
Nghttpx faster worker lookup by @tatsuhiro-t in #2125
nghttpx: Split thread into worker_process and thread by @tatsuhiro-t in #2126
bpf: Drop bad QUIC packet by @tatsuhiro-t in #2127
cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON by @jimmy-park in #2128
nghttpx: Allocate 3 bits for QUIC configuration in Connection ID by @tatsuhiro-t in #2129
nghttpx: Migrate to ares_getaddrinfo by @tatsuhiro-t in #2132
Bump munit by @tatsuhiro-t in #2131
nghttpx: Fix error message by @tatsuhiro-t in #2133
nghttpd: Fix read stall by @tatsuhiro-t in #2134

ngtcp2 1.4.0 released

ngtcp2 1.4.0 rpms released and added to all supported platforms

Erase sensitive data before freeing memory by @tatsuhiro-t in #1122
Fix compile error with libstdc++6-14 by @tatsuhiro-t in #1123
Make congestion controller use the current path MTU by @tatsuhiro-t in #1124
Reduce malloc call in conn_new by @tatsuhiro-t in #1125
Add missing FindJemalloc.cmake to EXTRA_DIST by @tatsuhiro-t in #1127
Automate release process by @tatsuhiro-t in #1130
Make Path MTU Discovery probes configurable by @tatsuhiro-t in #1128
examples: Add --pmtud-probes option by @tatsuhiro-t in #1132
Accept zero length UDP datagram payload and just return 0 by @tatsuhiro-t in #1134
Deal with the case that send_quantum < max_udp_payload_size by @tatsuhiro-t in #1135
Adjust simpleclient buffer to have default max_tx_udp_payload_size by @tatsuhiro-t in #1136
Document about outgoing UDP datagram payload size by @tatsuhiro-t in #1137
Move ngtcp2_settings_default_versioned to ngtcp2_settings.c by @tatsuhiro-t in #1138
Refactor acktr by @tatsuhiro-t in #1139
Cleanup free functions called from conn_new by @tatsuhiro-t in #1140
Make functions that discard pkns callable from the other source files by @tatsuhiro-t in #1141
Add typed ngtcp2_min and ngtcp2_max functions by @tatsuhiro-t in #1142
Avoid setting 0 after memset by @tatsuhiro-t in #1143
Move ngtcp2_transport_params functions to its own file by @tatsuhiro-t in #1144
Remove unused ngtcp2_conversion_test.c by @tatsuhiro-t in #1145
Move struct version to the last argument by @tatsuhiro-t in #1146
git clone recursive by @tatsuhiro-t in #1147
Update README.rst by @Karthikdasari0423 in #1150
ngtcp2_conn_write_connection_close: Fix assertion failure by @tatsuhiro-t in #1154
Fix assertion failure because of failing dup Connection ID check by @tatsuhiro-t in #1155
fuzz: Add read_write_pkt fuzzer by @tatsuhiro-t in #1156
Workaround llvm issue by @tatsuhiro-t in #1158
fuzz: Add missing include by @tatsuhiro-t in #1159
fuzz: Workaround llvm issue by @tatsuhiro-t in #1160
Add 2 new ngtcp2_ccerr_type values by @tatsuhiro-t in #1161
Add handshake fuzzer by @tatsuhiro-t in #1162
docker: Use copy --link by @tatsuhiro-t in #1163
Bump aws-lc to v1.23.0 by @tatsuhiro-t in #1164
Bump boringssl by @tatsuhiro-t in #1165
Bump picotls by @tatsuhiro-t in #1166
Switch to distroless/base-nossl by @tatsuhiro-t in #1167
Remove debug printf by @tatsuhiro-t in #1168
Add padding to at most 1200 bytes by @tatsuhiro-t in #1169
Add ngtcp2_ppe padding tests by @tatsuhiro-t in #1170

SSH3 0.1.7 test package added

Fast and secure SSH3 (shell over HTTP/3) 0.1.7 test packages (ssh3 client and ssh3-server) added to EL8 testing repo for aarch64 and x86_64.

Please note that a name change discussion is in progress (to sshh / shs / soh3 etc).

Project page: https://github.com/francoismichel/ssh3/

These packages can also be installed on EL9 and Fedora. At build time, Golang 1.21 is a hard requirement, and only 1.20 is easily available on AlmaLinux 9 at this time.

x86_64:

https://repo.codeit.guru/packages/testing/8/x86_64/ssh3-0.1.7-1.codeit.el8.x86_64.rpm

https://repo.codeit.guru/packages/testing/8/x86_64/ssh3-server-0.1.7-1.codeit.el8.x86_64.rpm

aarch64:

https://repo.codeit.guru/packages/testing/8/aarch64/ssh3-0.1.7-1.codeit.el8.aarch64.rpm

https://repo.codeit.guru/packages/testing/8/aarch64/ssh3-server-0.1.7-1.codeit.el8.aarch64.rpm

nghttp2 1.60.0 released

nghttp2 1.60.0 rpms released and added to all supported platforms

makerelease.sh: Speed up git submodule by @tatsuhiro-t in #2043
Speed up git clone by @tatsuhiro-t in #2044
build(deps): bump actions/cache from 3 to 4 by @dependabot in #2046
Fixing the build and install trees by @anthonyalayo in #2051
build(deps): bump microsoft/setup-msbuild from 1 to 2 by @dependabot in #2052
nghttpx: Set ocsp response to SSL in case of boringssl by @tatsuhiro-t in #2055
Run with python3 by @tatsuhiro-t in #2054
src: Certificate Compression with boringssl by @tatsuhiro-t in #2056
Fix missing newline by @tatsuhiro-t in #2057
Switch to aws lc by @tatsuhiro-t in #2058
Libbrotli fixup by @tatsuhiro-t in #2059
Deprecate RFC 7540 priorities (aka stream dependencies) by @tatsuhiro-t in #2060
Let dependabot manage go modules by @tatsuhiro-t in #2061
build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0 by @dependabot in #2062
integration-tests: Omit unused parameters by @tatsuhiro-t in #2065
Munit by @tatsuhiro-t in #2064
Introduce nghttp2_ssize API by @tatsuhiro-t in #2066
Move deprecated warning upfront by @tatsuhiro-t in #2067
Describe RFC 7540 priorities deprecation plan by @tatsuhiro-t in #2068
Apps migrate nghttp2 ssize by @tatsuhiro-t in #2069
src: Remove unused functions by @tatsuhiro-t in #2070
Reconsider ssize t usage in src by @tatsuhiro-t in #2071
Use GitHub private vulnerability reporting by @tatsuhiro-t in #2072
Move security policy to GitHub standard location by @tatsuhiro-t in #2073
Bump mruby to 3.3.0 by @tatsuhiro-t in #2074
Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663 by @tatsuhiro-t in #2075
h2load: Add --sni option by @tatsuhiro-t in #2076
Bump ngtcp2 dependencies by @tatsuhiro-t in #2077
mruby: Adopt deprecation of mrbc_ prefix by @tatsuhiro-t in #2078
neverbleed: Define _GNU_SOURCE for pthread_setaffinity_np by @tatsuhiro-t in #2079
bpf: Pre-expand aes key by @tatsuhiro-t in #2080
mruby: Exclude mrdb gem which causes nghttpx to crash by @tatsuhiro-t in #2081
nghttpx: Reuse EVP_CIPHER_CTX for QUIC connection ID encryption by @tatsuhiro-t in #2082
Run apt-get update before install by @tatsuhiro-t in #2083
src: Deal with the case that send_quantum < max_udp_payload_size by @tatsuhiro-t in #2084
nghttpx: Remove SHRPX_QUIC_MAX_UDP_PAYLOAD_SIZE by @tatsuhiro-t in #2085
Fix build when AI_NUMERICSERV is undefined by @barracuda156 in #2086

NGINX 1.25.4 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.13, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.4 mainline with HTTP/3 support has been added to the EL7, EL8 and EL9 repositories. The Brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules are added or built in. NGINX is linked dynamically against OpenSSL+QUIC 3.0.12.

Major changes:

  • fixes for vulnerabilities in HTTP/3 (CVE-2024-24989, CVE-2024-24990)

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-mainline --save
yum install nginx

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9:

The repos are modular now. To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline
dnf install nginx

Since v1.21.6 we have built OpenSSL+QUIC 3.0 separately and installed it to /lib64 with the .so.81.3 suffix to ensure it won't interfere with your system libraries.

Experimental HTTP/3 support was added in NGINX 1.25.0 Mainline. We build it with the corresponding module (--with-http_v3_module).

nghttp3 1.2.0, ngtcp2 1.3.0 released

nghttp3 1.2.0, ngtcp2 1.3.0 rpms released and added to all supported platforms

nghttp3 1.2.0:

Clarify the behavior when a stream is not found by @tatsuhiro-t in #181
Fix typo by @tatsuhiro-t in #183
cmake: restore ENABLE_STATIC_CRT and ENABLE_ASAN options by @vszakats in #184
Migrate to munit from cunit by @tatsuhiro-t in #187
Pull sfparse via git submodule by @tatsuhiro-t in #188
Update .gitignore by @tatsuhiro-t in #190
Update git submodule by @tatsuhiro-t in #189
Add nghttp3_conn_update_ack_offset by @tatsuhiro-t in #191
Add include path to munit directory by @tatsuhiro-t in #192
Bump munit by @tatsuhiro-t in #193
Shrink nghttp3_stream size by @tatsuhiro-t in #194
Fix typo by @tatsuhiro-t in #195
Bump munit by @tatsuhiro-t in #196
Bump submodules by @tatsuhiro-t in #198

ngtcp2 1.3.0:

Do not run docker-build on tag by @tatsuhiro-t in #1085
Speed up git clone by @tatsuhiro-t in #1086
Use cmake -B consistently by @tatsuhiro-t in #1087
Bump actions/cache from 3 to 4 by @dependabot in #1088
Optimize STOP_SENDING by @tatsuhiro-t in #1089
Fix retransmit frames on stream by @tatsuhiro-t in #1090
Set NGTCP2_STRM_FLAG_RESET_STREAM when RESET_STREAM is sent by @tatsuhiro-t in #1091
Add helper functions to encode/decode zero length transport parameter by @tatsuhiro-t in #1092
Verify decoding truncated frames by @tatsuhiro-t in #1093
Use typed frame type rather than ngtcp2_frame by @tatsuhiro-t in #1094
Verify decoding truncated packet headers by @tatsuhiro-t in #1095
Open a remote stream if RESET_STREAM is received by @tatsuhiro-t in #1096
nghttp3 now requires git submodule by @tatsuhiro-t in #1098
Migrate to munit from cunit by @tatsuhiro-t in #1099
Rewrite ngtcp2_cbrt by @tatsuhiro-t in #1100
Add missing munit header file to HFILES by @tatsuhiro-t in #1101
Bump munit by @tatsuhiro-t in #1102
Fix typo by @tatsuhiro-t in #1103
Bump microsoft/setup-msbuild from 1 to 2 by @dependabot in #1104
Remove pthread from BORINGSSL_LIBS by @tatsuhiro-t in #1105
boringssl: Add certificate compression by @tatsuhiro-t in #1106
Rewrite hexdump by @tatsuhiro-t in #1107
hexdump: Add an extra whitespace after address by @tatsuhiro-t in #1108
hexdump: Fix the last address is not shown by @tatsuhiro-t in #1110
examples: Add include in GnuTLS example by @atlesn in #1111
Use assert_stdsv_equal and print title by @tatsuhiro-t in #1112
examples: Minor fixup by @tatsuhiro-t in #1113
Bump aws-lc to v1.21.0 by @tatsuhiro-t in #1115
Add security policy by @tatsuhiro-t in #1116
Bump boringssl by @tatsuhiro-t in #1117
Bump openssl by @tatsuhiro-t in #1119
examples: Fix operator precedence error by @tatsuhiro-t in #1120
Bump munit by @tatsuhiro-t in #1121