blob: 4b267945a7cafab5aaf6c252eab64600fa595bac (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
+++
date = "2024-04-05T07:00:00+01:00"
title = "Cowboy 2.12"
+++
Cowboy `2.12.0` has been released!
Cowboy 2.12 contains a fix for a security vulnerability
in the HTTP/2 protocol implementation that has recently
been made public:
https://nowotarski.info/http2-continuation-flood/[HTTP/2 CONTINUATION Flood].
Cowboy adds a new HTTP/2 option `max_fragmented_header_block_size`
to control how much data is accepted in CONTINUATION
frames before an error is triggered.
Cowboy 2.12 was produced and released a few weeks ago,
as a result of advance knowledge of this vulnerability.
If you already upgraded, you are safe! If not, please
upgrade as soon as possible.
Both Cowboy and Cowlib must be upgraded. Cowlib 2.13
has been produced for this fix. This is a minor release
and not a patch release only because of the newly added
option.
Cowboy 2.12 requires Erlang/OTP 24.0 or greater.
It is tested and supported on Linux, macOS and Windows.
A complete
list of changes can be found in the migration guide:
https://ninenines.eu/docs/en/cowboy/2.12/guide/migrating_from_2.11/[Migrating from Cowboy 2.11 to 2.12].
You can donate to this project via
https://github.com/sponsors/essen[GitHub Sponsors].
As usual, feedback is appreciated, and issues or
questions should be sent via Github tickets or
discussions. Thanks!
|