Thursday, May 26, 2016

H2O version 1.7.3 / 2.0.0-beta5 released with a vulnerability fix

We have just released version 1.7.3 and 2.0.0-beta5 of the H2O HTTP/2 server.

The releases include a fix for a security issue (CVE-2016-4817). Existing users are encouraged to update their installations.

The details of the issue can be found here.

We would like to thank Tim Newsham for reporting the issue and Frederik Deweerdt for providing a fix.

Monday, May 9, 2016

H2O HTTP/2 server 1.7.2 / 2.0.0-beta3 released

Today I have released H2O HTTP/2 server version 1.7.2 and 2.0.0-beta3.

The releases include an updated version of LibreSSL that fixes CVE-2016-2107; users of H2O built with the bundled version of LibreSSL are advised to update their installations.

In addition to the fix, 2.0.0-beta3 includes many new features and bug fixes.

Especially, support for reverse-proxying over HTTPS (#875) and the new configuration directives for tweaking environment variables passed to FastCGI (#868) might be helpful to the users who have wanted them.

We plan to release the final version of 2.0 soon, and then proceed to optimizing the server even further. Stay tuned!