H2O version 2.2.6 and 2.3.0-beta2 have been released.
This release addresses a series of DoS attack vectors that have been recently found on a broad range of HTTP/2 stacks.
Specifically, H2O had been deemed vulnerable to the following, and fixed:
* CVE-2019-9512 (Ping Flood)
* CVE-2019-9514 (Reset Flood)
* CVE-2019-9515 (Settings Flood)
Users of previous versions of H2O are advised to update to the recent versions.
For more information, please refer to issue 2090: HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515.