Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Broken commit info:
Bugfix commit info:
https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/apache/httpd-site/pull/10
https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
https://github.com/apache/trafficserver/pull/10564
https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a
https://github.com/nodejs/node/pull/50121
https://github.com/line/armeria/pull/5232
https://github.com/facebook/proxygen/pull/466
https://github.com/envoyproxy/envoy/pull/30055
https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628
https://github.com/kubernetes/kubernetes/pull/121120
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49
https://github.com/h2o/h2o/pull/3291
https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
https://github.com/microsoft/CBL-Mariner/pull/6381
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
https://github.com/grpc/grpc-go/pull/6703
https://github.com/projectcontour/contour/pull/5826
PR: https://gitee.com/src-anolis-os/nghttp2/pulls/9/files