Cowboy 2.12
++ 2024 + 05 Apr +
+Cowboy 2.12.0
has been released!
Cowboy 2.12 contains a fix for a security vulnerability in the HTTP/2 protocol implementation that has recently been made public: HTTP/2 CONTINUATION Flood.
+Cowboy adds a new HTTP/2 option max_fragmented_header_block_size
to control how much data is accepted in CONTINUATION frames before an error is triggered.
Cowboy 2.12 was produced and released a few weeks ago, as a result of advance knowledge of this vulnerability. If you already upgraded, you are safe! If not, please upgrade as soon as possible.
+Both Cowboy and Cowlib must be upgraded. Cowlib 2.13 has been produced for this fix. This is a minor release and not a patch release only because of the newly added option.
+Cowboy 2.12 requires Erlang/OTP 24.0 or greater. It is tested and supported on Linux, macOS and Windows.
+A complete list of changes can be found in the migration guide: Migrating from Cowboy 2.11 to 2.12.
+You can donate to this project via GitHub Sponsors.
+As usual, feedback is appreciated, and issues or questions should be sent via Github tickets or discussions. Thanks!
+ + +