nghttp2 1.6.0 fixes a use-after-free bug:
The upstream changelog isn't very specific about security implications, but use-after-free in network-facing code is usually pretty serious.
1.6.0 is already in the tree.
Is it ready to go to stable?
Probably. No one has complained thus far.
Arches, please test and mark stable:
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA PPC64.
All arches done now.
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
This issue was resolved and addressed in
GLSA 201612-06 at https://security.gentoo.org/glsa/201612-06
by GLSA coordinator Aaron Bauman (b-man).