nghttp2 1.6.0 fixes a use after free bug: https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/ The upstream changelog isn't very specific about security implications, but use after free in network facing code is usually pretty serious.
1.6.0 is already in the tree
Is it ready to go to stable?
Probably. No one has complained thus far.
Arches, please test and mark stable: =net-libs/nghttp2-1.6.0 Target Keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" Thank you!
amd64 stable
x86 stable
Stable for HPPA PPC64.
ppc stable
sparc stable
alpha stable
ia64 stable
all arches done now
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201612-06 at https://security.gentoo.org/glsa/201612-06 by GLSA coordinator Aaron Bauman (b-man).