From c50c4536ddbbce8ee1ab0f403506a61fbd5f35f1 Mon Sep 17 00:00:00 2001 From: Chris Walker Date: Wed, 30 Oct 2019 13:16:30 -0400 Subject: [PATCH] Added additional, http/2 specific documentation for #4253 --- .../asciidoc/administration/http2/introduction.adoc | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/jetty-documentation/src/main/asciidoc/administration/http2/introduction.adoc b/jetty-documentation/src/main/asciidoc/administration/http2/introduction.adoc index 6f3d7b17e9c..f560ae1f731 100644 --- a/jetty-documentation/src/main/asciidoc/administration/http2/introduction.adoc +++ b/jetty-documentation/src/main/asciidoc/administration/http2/introduction.adoc 
@@ -26,11 +26,21 @@ The requirements for running HTTP/2 are JDK 8 or greater, and typically also ALP A server deployed over TLS (SSL) normally advertises the HTTP/2 protocol via the TLS extension Application Layer Protocol Negotiation link:#alpn[(ALPN)]. ____ -[IMPORTANT] +[NOTE] To use HTTP/2 in Jetty via a TLS connector you need to add the link:#alpn-starting[ALPN boot jar] in the boot classpath. This is done automatically when using the Jetty distribution's start.jar link:#startup-modules[module system], but must be configured directly otherwise. ____ +[[http2-security-update]] +==== Jetty HTTP/2 Security Update + +In mid-2019, there were a link:#security-reports[number of CVEs] were issued warning against vulnerable HTTP/2 implementations. These CVEs (CVE-2019-9511 thru CVE-2019-9518) generally centered around attackers manipulating and flooding HTTP/2 servers and creating a denial of service (DOS). These vulnerabilities were patched with Jetty 9.4.21. + +As a result of these CVEs, Jetty introduced a new, configurable denial of service (DOS) protection feature in Jetty 9.4.22. + +Jetty’s HTTP/2 implementation now features a new Rate Control parameter, `jetty.http2.rateControl.maxEventsPerSecond`, that defaults to 20 events per second, per connection for all pings, bad frames, settings frames, priority changes etc. + + [[http2-modules]] ==== Jetty HTTP/2 Sub Projects
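Review bot: the first sentence of the new "Jetty HTTP/2 Security Update" section has a doubled verb, "there were a link:#security-reports[number of CVEs] were issued", and should read "a link:#security-reports[number of CVEs] were issued warning against vulnerable HTTP/2 implementations". In the same paragraph, "thru" should be "through", and "denial of service (DOS)" (used twice) should use the conventional abbreviation "DoS", since "DOS" reads as the operating system. The description of `jetty.http2.rateControl.maxEventsPerSecond` would be more useful to an administrator if it also stated what Jetty does to a connection that exceeds the 20 events per second limit and where the property is set (the http2 module's ini file, if that is the intended location), as the current text only gives the default and the kinds of frames counted. Minor: the section ends with two blank `+` lines before `[[http2-modules]]` where the rest of the file uses one, and "Jetty’s" uses a curly apostrophe unlike the surrounding ASCII text; the `[IMPORTANT]` to `[NOTE]` change is unrelated to the commit message and deserves a mention there.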