[Security] Bump h2 from 0.3.16 to 0.3.18
Bumps h2 from 0.3.16 to 0.3.18. This update includes a security fix.
Vulnerabilities fixed
h2 vulnerable to denial of service

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process HTTP/2 `RST_STREAM` frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high, which can lead to a Denial of Service (DoS). As of the time of publication of this advisory, there is no evidence of a fix having been incorporated into h2.

This issue affects users only when dealing with HTTP/2 connections.

Patched versions: 0.3.17
Affected versions: <= 0.3.16; < 0.3.17
Release notes
Sourced from h2's releases.

v0.3.18

What's Changed
- fix: pending-accept remotely-reset streams pattern was checking is_local by @seanmonstar in hyperium/h2#676

v0.3.17

What's Changed
- Add `Error::is_library()` method to check if the error originated inside `h2`.
- Add `max_pending_accept_reset_streams(usize)` option to client and server builders.
- Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)
Changelog
Sourced from h2's changelog.

0.3.18 (April 17, 2023)
- Fix panic because of opposite check in `is_remote_local()`.

0.3.17 (April 13, 2023)
- Add `Error::is_library()` method to check if the error originated inside `h2`.
- Add `max_pending_accept_reset_streams(usize)` option to client and server builders.
- Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)
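The changelog entries above describe the failure mode (HEADERS followed by RST_STREAM arriving faster than the application accepts streams, so reset-but-unaccepted streams pile up in memory) and the knob added to bound it. The following is an added example, not h2's own code: a std-only Rust model of a server-side pending-accept queue that shows how an unbounded queue grows under such a flood and how a cap keeps it bounded. The `Frame`, `Pending` and `PendingAccept` types, the eviction policy (drop the oldest reset-but-unaccepted stream once the cap is exceeded) and the constructed frame sequence are all assumptions made for illustration; consult the h2 source for the real data structures and policy.

```rust
use std::collections::VecDeque;

/// Peer-sent frames in this toy model (constructed, not a real HTTP/2 codec).
#[derive(Debug, Clone, Copy)]
pub enum Frame {
    Headers(u32),
    RstStream(u32),
}

/// A stream the peer opened that the application has not yet accepted.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Pending {
    pub id: u32,
    pub reset: bool,
}

/// Model of a server-side pending-accept queue (assumption: not h2's real structure).
pub struct PendingAccept {
    queue: VecDeque<Pending>,
    reset_count: usize,
    /// None = unbounded (the pre-fix behaviour); Some(n) = cap on reset-but-unaccepted streams.
    max_pending_reset: Option<usize>,
    pub evicted: usize,
}

impl PendingAccept {
    pub fn new(max_pending_reset: Option<usize>) -> Self {
        PendingAccept { queue: VecDeque::new(), reset_count: 0, max_pending_reset, evicted: 0 }
    }

    /// Feed one peer frame. HEADERS opens a stream; RST_STREAM marks it reset.
    pub fn on_frame(&mut self, frame: Frame) {
        match frame {
            Frame::Headers(id) => self.queue.push_back(Pending { id, reset: false }),
            Frame::RstStream(id) => {
                // Search from the back: in a flood the reset usually targets the newest stream.
                if let Some(p) = self.queue.iter_mut().rev().find(|p| p.id == id && !p.reset) {
                    p.reset = true;
                    self.reset_count += 1;
                    if let Some(max) = self.max_pending_reset {
                        if self.reset_count > max {
                            // Over the cap: evict the oldest reset stream so memory stays bounded.
                            if let Some(pos) = self.queue.iter().position(|p| p.reset) {
                                self.queue.remove(pos);
                                self.reset_count -= 1;
                                self.evicted += 1;
                            }
                        }
                    }
                }
            }
        }
    }

    /// The application accepts the next stream; a reset one is handed over so it can be discarded.
    pub fn accept(&mut self) -> Option<Pending> {
        let p = self.queue.pop_front()?;
        if p.reset {
            self.reset_count -= 1;
        }
        Some(p)
    }

    pub fn len(&self) -> usize {
        self.queue.len()
    }

    pub fn pending_reset(&self) -> usize {
        self.reset_count
    }
}

/// Constructed flood: `streams` HEADERS+RST_STREAM pairs while the application never accepts.
pub fn flood(cap: Option<usize>, streams: u32) -> PendingAccept {
    let mut pa = PendingAccept::new(cap);
    for i in 0..streams {
        let id = 2 * i + 1; // client-initiated stream ids are odd
        pa.on_frame(Frame::Headers(id));
        pa.on_frame(Frame::RstStream(id));
    }
    pa
}

fn main() {
    let unbounded = flood(None, 2_000);
    println!("unbounded: {} queued, {} reset", unbounded.len(), unbounded.pending_reset());
    let capped = flood(Some(20), 2_000);
    println!("cap=20:    {} queued, {} reset, {} evicted",
             capped.len(), capped.pending_reset(), capped.evicted);
}
```

With no cap the queue holds one entry per attacker stream for as long as the application lags, which is the memory growth the CVE describes; with a cap the queue settles at the cap and everything beyond it is freed on arrival. In a real deployment the equivalent setting is the `max_pending_accept_reset_streams(usize)` builder option named in the changelog; the value to choose depends on how quickly the application drains accepted streams.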
Commits
- 1b9f070 v0.3.18
- 1c6fa28 fix: pending-accept remotely-reset streams pattern was checking is_local
- af4bcac v0.3.17
- d3f37e9 feat: add max_pending_accept_reset_streams(n) options
- 5bc8e72 fix: limit the amount of pending-accept reset streams
- 8088ca6 feat: add Error::is_library method
- 481c31d chore: Use Cargo metadata for the MSRV build job
- d3d50ef chore: Replace unmaintained/outdated GitHub Actions
- 45b9bcc chore: set rust-version in Cargo.toml (#664)
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- `$dependabot rebase` will rebase this MR
- `$dependabot recreate` will recreate this MR, rewriting all the manual changes and resolving conflicts