[Security] Bump hyper from 0.14.25 to 0.14.26
Bumps hyper from 0.14.25 to 0.14.26. This update includes a security fix.
Vulnerabilities fixed
hyper and h2 vulnerable to denial of service
Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in hyper v0.13.7 and h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high, which can lead to a Denial of Service (DoS). As of the time of publication of this advisory, there is no evidence of a fix having been incorporated into hyper or h2.
Patched versions: none
Affected versions: <= 0.14.25
Release notes
Sourced from hyper's releases.
v0.14.26
Features
New Contributors
- @Noah-Kennedy made their first contribution in hyperium/hyper#3201
Commits
- 00d52e4 v0.14.26
- a6f7571 feat(http2): add max_pending_accept_reset_streams configuration option (#3201)
- See full diff in compare view
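The advisory above describes reset streams whose state is not released until the server's accept loop gets to them, and the max_pending_accept_reset_streams option in the commit list bounds that backlog. What follows is an added model of that bound, not hyper's or h2's own code: the Conn and Action names, the odd stream ids and the constructed 1 KiB per-stream buffer are assumptions made for the illustration.

```rust
// Added model, not hyper's or h2's code: a server-side HTTP/2 connection that
// keeps state for streams the peer reset before the accept loop took them,
// and closes the connection once that backlog exceeds a configured cap.
use std::collections::HashMap;
#[derive(Debug, PartialEq)] pub enum Action { Continue, GoAway }
pub struct Conn {
    /// Streams opened by HEADERS and not yet handed to the accept loop.
    unaccepted: HashMap<u32, Vec<u8>>,
    /// Buffers of streams reset while unaccepted: still allocated until drained.
    pending_reset: Vec<Vec<u8>>,
    /// `None` models the unbounded, vulnerable behaviour.
    max_pending_reset: Option<usize>,
}
impl Conn {
    pub fn new(max_pending_reset: Option<usize>) -> Self {
        Conn { unaccepted: HashMap::new(), pending_reset: Vec::new(), max_pending_reset }
    }
    /// HEADERS frame: allocate per-stream state (constructed 1 KiB buffer).
    pub fn on_headers(&mut self, id: u32) {
        self.unaccepted.insert(id, vec![0u8; 1024]);
    }
    /// RST_STREAM frame: the stream joins the backlog instead of being freed.
    pub fn on_rst_stream(&mut self, id: u32) -> Action {
        if let Some(buf) = self.unaccepted.remove(&id) {
            self.pending_reset.push(buf);
        }
        match self.max_pending_reset {
            Some(max) if self.pending_reset.len() > max => Action::GoAway,
            _ => Action::Continue,
        }
    }
    /// Accept loop catching up: frees the backlog and returns the bytes released.
    pub fn accept_drain(&mut self) -> usize {
        self.pending_reset.drain(..).map(|b| b.len()).sum()
    }
    /// Bytes still held for streams the peer has already reset.
    pub fn retained_bytes(&self) -> usize {
        self.pending_reset.iter().map(Vec::len).sum()
    }
}
/// Replays `n` HEADERS+RST_STREAM pairs with the accept loop stalled;
/// returns (frames processed before GOAWAY, bytes still retained).
pub fn replay_reset_burst(conn: &mut Conn, n: u32) -> (u32, usize) {
    for i in 0..n {
        let id = 2 * i + 1; // client-initiated stream ids are odd
        conn.on_headers(id);
        if conn.on_rst_stream(id) == Action::GoAway {
            return (i + 1, conn.retained_bytes());
        }
    }
    (n, conn.retained_bytes())
}
```

With the cap set to None the retained bytes grow linearly with the number of reset frames; with a cap the connection is closed as soon as the backlog exceeds it. In hyper 0.14.26 itself the cap is exposed on the server connection builder as http2_max_pending_accept_reset_streams; check the crate docs for the exact signature.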
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot rebase will rebase this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts