
[Security] Bump hyper from 0.14.25 to 0.14.26

Ghost User requested to merge dependabot-cargo-hyper-0.14.26 into master

Bumps hyper from 0.14.25 to 0.14.26. This update includes a security fix.

Vulnerabilities fixed

hyper and h2 vulnerable to denial of service

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in hyper v0.13.7 and h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

As of time of publication of this advisory, there is no evidence of a fix having been incorporated into hyper or h2.

Patched versions: none
Affected versions: <= 0.14.25

Release notes

Sourced from hyper's releases.

v0.14.26

Features

  • http2: add max_pending_accept_reset_streams configuration option (#3201) (a6f7571a)

New Contributors

Changelog

Sourced from hyper's changelog.

v0.14.26 (2023-04-13)

Features

  • http2: add max_pending_accept_reset_streams configuration option (#3201) (a6f7571a)
Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
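As an added example (not hyper's or h2's code), the following is a simplified model of the mitigation this release introduces: a cap on streams that the peer has reset before the server accepted them, which is the state that could otherwise stack up unbounded. The type and method names (`AcceptQueueModel`, `ConnError`, `on_rst_stream`) are constructed for the example; in hyper 0.14.26 the real knob is the server builder's `http2_max_pending_accept_reset_streams` option, and `None` models leaving it unlimited.

```rust
use std::collections::VecDeque;

/// Connection-level error the model raises when the peer resets queued
/// streams faster than the application accepts them (a real server would
/// answer with GOAWAY and close the connection).
#[derive(Debug, PartialEq)]
pub enum ConnError {
    TooManyPendingAcceptResets { pending: usize, max: usize },
}

/// Constructed model of a server connection's accept queue: each entry is a
/// stream the peer opened with HEADERS that the application has not yet
/// accepted, plus a flag recording a RST_STREAM received while it was queued.
pub struct AcceptQueueModel {
    max_pending_accept_reset: Option<usize>,
    queue: VecDeque<(u32, bool)>,
    pending_resets: usize,
}

impl AcceptQueueModel {
    pub fn new(max_pending_accept_reset: Option<usize>) -> Self {
        Self { max_pending_accept_reset, queue: VecDeque::new(), pending_resets: 0 }
    }

    /// Peer opened a stream (HEADERS frame); it now waits for the application.
    pub fn on_headers(&mut self, stream_id: u32) {
        self.queue.push_back((stream_id, false));
    }

    /// Peer reset a stream. If it is still waiting to be accepted its state
    /// cannot be freed yet, so it counts against the configured budget;
    /// resetting an already-accepted stream is an ordinary close.
    pub fn on_rst_stream(&mut self, stream_id: u32) -> Result<(), ConnError> {
        if let Some(entry) = self.queue.iter_mut().find(|(id, _)| *id == stream_id) {
            if !entry.1 {
                entry.1 = true;
                self.pending_resets += 1;
            }
        }
        match self.max_pending_accept_reset {
            Some(max) if self.pending_resets > max => {
                Err(ConnError::TooManyPendingAcceptResets { pending: self.pending_resets, max })
            }
            _ => Ok(()),
        }
    }

    /// Application accepts the next live stream; reset entries are dropped on
    /// the way, which is the point where their memory is actually released.
    pub fn accept(&mut self) -> Option<u32> {
        while let Some((id, reset)) = self.queue.pop_front() {
            if reset { self.pending_resets -= 1; } else { return Some(id); }
        }
        None
    }

    pub fn pending_resets(&self) -> usize { self.pending_resets }
}
```

Without the cap (`None`) the `pending_resets` counter grows with every reset the peer sends ahead of the application's accept loop, which is the stacking behaviour the advisory describes.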
