[Security] Bump h2 from 0.3.16 to 0.3.19
Bumps h2 from 0.3.16 to 0.3.19. This update includes a security fix.
Vulnerabilities fixed
h2 vulnerable to denial of service Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2
RST_STREAM
frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).As of time of publication of this advisory, there is no evidence of a fix having been incorporated into h2.
This issue affects users only when dealing with http2 connections.
Patched versions: 0.3.17 Affected versions: <= 0.3.16; < 0.3.17
Release notes
Sourced from h2's releases.
v0.3.19
What's Changed
- Fix counting reset streams when triggered by a GOAWAY.
- Send
too_many_resets
in opaque debug data of GOAWAY when too many resets received.New Contributors
@Herbstein
made their first contribution in hyperium/h2#673@foresterre
made their first contribution in hyperium/h2#680v0.3.18
What's Changed
- fix: pending-accept remotely-reset streams pattern was checking is_local by
@seanmonstar
in hyperium/h2#676v0.3.17
What's Changed
- Add
Error::is_library()
method to check if the originated insideh2
.- Add
max_pending_accept_reset_streams(usize)
option to client and server builders.- Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)
Changelog
Sourced from h2's changelog.
0.3.19 (May 12, 2023)
- Fix counting reset streams when triggered by a GOAWAY.
- Send
too_many_resets
in opaque debug data of GOAWAY when too many resets received.0.3.18 (April 17, 2023)
- Fix panic because of opposite check in
is_remote_local()
.0.3.17 (April 13, 2023)
- Add
Error::is_library()
method to check if the originated insideh2
.- Add
max_pending_accept_reset_streams(usize)
option to client and server builders.- Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)
Commits
-
f126229
v0.3.19 -
3d558a6
Ignore Error::GoAway in State::is_remote_reset -
7a77f93
Rename is_local_reset to is_local_error -
70eade5
Add too_many_resets debug_data to the GOAWAY we send (#678) -
b0e5470
Fix markdown code element in error::is_library -
072f7ee
Serialize debug_data when present in GOAWAY frames -
1b9f070
v0.3.18 -
1c6fa28
fix: pending-accept remotely-reset streams pattern was checking is_local -
af4bcac
v0.3.17 -
d3f37e9
feat: addmax_pending_accept_reset_streams(n)
options - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebase
will rebase this MR -
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts