[Security] Bump h2 from 0.3.16 to 0.3.20
Bumps h2 from 0.3.16 to 0.3.20. This update includes a security fix.
Vulnerabilities fixed
h2 vulnerable to denial of service Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2
RST_STREAM
frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).As of time of publication of this advisory, there is no evidence of a fix having been incorporated into h2.
This issue affects users only when dealing with http2 connections.
Patched versions: 0.3.17 Affected versions: <= 0.3.16; < 0.3.17
Release notes
Sourced from h2's releases.
v0.3.20
Bug Fixes
- Fix panic if a server received a request with a
:status
pseudo header in the 1xx range. (#695)- Fix panic if a reset stream had pending push promises that were more than allowed. (#685)
- Fix potential flow control overflow by subtraction, instead returning a connection error. (#692)
New Contributors
@f0rki
made their first contribution in hyperium/h2#690v0.3.19
What's Changed
- Fix counting reset streams when triggered by a GOAWAY.
- Send
too_many_resets
in opaque debug data of GOAWAY when too many resets received.New Contributors
@Herbstein
made their first contribution in hyperium/h2#673@foresterre
made their first contribution in hyperium/h2#680v0.3.18
What's Changed
- fix: pending-accept remotely-reset streams pattern was checking is_local by
@seanmonstar
in hyperium/h2#676v0.3.17
What's Changed
- Add
Error::is_library()
method to check if the originated insideh2
.- Add
max_pending_accept_reset_streams(usize)
option to client and server builders.- Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)
Changelog
Sourced from h2's changelog.
0.3.20 (June 26, 2023)
- Fix panic if a server received a request with a
:status
pseudo header in the 1xx range.- Fix panic if a reset stream had pending push promises that were more than allowed.
- Fix potential flow control overflow by subtraction, instead returning a connection error.
0.3.19 (May 12, 2023)
- Fix counting reset streams when triggered by a GOAWAY.
- Send
too_many_resets
in opaque debug data of GOAWAY when too many resets received.0.3.18 (April 17, 2023)
- Fix panic because of opposite check in
is_remote_local()
.0.3.17 (April 13, 2023)
- Add
Error::is_library()
method to check if the originated insideh2
.- Add
max_pending_accept_reset_streams(usize)
option to client and server builders.- Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)
Commits
-
6a75f23
v0.3.20 -
0189722
Fix for a fuzzer-discovered integer underflow of the flow control window size... -
478f7b9
Fix for invalid header panic corrected (#695) -
864430c
Enabled clippy in CI and ranclippy --fix
-
972fb6f
chore: add funding file -
97bc3e3
hammer test requires a new tokio feature -
66c36c4
fix panic on receiving invalid headers frame by making thetake_request
fun... -
04e6398
fix: panicked when a reset stream would decrement twice -
f126229
v0.3.19 -
3d558a6
Ignore Error::GoAway in State::is_remote_reset - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebase
will rebase this MR -
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts