[Security] Bump h2 from 0.3.16 to 0.3.20

Bumps h2 from 0.3.16 to 0.3.20. This update includes a security fix.

Vulnerabilities fixed

h2 vulnerable to denial of service Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

As of time of publication of this advisory, there is no evidence of a fix having been incorporated into h2.

This issue affects users only when dealing with http2 connections.

Patched versions: 0.3.17 Affected versions: <= 0.3.16; < 0.3.17

Release notes

Sourced from h2's releases.

v0.3.20

Bug Fixes

• Fix panic if a server received a request with a :status pseudo header in the 1xx range. (#695)
• Fix panic if a reset stream had pending push promises that were more than allowed. (#685)
• Fix potential flow control overflow by subtraction, instead returning a connection error. (#692)

New Contributors

• @​f0rki made their first contribution in hyperium/h2#690

v0.3.19

What's Changed

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

New Contributors

• @​Herbstein made their first contribution in hyperium/h2#673
• @​foresterre made their first contribution in hyperium/h2#680

v0.3.18

What's Changed

• fix: pending-accept remotely-reset streams pattern was checking is_local by @​seanmonstar in hyperium/h2#676

v0.3.17

What's Changed

• Add Error::is_library() method to check if the originated inside h2.
• Add max_pending_accept_reset_streams(usize) option to client and server builders.
• Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)

Changelog

Sourced from h2's changelog.

0.3.20 (June 26, 2023)

• Fix panic if a server received a request with a :status pseudo header in the 1xx range.
• Fix panic if a reset stream had pending push promises that were more than allowed.
• Fix potential flow control overflow by subtraction, instead returning a connection error.

0.3.19 (May 12, 2023)

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

0.3.18 (April 17, 2023)

• Fix panic because of opposite check in is_remote_local().

0.3.17 (April 13, 2023)

• Add Error::is_library() method to check if the originated inside h2.
• Add max_pending_accept_reset_streams(usize) option to client and server builders.
• Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)

Commits

• 6a75f23 v0.3.20
• 0189722 Fix for a fuzzer-discovered integer underflow of the flow control window size...
• 478f7b9 Fix for invalid header panic corrected (#695)
• 864430c Enabled clippy in CI and ran clippy --fix
• 972fb6f chore: add funding file
• 97bc3e3 hammer test requires a new tokio feature
• 66c36c4 fix panic on receiving invalid headers frame by making the take_request fun...
• 04e6398 fix: panicked when a reset stream would decrement twice
• f126229 v0.3.19
• 3d558a6 Ignore Error::GoAway in State::is_remote_reset
• Additional commits viewable in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot rebase will rebase this MR
• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts