Bumps hyper from 0.14.25 to 0.14.27. This update includes a security fix.
hyper and h2 vulnerable to denial of service
Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in hyper v0.13.7 and h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS). As of time of publication of this advisory, there is no evidence of a fix having been incorporated into hyper or h2.
Patched versions: none
Affected versions: <= 0.14.25
Sourced from hyper's releases.
v0.14.27
Bug Fixes
- http1:
Features
- client: include connection info in Client::send_request errors (#2749)
v0.14.26
Features
New Contributors
@Noah-Kennedy made their first contribution in hyperium/hyper#3201
Sourced from hyper's changelog.
v0.14.27 (2023-06-26)
Bug Fixes
- http1:
Features
- client: include connection info in Client::send_request errors (#2749)
v0.14.26 (2023-04-13)
Features
Commits
- d77c259 v0.14.27
- a7b2c82 chore(lib): disable log feature of tower dependency
- b107655 fix(http1): send error on Incoming body when connection errors (#3256)
- 32422c4 fix(http1): properly end chunked bodies when it was known to be empty (#3254)
- 297dc4c feat(client): include connection info in Client::send_request errors (#2749)
- 00d52e4 v0.14.26
- a6f7571 feat(http2): add max_pending_accept_reset_streams configuration option (#3201)

Dependabot commands:
- $dependabot rebase will rebase this MR
- $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
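The check a reviewer of this bump would want is whether the resolved lockfile still pins a hyper release inside the advisory's affected range (<= 0.14.25). The following is an added example, not part of this Dependabot PR and not hyper's or h2's own code: it parses the `[[package]]` tables of a Cargo.lock with the standard library only, compares each `hyper` version against the advisory's upper bound, and reports the ones that are still affected. The two lockfile excerpts are constructed for the example; an unparseable version string is deliberately reported as affected so that an odd entry gets looked at rather than silently passed.

```rust
// Added example, not part of the Dependabot PR or of hyper/h2 themselves:
// scan a Cargo.lock for every `hyper` entry and report the ones that fall in
// the advisory's affected range (<= 0.14.25). Standard library only; the two
// lockfile excerpts below are constructed for the example.

/// Upper bound of the affected range quoted in the advisory (hyper <= 0.14.25).
const AFFECTED_MAX: (u64, u64, u64) = (0, 14, 25);

/// Constructed lockfile as it might look before the bump.
const BEFORE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "h2"
version = "0.3.20"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "hyper"
version = "0.14.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "h2",
]

[[package]]
name = "tower"
version = "0.4.13"
"#;

/// Constructed lockfile after applying this PR.
const AFTER_LOCK: &str = r#"
version = 3

[[package]]
name = "hyper"
version = "0.14.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Collect (name, version) pairs from the [[package]] tables of a Cargo.lock.
fn parse_cargo_lock(text: &str) -> Vec<(String, String)> {
    let mut packages = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            // A new table starts: flush the previous one if it was complete.
            // `take()` leaves both slots empty for the next table.
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push((n, v));
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        packages.push((n, v));
    }
    packages
}

/// Versions of `hyper` in the lockfile that are at or below AFFECTED_MAX.
/// A version string that does not parse is reported too, so that an odd
/// entry is looked at rather than silently passed.
fn affected_hyper_versions(lock: &str) -> Vec<String> {
    parse_cargo_lock(lock)
        .into_iter()
        .filter(|(name, _)| name == "hyper")
        .filter(|(_, v)| parse_version(v).map_or(true, |t| t <= AFFECTED_MAX))
        .map(|(_, v)| v)
        .collect()
}

fn main() {
    for (label, lock) in [("before bump", BEFORE_LOCK), ("after bump", AFTER_LOCK)] {
        let hits = affected_hyper_versions(lock);
        if hits.is_empty() {
            println!("{label}: no hyper version in the affected range");
        } else {
            println!("{label}: affected hyper versions: {}", hits.join(", "));
        }
    }
}
```

Run it against a real Cargo.lock by reading the file into a `String` and passing it to `affected_hyper_versions`; a non-empty result means the bump has not actually taken effect in that lockfile (for example because another dependency still pins an older hyper).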