h2 vulnerable to denial of service Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

As of time of publication of this advisory, there is no evidence of a fix having been incorporated into h2.

This issue affects users only when dealing with http2 connections.

Patched versions: 0.3.17 Affected versions: <= 0.3.16; < 0.3.17

Sourced from h2's releases.

v0.3.21

What's Changed

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

New Contributors

• @​DDtKey made their first contribution in hyperium/h2#703
• @​jwilm made their first contribution in hyperium/h2#707

v0.3.20

Bug Fixes

• Fix panic if a server received a request with a :status pseudo header in the 1xx range. (#695)
• Fix panic if a reset stream had pending push promises that were more than allowed. (#685)
• Fix potential flow control overflow by subtraction, instead returning a connection error. (#692)

New Contributors

• @​f0rki made their first contribution in hyperium/h2#690

v0.3.19

What's Changed

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

New Contributors

• @​Herbstein made their first contribution in hyperium/h2#673
• @​foresterre made their first contribution in hyperium/h2#680

v0.3.18

What's Changed

• fix: pending-accept remotely-reset streams pattern was checking is_local by @​seanmonstar in hyperium/h2#676

v0.3.17

What's Changed

• Add Error::is_library() method to check if the originated inside h2.
• Add max_pending_accept_reset_streams(usize) option to client and server builders.
• Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)

Sourced from h2's changelog.

0.3.21 (August 21, 2023)

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

0.3.20 (June 26, 2023)

• Fix panic if a server received a request with a :status pseudo header in the 1xx range.
• Fix panic if a reset stream had pending push promises that were more than allowed.
• Fix potential flow control overflow by subtraction, instead returning a connection error.

0.3.19 (May 12, 2023)

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

0.3.18 (April 17, 2023)

• Fix panic because of opposite check in is_remote_local().

0.3.17 (April 13, 2023)

• Add Error::is_library() method to check if the originated inside h2.
• Add max_pending_accept_reset_streams(usize) option to client and server builders.
• Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)

• da38b1c v0.3.21
• ee04292 Fix opening new streams over max concurrent (#707)
• 9bd62a2 Test that client reacts correctly on rogue HEADERS (#667)
• da9f34b chore: fix up some clippy nags (#709)
• cdcc641 msrv: bump to 1.63 (#708)
• 633116e fix: do not ignore result of ensure_recv_open (#687)
• 46fb80b test: early server response with data (#703)
• 6a75f23 v0.3.20
• 0189722 Fix for a fuzzer-discovered integer underflow of the flow control window size...
• 478f7b9 Fix for invalid header panic corrected (#695)
• Additional commits viewable in compare view

• $dependabot rebase will rebase this MR
• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts