[Security] Bump h2 from 0.3.16 to 0.3.22

Bumps h2 from 0.3.16 to 0.3.22. This update includes a security fix.

Vulnerabilities fixed

h2 vulnerable to denial of service Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

As of time of publication of this advisory, there is no evidence of a fix having been incorporated into h2.

This issue affects users only when dealing with http2 connections.

Patched versions: 0.3.17 Affected versions: <= 0.3.16; < 0.3.17

Release notes

Sourced from h2's releases.

v0.3.22

What's Changed

• Add header_table_size(usize) option to client and server builders.
• Improve throughput when vectored IO is not available.
• Update indexmap to 2.

New Contributors

• @​tottoto made their first contribution in hyperium/h2#714
• @​xiaoyawei made their first contribution in hyperium/h2#712
• @​Protryon made their first contribution in hyperium/h2#719
• @​4JX made their first contribution in hyperium/h2#638
• @​vuittont60 made their first contribution in hyperium/h2#724

v0.3.21

What's Changed

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

New Contributors

• @​DDtKey made their first contribution in hyperium/h2#703
• @​jwilm made their first contribution in hyperium/h2#707

v0.3.20

Bug Fixes

• Fix panic if a server received a request with a :status pseudo header in the 1xx range. (#695)
• Fix panic if a reset stream had pending push promises that were more than allowed. (#685)
• Fix potential flow control overflow by subtraction, instead returning a connection error. (#692)

New Contributors

• @​f0rki made their first contribution in hyperium/h2#690

v0.3.19

What's Changed

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

New Contributors

• @​Herbstein made their first contribution in hyperium/h2#673
• @​foresterre made their first contribution in hyperium/h2#680

v0.3.18

What's Changed

• fix: pending-accept remotely-reset streams pattern was checking is_local by @​seanmonstar in hyperium/h2#676

v0.3.17

What's Changed

• Add Error::is_library() method to check if the originated inside h2.
• Add max_pending_accept_reset_streams(usize) option to client and server

... (truncated)

Changelog

Sourced from h2's changelog.

0.3.22 (November 15, 2023)

• Add header_table_size(usize) option to client and server builders.
• Improve throughput when vectored IO is not available.
• Update indexmap to 2.

0.3.21 (August 21, 2023)

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

0.3.20 (June 26, 2023)

• Fix panic if a server received a request with a :status pseudo header in the 1xx range.
• Fix panic if a reset stream had pending push promises that were more than allowed.
• Fix potential flow control overflow by subtraction, instead returning a connection error.

0.3.19 (May 12, 2023)

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

0.3.18 (April 17, 2023)

• Fix panic because of opposite check in is_remote_local().

0.3.17 (April 13, 2023)

• Add Error::is_library() method to check if the originated inside h2.
• Add max_pending_accept_reset_streams(usize) option to client and server builders.
• Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)

Commits

• 0f412d8 v0.3.22
• c7ca62f docs: fix typos (#724)
• ef743ec Add a setter for header_table_size (#638)
• 56651e6 fix lint about unused import
• 4aa7b16 Fix documentation for max_send_buffer_size (#718)
• d03c54a chore(dependencies): update tracing minimal version to 0.1.35
• 3cdef96 fix(test): mark h2-support as private crate
• 05cf352 chore(ci): add minimal versions checking on stable rust
• cbe7744 chore(ci): update to actions/checkout@v4 (#716)
• 1f247de Update indexmap to version 2 (#698)
• Additional commits viewable in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot rebase will rebase this MR
• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts