
[Security] Bump hyper from 0.14.25 to 0.14.28

Ghost User requested to merge dependabot-cargo-hyper-0.14.28 into master

Bumps hyper from 0.14.25 to 0.14.28. This update includes a security fix.

Vulnerabilities fixed

hyper and h2 vulnerable to denial of service

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in hyper v0.13.7 and h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

As of time of publication of this advisory, there is no evidence of a fix having been incorporated into hyper or h2.

Patched versions: none
Affected versions: <= 0.14.25

Release notes

Sourced from hyper's releases.

v0.14.28

Features

  • body: deprecate to_bytes() and aggregate() (#3466) (7f382ad6)
  • client: add conn::http1::Connection::without_shutdown() method (#3431) (ad504977)
  • server: add Builder::local_addr() (#3278) (d342c2c7)

Bug Fixes

  • client:
    • panic when pool idle timeout set to zero (#3365) (34d38008)
    • divide by zero error when DNS returns no addrs (#3355) (41eaf204)
    • Do not strip path and scheme components from URIs for HTTP/2 Extended CONNEC (45aa6249)
    • early respond from server shouldn't propagate reset error (#3274) (aac6760e, closes #2872)
  • http1:

New Contributors

v0.14.27

Bug Fixes

  • http1:

Features

  • client: include connection info in Client::send_request errors (#2749)

v0.14.26

Features

  • http2: add max_pending_accept_reset_streams configuration option (#3201) (a6f7571a)

New Contributors

Changelog

Sourced from hyper's changelog.

v0.14.28 (2023-12-18)

Bug Fixes

  • client:
    • panic when pool idle timeout set to zero (#3365) (34d38008)
    • divide by zero error when DNS returns no addrs (#3355) (41eaf204)
    • Do not strip path and scheme components from URIs for HTTP/2 Extended CONNEC (45aa6249)
    • early respond from server shouldn't propagate reset error (#3274) (aac6760e, closes #2872)
  • http1:

Features

  • body: deprecate to_bytes() and aggregate() (#3466) (7f382ad6)
  • client: add conn::http1::Connection::without_shutdown() method (#3431) (ad504977)
  • server: add Builder::local_addr() (#3278) (d342c2c7)

v0.14.27 (2023-06-26)

Bug Fixes

  • http1:

Features

  • client: include connection info in Client::send_request errors (#2749)

v0.14.26 (2023-04-13)

Features

  • http2: add max_pending_accept_reset_streams configuration option (#3201) (a6f7571a)
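The stream-stacking behaviour described in the advisory above, and the `max_pending_accept_reset_streams` option added in v0.14.26, are easier to reason about with a small model of what a server-side HTTP/2 connection has to keep around. The Rust below is an added example written for this page, not hyper's or h2's code: it uses only the standard library, and the `Conn`, `Frame`, `Accepted` names and the numbers are the example's own assumptions. It shows why a stream reset before the application has accepted it still costs memory, and how a cap on that pending-reset list turns unbounded growth into a bounded list plus a closed connection. In hyper 0.14 the corresponding real knob is the server builder's `http2_max_pending_accept_reset_streams` method (assumed from the option name on this page; check the hyper docs for the exact signature).

```rust
use std::collections::VecDeque;

/// What the application sees when it polls the connection for the next stream.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Accepted {
    /// A live request stream the handler can now serve.
    Stream(u32),
    /// A stream the peer reset before the handler got to it; surfaced so it can be discarded.
    Reset(u32),
}

/// Result of feeding one frame from the peer into the model connection.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Frame {
    Ok,
    /// Cap exceeded: the connection is closed (GOAWAY in real HTTP/2).
    GoAway,
}

/// Toy server-side HTTP/2 connection (assumption: this is a model, not hyper's state machine).
/// It tracks streams the peer opened that the application has not yet accepted, and how many
/// of those the peer already reset while they were still waiting.
pub struct Conn {
    pending_accept: VecDeque<u32>,
    pending_reset: VecDeque<u32>,
    max_pending_reset: Option<usize>,
    closed: bool,
}

impl Conn {
    /// `None` models the unbounded behaviour from the advisory; `Some(n)` models the cap.
    pub fn new(max_pending_reset: Option<usize>) -> Self {
        Conn {
            pending_accept: VecDeque::new(),
            pending_reset: VecDeque::new(),
            max_pending_reset,
            closed: false,
        }
    }

    pub fn is_closed(&self) -> bool {
        self.closed
    }

    /// Peer opened a stream (HEADERS frame); it waits until the application accepts it.
    pub fn headers(&mut self, id: u32) -> Frame {
        if self.closed {
            return Frame::GoAway;
        }
        self.pending_accept.push_back(id);
        Frame::Ok
    }

    /// Peer reset a stream (RST_STREAM). If the application never accepted it, the record is
    /// moved to the pending-reset list rather than freed: that list is the memory the
    /// advisory describes piling up, and the cap bounds it.
    pub fn rst_stream(&mut self, id: u32) -> Frame {
        if self.closed {
            return Frame::GoAway;
        }
        if let Some(pos) = self.pending_accept.iter().position(|&s| s == id) {
            self.pending_accept.remove(pos);
            self.pending_reset.push_back(id);
            if let Some(max) = self.max_pending_reset {
                if self.pending_reset.len() > max {
                    self.closed = true;
                    return Frame::GoAway;
                }
            }
        }
        // A stream already handed to the application is released by its handler instead.
        Frame::Ok
    }

    /// Application polls for the next stream. Reset streams are drained first, so a server
    /// loop that keeps accepting keeps the pending-reset list short on its own.
    pub fn accept(&mut self) -> Option<Accepted> {
        if let Some(id) = self.pending_reset.pop_front() {
            return Some(Accepted::Reset(id));
        }
        self.pending_accept.pop_front().map(Accepted::Stream)
    }

    /// Stream records held for streams the application has not yet seen.
    pub fn retained(&self) -> usize {
        self.pending_accept.len() + self.pending_reset.len()
    }
}

/// Feeds `n` open-then-reset pairs while the application is too busy to call `accept()`,
/// the frame pattern the advisory describes. Returns (frames processed, records retained,
/// connection closed).
pub fn model_reset_burst(conn: &mut Conn, n: u32) -> (u32, usize, bool) {
    let mut processed = 0;
    for i in 0..n {
        let id = 1 + 2 * i; // client-initiated stream ids are odd
        if conn.headers(id) == Frame::GoAway {
            break;
        }
        processed += 1;
        if conn.rst_stream(id) == Frame::GoAway {
            break;
        }
        processed += 1;
    }
    (processed, conn.retained(), conn.is_closed())
}

fn main() {
    let mut unbounded = Conn::new(None);
    println!("unbounded: {:?}", model_reset_burst(&mut unbounded, 1000));
    let mut capped = Conn::new(Some(20));
    println!("capped at 20: {:?}", model_reset_burst(&mut capped, 1000));
}
```

With no cap the model keeps one record per reset stream for as long as the application is stalled, which is the growth the advisory reports; with a cap of 20 the connection is closed after the 21st pending reset and holds at most 21 records. The cap is a per-connection bound, so it limits what one misbehaving peer can make the server retain rather than what many peers can do in aggregate.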

Commits
  • 98a7ab0 v0.14.28
  • 344a878 fix(http1): add internal limit for chunked extensions (#3495)
  • 5eca028 fix(http1): reject chunked headers missing a digit (#3494)
  • 7f382ad feat(body): deprecate to_bytes() and aggregate() (#3466)
  • ad50497 feat(client): add conn::http1::Connection::without_shutdown() method (#3431)
  • 4899703 chore(ci): cache rust dependency
  • e2c223a chore(ffi): revamp gen_header using cargo-expand
  • 45fef3b chore(ci): check C header file with stable rust
  • 5bddd5e chore(ci): use stable rust for building C API
  • 440f23a chore(ci): replace actions-rs with run and use taiki-e/install-action or taik...
  • Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
