[Security] Bump h2 from 0.3.16 to 0.3.25
Bumps h2 from 0.3.16 to 0.3.25. This update includes a security fix.
Vulnerabilities fixed
h2 vulnerable to denial of service
Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 `RST_STREAM` frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high, which can lead to a Denial of Service (DoS). As of the time of publication of this advisory, there is no evidence of a fix having been incorporated into h2.
This issue affects users only when dealing with http2 connections.
Patched versions: 0.3.17. Affected versions: <= 0.3.16; < 0.3.17
Release notes
Sourced from h2's releases.
v0.3.25
What's Changed
- perf: optimize header list size calculations by @Noah-Kennedy in hyperium/h2#750
Full Changelog: https://github.com/hyperium/h2/compare/v0.3.24...v0.3.25
v0.3.24
Fixed
- Limit error resets for misbehaving connections.
v0.3.23
What's Changed
- cherry-pick fix: streams awaiting capacity lockout in hyperium/h2#734
v0.3.22
What's Changed
- Add `header_table_size(usize)` option to client and server builders.
- Improve throughput when vectored IO is not available.
- Update indexmap to 2.
New Contributors
- @tottoto made their first contribution in hyperium/h2#714
- @xiaoyawei made their first contribution in hyperium/h2#712
- @Protryon made their first contribution in hyperium/h2#719
- @4JX made their first contribution in hyperium/h2#638
- @vuittont60 made their first contribution in hyperium/h2#724
v0.3.21
What's Changed
- Fix opening of new streams over peer's max concurrent limit.
- Fix `RecvStream` to return data even if it has received a `CANCEL` stream error.
- Update MSRV to 1.63.
New Contributors
- @DDtKey made their first contribution in hyperium/h2#703
- @jwilm made their first contribution in hyperium/h2#707
v0.3.20
Bug Fixes
- Fix panic if a server received a request with a `:status` pseudo header in the 1xx range. (#695)
- Fix panic if a reset stream had pending push promises that were more than allowed. (#685)
- Fix potential flow control overflow by subtraction, instead returning a connection error. (#692)
New Contributors
- @f0rki made their first contribution in hyperium/h2#690
v0.3.19
... (truncated)
Changelog
Sourced from h2's changelog.
0.3.25 (March 15, 2024)
- Improve performance decoding many headers.
0.3.24 (January 17, 2024)
- Limit error resets for misbehaving connections.
0.3.23 (January 10, 2024)
- Backport fix from 0.4.1 for stream capacity assignment.
0.3.22 (November 15, 2023)
- Add `header_table_size(usize)` option to client and server builders.
- Improve throughput when vectored IO is not available.
- Update indexmap to 2.
0.3.21 (August 21, 2023)
- Fix opening of new streams over peer's max concurrent limit.
- Fix `RecvStream` to return data even if it has received a `CANCEL` stream error.
- Update MSRV to 1.63.
0.3.20 (June 26, 2023)
- Fix panic if a server received a request with a `:status` pseudo header in the 1xx range.
- Fix panic if a reset stream had pending push promises that were more than allowed.
- Fix potential flow control overflow by subtraction, instead returning a connection error.
0.3.19 (May 12, 2023)
- Fix counting reset streams when triggered by a GOAWAY.
- Send `too_many_resets` in opaque debug data of GOAWAY when too many resets received.
0.3.18 (April 17, 2023)
- Fix panic because of opposite check in `is_remote_local()`.
0.3.17 (April 13, 2023)
- Add `Error::is_library()` method to check if the error originated inside `h2`.
- Add `max_pending_accept_reset_streams(usize)` option to client and server builders.
- Fix theoretical memory growth when receiving too many HEADERS and then RST_STREAM frames faster than an application can accept them off the queue. (CVE-2023-26964)
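The stacking pattern the advisory describes (HEADERS followed by RST_STREAM faster than the application drains them) and the bound 0.3.17 added via `max_pending_accept_reset_streams`, with the `too_many_resets` GOAWAY from 0.3.19, as an added illustrative Rust model. This is not h2's code: the `RecvState`, `Frame` and `Action` types and the queue layout are constructed for the example.

```rust
// Added illustrative model (not h2's code) of the bound behind the CVE-2023-26964 fix.
use std::collections::VecDeque;
#[derive(Debug, PartialEq)]
pub enum Frame { Headers(u32), RstStream(u32) }
#[derive(Debug, PartialEq)]
pub enum Action { Queued, GoAway(&'static str), Ignored }

pub struct RecvState {
    pending_accept: VecDeque<u32>, // HEADERS seen, stream not yet handed to the application
    pending_reset: VecDeque<u32>,  // reset before accept; still holds memory until drained
    max_pending_accept_reset: usize, // models h2's max_pending_accept_reset_streams(usize)
    pub closed: bool,
}

impl RecvState {
    pub fn new(max_pending_accept_reset: usize) -> Self {
        RecvState { pending_accept: VecDeque::new(), pending_reset: VecDeque::new(),
                    max_pending_accept_reset, closed: false }
    }
    /// Connection side: process one inbound frame from the peer.
    pub fn recv(&mut self, frame: Frame) -> Action {
        if self.closed { return Action::Ignored; }
        match frame {
            Frame::Headers(id) => { self.pending_accept.push_back(id); Action::Queued }
            Frame::RstStream(id) => {
                let pos = match self.pending_accept.iter().position(|&s| s == id) {
                    Some(p) => p,
                    None => return Action::Ignored, // already accepted or unknown stream
                };
                self.pending_accept.remove(pos);
                // The fix: refuse to stack more reset-before-accept streams than the
                // bound allows; h2 >= 0.3.19 puts `too_many_resets` in the GOAWAY debug data.
                if self.pending_reset.len() >= self.max_pending_accept_reset {
                    self.closed = true;
                    return Action::GoAway("too_many_resets");
                }
                self.pending_reset.push_back(id);
                Action::Queued
            }
        }
    }
    /// Application side: take the next stream; a stream reset before the application
    /// reached it is released here (its memory freed) and yields None.
    pub fn accept(&mut self) -> Option<u32> {
        if self.pending_reset.pop_front().is_some() { return None; }
        self.pending_accept.pop_front()
    }
    pub fn pending_reset_count(&self) -> usize { self.pending_reset.len() }
}
```

Without the bound, every reset-before-accept stream stays queued until the application catches up, which is the memory growth the advisory describes.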
Commits
- 3a79832 v0.3.25
- 94e80b1 perf: optimize header list size calculations (#750)
- 7243ab5 Prepare v0.3.24
- d919cd6 streams: limit error resets for misbehaving connections
- a7eb14a v0.3.23
- b668c7f fix: streams awaiting capacity lockout (#730) (#734)
- 0f412d8 v0.3.22
- c7ca62f docs: fix typos (#724)
- ef743ec Add a setter for header_table_size (#638)
- 56651e6 fix lint about unused import
- Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- `$dependabot rebase` will rebase this MR
- `$dependabot recreate` will recreate this MR, rewriting all the manual changes and resolving conflicts