@stackable-bot
Contributor

This PR contains the following updates:

Package  Type          Update  Change
h2       dependencies  patch   =0.3.7 -> =0.3.18

GitHub Vulnerability Alerts

CVE-2023-26964

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

This issue affects users only when dealing with http2 connections.


Release Notes

hyperium/h2

v0.3.18

  • Fix panic because of opposite check in is_remote_local().

v0.3.17

  • Add Error::is_library() method to check if the error originated inside h2.
  • Add max_pending_accept_reset_streams(usize) option to client and server
    builders.
  • Fix theoretical memory growth when receiving too many HEADERS and then
    RST_STREAM frames faster than an application can accept them off the queue.
    (CVE-2023-26964)

v0.3.16

  • Set Protocol extension on requests when received Extended CONNECT requests.
  • Remove B: Unpin + 'static bound requirement of bufs.
  • Fix releasing of frames when stream is finished, reducing memory usage.
  • Fix panic when trying to send data and connection window is available, but stream window is not.
  • Fix spurious wakeups when stream capacity is not available.

v0.3.15

  • Remove B: Buf bound on SendStream's parameter
  • Add accessor for StreamId u32.

v0.3.14

  • Add Error::is_reset function.
  • Bump MSRV to Rust 1.56.
  • Return RST_STREAM(NO_ERROR) when the server early responds.

v0.3.13

  • Update private internal tokio-util dependency.

v0.3.12

  • Avoid time operations that can panic (#599)
  • Bump MSRV to Rust 1.49 (#606)
  • Fix header decoding error when a header name is contained at a continuation
    header boundary (#589)
  • Remove I/O type names from handshake tracing spans (#608)

v0.3.11

  • Make SendStream::poll_capacity never return Ok(Some(0)) (#596)
  • Fix panic when receiving already reset push promise (#597)

v0.3.10

  • Add Error::is_go_away() and Error::is_remote() methods.
  • Fix panic if receiving malformed PUSH_PROMISE with stream ID of 0.

v0.3.9

  • Fix hang related to new max_send_buffer_size.

v0.3.8

  • Add "extended CONNECT support". Adds h2::ext::Protocol, which is used for request and response extensions to connect new protocols over an HTTP/2 stream.
  • Add max_send_buffer_size options to client and server builders, and a default of ~400MB. This acts like a high-water mark for the poll_capacity() method.
  • Fix panic if receiving malformed HEADERS with stream ID of 0.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.
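A simplified model of the pending-accept reset cap that the v0.3.17 notes above describe (the max_pending_accept_reset_streams option added for CVE-2023-26964), added here as an example rather than taken from h2 or this repository. It assumes one server connection whose application accepts streams in order; the frame types and stream ids are constructed, and the GOAWAY reason code h2 uses is an assumption, not stated on this page.

```rust
use std::collections::VecDeque;
/// Constructed subset of HTTP/2 frames: only the stream id matters here.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Frame { Headers(u32), RstStream(u32) }

#[derive(Debug, PartialEq)]
pub enum Outcome { Ok, GoAway }
/// One server connection: streams the peer opened that the application
/// has not accepted yet, and how many of those the peer already reset.
pub struct Conn {
    pending_accept: VecDeque<(u32, bool)>, // (stream id, reset before accept?)
    pending_reset: usize,
    max_pending_reset: usize, // models the max_pending_accept_reset_streams option
}

impl Conn {
    pub fn new(max: usize) -> Self {
        Conn { pending_accept: VecDeque::new(), pending_reset: 0, max_pending_reset: max }
    }

    /// Process one peer frame. A RST_STREAM for a not-yet-accepted stream is
    /// legitimate, but an unbounded backlog of them is the CVE-2023-26964
    /// growth, so they are counted and the connection is torn down once the
    /// cap is exceeded (h2 sends GOAWAY; the exact reason code is assumed).
    pub fn recv(&mut self, frame: Frame) -> Outcome {
        match frame {
            Frame::Headers(id) => { self.pending_accept.push_back((id, false)); Outcome::Ok }
            Frame::RstStream(id) => {
                // Only the first reset of a still-pending stream counts; resets
                // for unknown or already-reset streams are ignored.
                if let Some(e) = self.pending_accept.iter_mut().find(|e| e.0 == id && !e.1) {
                    e.1 = true;
                    self.pending_reset += 1;
                    if self.pending_reset > self.max_pending_reset { return Outcome::GoAway; }
                }
                Outcome::Ok
            }
        }
    }

    /// The application accepts the oldest stream; accepting one that was
    /// already reset drains it from the counted backlog.
    pub fn accept(&mut self) -> Option<(u32, bool)> {
        let e = self.pending_accept.pop_front()?;
        if e.1 { self.pending_reset -= 1; }
        Some(e)
    }
    pub fn pending_reset(&self) -> usize { self.pending_reset }
}
```

Before the fix the reset-before-accept backlog had no bound, which is the memory growth the advisory describes; the cap turns a flood into a single connection close.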

@stackable-bot stackable-bot added the dependencies Pull requests that update a dependency file label Apr 19, 2023
@stackable-bot stackable-bot requested a review from a team April 19, 2023 12:27
lfrancke previously approved these changes Apr 19, 2023
@lfrancke lfrancke dismissed their stale review April 19, 2023 12:38

I missed the comment that says it needs to be in sync with some patched build

@lfrancke
Member

@nightkr can you take a look at this please?

@nightkr
Contributor

nightkr commented Apr 19, 2023

Sure

@nightkr nightkr self-assigned this Apr 19, 2023
bors bot pushed a commit that referenced this pull request Apr 19, 2023
# Description

Depends on stackabletech/h2#2. Replaces #67. Should also be replicated in secret-op once merged.
@nightkr
Contributor

nightkr commented Apr 19, 2023

Covered by #69

@nightkr nightkr closed this Apr 19, 2023
@stackable-bot stackable-bot deleted the renovate/crate-h2-vulnerability branch December 13, 2023 20:47