This PR contains the following updates:

| Package | Change |
| --- | --- |
| [h2](https://togithub.com/hyperium/h2) | `=0.3.18` -> `=0.3.26` |
### GitHub Vulnerability Alerts

#### GHSA-8r5v-vm4m-4g25

An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the generation of reset frames on the victim endpoint. By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion, resulting in Out Of Memory (OOM) and high CPU usage.

This is fixed in hyperium/h2#737, which limits the total number of internal error resets emitted by default before the connection is closed.

#### GHSA-q6cp-qfwq-4gcv

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage. Tokio's task budget helps keep this from becoming a complete denial of service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.
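As an added illustration (not part of this PR or of the h2 project), a small Python check that reads a Cargo.lock and reports which of the two advisories above each pinned h2 version is still exposed to. The 0.3.x fixed versions (0.3.24 for the reset flood, 0.3.26 for the CONTINUATION flood) follow the release notes in this PR; the 0.4.x values (0.4.2 and 0.4.4) are assumed from the upstream h2 changelog and are not stated on this page, and the lockfile content is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Cargo.lock (not from the PR): hyper pulling in a vulnerable h2.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "h2"
version = "0.3.18"

[[package]]
name = "hyper"
version = "0.14.28"
dependencies = ["h2"]
"""

# First fixed release per advisory and minor series. The 0.3.x entries come from
# this PR's release notes; the 0.4.x entries are assumed from the upstream h2
# changelog and are not stated on this page.
FIXED = {
    "GHSA-8r5v-vm4m-4g25": {(0, 3): (0, 3, 24), (0, 4): (0, 4, 2)},  # error-reset flood
    "GHSA-q6cp-qfwq-4gcv": {(0, 3): (0, 3, 26), (0, 4): (0, 4, 4)},  # CONTINUATION flood
}

def parse_versions(lockfile: str, crate: str) -> List[Tuple[int, int, int]]:
    """Every version of `crate` pinned in a Cargo.lock; pre-release tags are dropped."""
    found = []
    for block in lockfile.split("[[package]]"):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "(\d+)\.(\d+)\.(\d+)', block, re.M)
        if name and ver and name.group(1) == crate:
            found.append(tuple(int(p) for p in ver.groups()))
    return found

def affected_advisories(version: Tuple[int, int, int]) -> List[str]:
    """Advisories this h2 version is still exposed to; unknown series need manual review."""
    series, hits = version[:2], []
    for ghsa, fixed in FIXED.items():
        if series not in fixed:
            hits.append(f"{ghsa} (series {series[0]}.{series[1]}.x not in table, review manually)")
        elif version < fixed[series]:
            hits.append(ghsa)
    return hits

def audit(lockfile: str) -> Dict[str, List[str]]:
    """Map each pinned h2 version string to the advisories it is still affected by."""
    return {".".join(map(str, v)): affected_advisories(v) for v in parse_versions(lockfile, "h2")}
```

Running `audit(SAMPLE_CARGO_LOCK)` on the constructed lockfile flags 0.3.18 for both advisories; a lockfile pinned at 0.3.26, the version this PR moves to, reports no hits.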
### Release Notes

hyperium/h2 (h2)

### [`v0.3.26`](https://togithub.com/hyperium/h2/releases/tag/v0.3.26)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.25...v0.3.26)

##### What's Changed

- Limit number of CONTINUATION frames for misbehaving connections.
  See https://seanmonstar.com/blog/hyper-http2-continuation-flood/ for more info.

### [`v0.3.25`](https://togithub.com/hyperium/h2/releases/tag/v0.3.25)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.24...v0.3.25)

##### What's Changed

- perf: optimize header list size calculations by [@Noah-Kennedy](https://togithub.com/Noah-Kennedy) in [https://github.com/hyperium/h2/pull/750](https://togithub.com/hyperium/h2/pull/750)

**Full Changelog**: https://github.com/hyperium/h2/compare/v0.3.24...v0.3.25

### [`v0.3.24`](https://togithub.com/hyperium/h2/releases/tag/v0.3.24)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.23...v0.3.24)

##### Fixed

- Limit error resets for misbehaving connections.

### [`v0.3.23`](https://togithub.com/hyperium/h2/releases/tag/v0.3.23)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.22...v0.3.23)

##### What's Changed

- cherry-pick fix: streams awaiting capacity lockout in [https://github.com/hyperium/h2/pull/734](https://togithub.com/hyperium/h2/pull/734)

### [`v0.3.22`](https://togithub.com/hyperium/h2/blob/HEAD/CHANGELOG.md#0322-November-15-2023)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.21...v0.3.22)

- Add `header_table_size(usize)` option to client and server builders.
- Improve throughput when vectored IO is not available.
- Update indexmap to 2.

### [`v0.3.21`](https://togithub.com/hyperium/h2/blob/HEAD/CHANGELOG.md#0321-August-21-2023)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.20...v0.3.21)

- Fix opening of new streams over peer's max concurrent limit.
- Fix `RecvStream` to return data even if it has received a `CANCEL` stream error.
- Update MSRV to 1.63.

### [`v0.3.20`](https://togithub.com/hyperium/h2/blob/HEAD/CHANGELOG.md#0320-June-26-2023)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.19...v0.3.20)

- Fix panic if a server received a request with a `:status` pseudo header in the 1xx range.
- Fix panic if a reset stream had pending push promises that were more than allowed.
- Fix potential flow control overflow by subtraction, instead returning a connection error.

### [`v0.3.19`](https://togithub.com/hyperium/h2/blob/HEAD/CHANGELOG.md#0319-May-12-2023)

[Compare Source](https://togithub.com/hyperium/h2/compare/v0.3.18...v0.3.19)

- Fix counting reset streams when triggered by a GOAWAY.
- Send `too_many_resets` in opaque debug data of GOAWAY when too many resets received.

### Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.