fix: upgrade h2 to 0.3.24 to fix RUSTSEC-2024-0003
ID: RUSTSEC-2024-0003
Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0003
An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
generation of reset frames on the victim endpoint.
By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
resulting in Out Of Memory (OOM) and high CPU usage.

This fix is corrected in [hyperium/h2#737](hyperium/h2#737), which limits the total number of
internal error resets emitted by default before the connection is closed.

Signed-off-by: Yadong Ding <[email protected]>
Desiki-high authored and imeoer committed Jan 18, 2024
1 parent eae9ed7 commit 5f26f8e
Showing 1 changed file with 20 additions and 4 deletions.
24 changes: 20 additions & 4 deletions Cargo.lock

