Update http to v0.1.21 #412

Merged
merged 2 commits into from
Jan 23, 2020

@olix0r olix0r commented Jan 23, 2020

Fixes two potential Denial-of-Service issues:

    ID:       RUSTSEC-2019-0033
    Crate:    http
    Version:  0.1.16
    Date:     2019-11-16
    URL:      https://rustsec.org/advisories/RUSTSEC-2019-0033
    Title:    Integer Overflow in HeaderMap::reserve() can cause Denial of Service
    Solution:  upgrade to >= 0.1.20

    ID:       RUSTSEC-2019-0034
    Crate:    http
    Version:  0.1.16
    Date:     2019-11-16
    URL:      https://rustsec.org/advisories/RUSTSEC-2019-0034
    Title:    HeaderMap::Drain API is unsound
    Solution:  upgrade to >= 0.1.20
@olix0r olix0r requested a review from a team January 23, 2020 16:16
@olix0r olix0r requested a review from a team January 23, 2020 17:31
@olix0r olix0r merged commit eb49e69 into master Jan 23, 2020
@olix0r olix0r deleted the ver/http-bump branch January 23, 2020 18:33
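
A lockfile check against the fix version both advisories give (`>= 0.1.20`), as an added example that is not part of this pull request or the linkerd2-proxy code base. The function names and the sample lockfile are constructed here, and the parser assumes plain `MAJOR.MINOR.PATCH` versions in `[[package]]` tables with `name` listed before `version`.

```rust
// Added example: flag locked `http` versions older than the advisories' fix.
const FIXED: (u64, u64, u64) = (0, 1, 20); // page: "upgrade to >= 0.1.20"

// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release/build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let ver = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(ver) }
}

// Extract the quoted value from a `key = "value"` lockfile line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

// Every locked `http` version below FIXED; unparseable versions fail closed.
fn vulnerable_http_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = None;
    for line in lockfile.lines() {
        if line.trim() == "[[package]]" {
            name = None; // new package table: forget the previous name
        } else if let Some(n) = field(line, "name") {
            name = Some(n);
        } else if let Some(v) = field(line, "version") {
            if name == Some("http") && parse_version(v).map_or(true, |p| p < FIXED) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

// Constructed sample (not the project's Cargo.lock); a lockfile can pin two `http` versions.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "http"
version = "0.1.16"
[[package]]
name = "http"
version = "0.1.21"
[[package]]
name = "http-body"
version = "0.1.0"
"#;

fn main() {
    println!("vulnerable http versions: {:?}", vulnerable_http_versions(SAMPLE_LOCK));
}
```
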
olix0r added a commit to linkerd/linkerd2 that referenced this pull request Feb 4, 2020
This release fixes a bug in the proxy's logging subsystem that could
cause the proxy to consume memory until the process is OOMKilled,
especially when the proxy was configured to log diagnostic information.

The proxy also now properly emits `grpc-status` headers when signaling
proxy errors to gRPC clients.

This release upgrades the proxy's Rust version, the `http` crate
dependency to address RUSTSEC-2019-0033 and RUSTSEC-2019-0034, and the
`prost` crate dependency has been patched to address RUSTSEC-2020-02.

---

* internal: Introduce a locking middleware (linkerd/linkerd2-proxy#408)
* Update to Rust 1.40 with new Cargo.lock format (linkerd/linkerd2-proxy#410)
* Update http to v0.1.21 (linkerd/linkerd2-proxy#412)
* internal: Split retry, http-classify, and http-metrics (linkerd/linkerd2-proxy#409)
* Actually update http to v0.1.21 (linkerd/linkerd2-proxy#413)
* patch `prost` 0.5 to pick up security fix (linkerd/linkerd2-proxy#414)
* metrics: Make Counter & Gauge atomic (linkerd/linkerd2-proxy#415)
* Set grpc-status headers on dispatch errors (linkerd/linkerd2-proxy#416)
* trace: update `tracing-subscriber` to 0.2.0-alpha.4 (linkerd/linkerd2-proxy#418)
* discover: Warn on discovery error (linkerd/linkerd2-proxy#422)
* router: Avoid large up-front allocations (linkerd/linkerd2-proxy#421)
* errors: Set correct HTTP version on responses (linkerd/linkerd2-proxy#424)
* app: initialize tracing prior to parsing env vars (linkerd/linkerd2-proxy#425)
* trace: update tracing-subscriber to 0.2.0-alpha.6 (linkerd/linkerd2-proxy#423)
adleong pushed a commit to linkerd/linkerd2 that referenced this pull request Feb 4, 2020