I am not sure if this issue affects Tectonic in practice. We only use hyper as a server in the test suite, where the version requirement in the toplevel Cargo.toml is only for version 0.12 (which still lacks this HTTP/2 max_header_list_size parameter).
We use hyper as a client in the main program through the reqwest library; the current version in the lockfile is 0.14.23, which contains the new API associated with this report. I don't know if reqwest does anything with this API. Based on the discussion in hyperium/hyper#2826, it sounds as if Tectonic's current behavior should not pose any problems.
That being said, it would not hurt to update the hyper dependency in the test suite to stay in sync with newer versions and potentially avoid some automated security reports.
Well, I want to make sure that we are on top of any security concerns even if they're formalities. Please let me know if we can take any steps to keep things tidy here.
Source: https://bugzilla.opensuse.org/show_bug.cgi?id=1208561
Related bugzilla report: https://bugzilla.opensuse.org/show_bug.cgi?id=1208551