chore(deps): update rust crate h2 to v0.3.26 [security]

[stackable-bot]

This PR contains the following updates:

Package	Type	Update	Change
h2	dependencies	patch	=0.3.18 -> =0.3.26
h2	workspace.dependencies	patch	=0.3.18 -> =0.3.26

GitHub Vulnerability Alerts

GHSA-8r5v-vm4m-4g25

An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
generation of reset frames on the victim endpoint.
By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
resulting in Out Of Memory (OOM) and high CPU usage.

This fix is corrected in hyperium/h2#737, which limits the total number of
internal error resets emitted by default before the connection is closed.

GHSA-q6cp-qfwq-4gcv

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.

---

Release Notes

hyperium/h2 (h2)

v0.3.26

Compare Source

What's Changed

• Limit number of CONTINUATION frames for misbehaving connections.

See https://seanmonstar.com/blog/hyper-http2-continuation-flood/ for more info.

v0.3.25

Compare Source

What's Changed

• perf: optimize header list size calculations by @​Noah-Kennedy in https://github.com/hyperium/h2/pull/750

Full Changelog: hyperium/h2@v0.3.24...v0.3.25

v0.3.24

Compare Source

Fixed

• Limit error resets for misbehaving connections.

v0.3.23

Compare Source

What's Changed

• cherry-pick fix: streams awaiting capacity lockout in https://github.com/hyperium/h2/pull/734

v0.3.22

Compare Source

• Add header_table_size(usize) option to client and server builders.
• Improve throughput when vectored IO is not available.
• Update indexmap to 2.

v0.3.21

Compare Source

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

v0.3.20

Compare Source

• Fix panic if a server received a request with a :status pseudo header in the 1xx range.
• Fix panic if a reset stream had pending push promises that were more than allowed.
• Fix potential flow control overflow by subtraction, instead returning a connection error.

v0.3.19

Compare Source

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nightkr]

Depends on stackabletech/h2#3

[lfrancke]

@nightkr This now has conflicts

[nightkr]

The conflict should be sorted out, and this should now be R4R. Tests pass against K8s 1.25.16.

[NickLarsenNZ]

LGTM