chore(deps): update rust crate h2 to v0.3.18 [security] - abandoned - autoclosed #268

Closed
wants to merge 1 commit into from

Conversation

stackable-bot
Contributor

This PR contains the following updates:

Package Type Update Change
h2 dependencies patch =0.3.7 -> =0.3.18

GitHub Vulnerability Alerts

CVE-2023-26964

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. Both packages incorrectly process the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

This issue affects users only when dealing with http2 connections.


Release Notes

hyperium/h2

v0.3.18

Compare Source

  • Fix panic because of opposite check in is_remote_local().

v0.3.17

Compare Source

  • Add Error::is_library() method to check if the error originated inside h2.
  • Add max_pending_accept_reset_streams(usize) option to client and server
    builders.
  • Fix theoretical memory growth when receiving too many HEADERS and then
    RST_STREAM frames faster than an application can accept them off the queue.
    (CVE-2023-26964)

v0.3.16

Compare Source

  • Set Protocol extension on requests when received Extended CONNECT requests.
  • Remove B: Unpin + 'static bound requirement of bufs
  • Fix releasing of frames when stream is finished, reducing memory usage.
  • Fix panic when trying to send data and connection window is available, but stream window is not.
  • Fix spurious wakeups when stream capacity is not available.

v0.3.15

Compare Source

  • Remove B: Buf bound on SendStream's parameter
  • add accessor for StreamId u32

v0.3.14

Compare Source

  • Add Error::is_reset function.
  • Bump MSRV to Rust 1.56.
  • Return RST_STREAM(NO_ERROR) when the server early responds.

v0.3.13

Compare Source

  • Update private internal tokio-util dependency.

v0.3.12

Compare Source

  • Avoid time operations that can panic (#599)
  • Bump MSRV to Rust 1.49 (#606)
  • Fix header decoding error when a header name is contained at a continuation
    header boundary (#589)
  • Remove I/O type names from handshake tracing spans (#608)

v0.3.11

Compare Source

  • Make SendStream::poll_capacity never return Ok(Some(0)) (#596)
  • Fix panic when receiving already reset push promise (#597)

v0.3.10

Compare Source

  • Add Error::is_go_away() and Error::is_remote() methods.
  • Fix panic if receiving malformed PUSH_PROMISE with stream ID of 0.

v0.3.9

Compare Source

  • Fix hang related to new max_send_buffer_size.

v0.3.8

Compare Source

  • Add "extended CONNECT support". Adds h2::ext::Protocol, which is used for request and response extensions to connect new protocols over an HTTP/2 stream.
  • Add max_send_buffer_size options to client and server builders, and a default of ~400MB. This acts like a high-water mark for the poll_capacity() method.
  • Fix panic if receiving malformed HEADERS with stream ID of 0.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
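The condition described in the CVE-2023-26964 text and the v0.3.17 fix note above, as an added example that is not part of this PR and not h2's own code. It is a self-contained Rust model of the server side of an HTTP/2 connection: a HEADERS frame puts a stream on the accept queue, a RST_STREAM that arrives before the application has accepted that stream cannot release it (the application still has to pull it off the queue), and the v0.3.17 option max_pending_accept_reset_streams(n) fails the connection once more than n such reset-but-unaccepted streams are queued. The struct, method and error names, the GOAWAY reason (ENHANCE_YOUR_CALM is an assumption) and the attack trace are all constructed for illustration.

```rust
// Added model of "stream stacking" (CVE-2023-26964) and of the bounded
// pending-accept-reset counter introduced in h2 0.3.17. Written for this page;
// not h2's code. All names below are assumptions made for illustration.
use std::collections::{HashMap, VecDeque};

/// State of one stream as tracked by the server side of the connection.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum StreamState {
    /// HEADERS received; the stream is waiting for the application to accept it.
    PendingAccept,
    /// The peer sent RST_STREAM before the application accepted the stream.
    ResetBeforeAccept,
}

/// Connection-level failure: the server sends GOAWAY and closes.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ConnError {
    /// Assumed GOAWAY reason used when the pending-reset limit is exceeded.
    EnhanceYourCalm,
}

pub struct Connection {
    /// Every stream the connection still holds memory for.
    streams: HashMap<u32, StreamState>,
    /// Stream IDs queued for the application, in arrival order.
    accept_queue: VecDeque<u32>,
    /// How many queued streams the peer has already reset.
    pending_accept_reset: usize,
    /// None models h2 before 0.3.17 (no bound);
    /// Some(n) models max_pending_accept_reset_streams(n).
    max_pending_accept_reset: Option<usize>,
}

impl Connection {
    pub fn new(max_pending_accept_reset: Option<usize>) -> Self {
        Connection {
            streams: HashMap::new(),
            accept_queue: VecDeque::new(),
            pending_accept_reset: 0,
            max_pending_accept_reset,
        }
    }

    /// Peer opened a stream with a HEADERS frame.
    pub fn recv_headers(&mut self, id: u32) {
        self.streams.insert(id, StreamState::PendingAccept);
        self.accept_queue.push_back(id);
    }

    /// Peer sent RST_STREAM. A stream the application has not accepted yet
    /// cannot be freed here: it stays queued until accept() drains it, so
    /// without a bound the peer decides how much the server retains.
    pub fn recv_rst_stream(&mut self, id: u32) -> Result<(), ConnError> {
        if self.streams.get(&id).copied() == Some(StreamState::PendingAccept) {
            self.streams.insert(id, StreamState::ResetBeforeAccept);
            self.pending_accept_reset += 1;
            if let Some(max) = self.max_pending_accept_reset {
                if self.pending_accept_reset > max {
                    return Err(ConnError::EnhanceYourCalm);
                }
            }
        }
        // Already reset or unknown stream: nothing further to retain.
        Ok(())
    }

    /// Application takes the next stream off the queue. A stream reset before
    /// acceptance is dropped right here and its memory released; a live stream
    /// stays in `streams` because the application now owns it.
    pub fn accept(&mut self) -> Option<u32> {
        let id = self.accept_queue.pop_front()?;
        if self.streams.get(&id) == Some(&StreamState::ResetBeforeAccept) {
            self.streams.remove(&id);
            self.pending_accept_reset -= 1;
        }
        Some(id)
    }

    pub fn streams_held(&self) -> usize {
        self.streams.len()
    }
}

/// Constructed attack trace: HEADERS immediately followed by RST_STREAM on
/// `attempts` client-initiated (odd) stream IDs while the application never
/// calls accept(). Returns how many streams the server still holds when the
/// loop ends and whether the connection survived.
pub fn stacking_attack(limit: Option<usize>, attempts: u32) -> (usize, Result<(), ConnError>) {
    let mut conn = Connection::new(limit);
    for i in 0..attempts {
        let id = 2 * i + 1;
        conn.recv_headers(id);
        if let Err(e) = conn.recv_rst_stream(id) {
            return (conn.streams_held(), Err(e));
        }
    }
    (conn.streams_held(), Ok(()))
}

/// Same traffic against the bounded server, but the application drains the
/// queue every `accept_every` streams. Stays healthy only while the drain
/// interval does not exceed the limit.
pub fn with_accepting_app(limit: usize, attempts: u32, accept_every: u32) -> Result<usize, ConnError> {
    let mut conn = Connection::new(Some(limit));
    for i in 0..attempts {
        let id = 2 * i + 1;
        conn.recv_headers(id);
        conn.recv_rst_stream(id)?;
        if (i + 1) % accept_every == 0 {
            while conn.accept().is_some() {}
        }
    }
    Ok(conn.streams_held())
}

fn main() {
    let (held, res) = stacking_attack(None, 10_000);
    println!("unbounded: {} streams retained, connection {:?}", held, res);
    let (held, res) = stacking_attack(Some(20), 10_000);
    println!("bounded at 20: {} streams retained, connection {:?}", held, res);
}
```

In the unbounded model every one of the 10,000 reset streams is still held; with the bound set to 20 the connection is torn down at the 21st pending reset, which is the behaviour the v0.3.17 note describes for max_pending_accept_reset_streams. On a real deployment the knob is set on the h2 server or client Builder before the handshake, and the Cargo.lock bump in this PR is what pulls the fixed crate in; note that an exact pin such as the =0.3.7 shown in the change column does not move on a plain cargo update, so the pin itself has to be edited, which is what this PR does.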

@stackable-bot stackable-bot added the label dependencies (Pull requests that update a dependency file) Apr 19, 2023
@stackable-bot stackable-bot requested a review from a team April 19, 2023 12:27
bors bot pushed a commit that referenced this pull request Apr 19, 2023
bors bot pushed a commit that referenced this pull request Apr 20, 2023
@stackable-bot stackable-bot changed the title chore(deps): update rust crate h2 to v0.3.18 [security] chore(deps): update rust crate h2 to v0.3.18 [security] - abandoned Jul 26, 2023
@stackable-bot
Contributor Author

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@stackable-bot stackable-bot changed the title chore(deps): update rust crate h2 to v0.3.18 [security] - abandoned chore(deps): update rust crate h2 to v0.3.18 [security] - abandoned - autoclosed Dec 13, 2023
@stackable-bot stackable-bot deleted the renovate/crate-h2-vulnerability branch December 13, 2023 20:50