fix(deps): update rust crate tungstenite to 0.20.0 [security] #18

Open
wants to merge 1 commit into
base: main

@renovate renovate bot commented Sep 25, 2023

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| tungstenite | dependencies | minor | 0.18.0 -> 0.20.0 |

GitHub Vulnerability Alerts

CVE-2023-43669

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).


Release Notes

snapview/tungstenite-rs (tungstenite)

v0.20.1

v0.20.0

  • Remove many implicit flushing behaviours. In general reading and writing messages will no
    longer flush until calling flush. An exception is automatic responses (e.g. pongs)
    which will continue to be written and flushed when reading and writing.
    This allows writing a batch of messages and flushing once, improving performance.
  • Add WebSocket::read, write, send, flush. Deprecate read_message, write_message, write_pending.
  • Add FrameSocket::read, write, send, flush. Remove read_frame, write_frame, write_pending.
    Note: Previous use of write_frame may be replaced with send.
  • Add WebSocketContext::read, write, flush. Remove read_message, write_message, write_pending.
    Note: Previous use of write_message may be replaced with write + flush.
  • Remove send_queue, replaced with using the frame write buffer to achieve similar results.
    • Add WebSocketConfig::max_write_buffer_size. Deprecate max_send_queue.
    • Add Error::WriteBufferFull. Remove Error::SendQueueFull.
      Note: WriteBufferFull returns the message that could not be written as a Message::Frame.
  • Add ability to buffer multiple writes before writing to the underlying stream, controlled by
    WebSocketConfig::write_buffer_size (default 128 KiB). Improves batch message write performance.
  • Panic on receiving invalid WebSocketConfig.

v0.19.0

  • Update TLS dependencies.
  • Exchanging base64 for data-encoding.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/crate-tungstenite-vulnerability branch from c8aa137 to da4fb00 (December 6, 2023 11:17)
@renovate renovate bot changed the title from "fix(deps): update rust crate tungstenite to 0.20.1 [security]" to "fix(deps): update rust crate tungstenite to 0.20.0 [security]" (Dec 6, 2023)
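
The advisory quoted above ties the cost to two factors: how many times a parse is attempted and how much data each attempt covers. The following sketch is an added example, not code from this PR or from tungstenite; it models that cost as bytes scanned for the header terminator and shows how resuming the scan and capping the header size bound it. All function names and the 8 KiB limit are assumptions made for illustration.

```rust
// Added example; all names are hypothetical and none of this is tungstenite's code.
const MAX_HEADER_BYTES: usize = 8 * 1024; // assumed limit for this sketch

#[derive(Debug, PartialEq)]
enum Outcome { Complete, Incomplete, TooLarge }

// Look for the end of the header block, starting 3 bytes before `from` so a
// terminator split across two reads is still seen. Returns (bytes examined, found).
fn scan(buf: &[u8], from: usize) -> (usize, bool) {
    let start = from.saturating_sub(3);
    match buf[start..].windows(4).position(|w| w == b"\r\n\r\n") {
        Some(i) => (i + 4, true),
        None => (buf.len() - start, false),
    }
}

// Feed `input` in `chunk`-byte reads. `resume` keeps the scan position between
// reads; `cap` rejects a header block that grows past the limit.
fn handshake(input: &[u8], chunk: usize, resume: bool, cap: Option<usize>) -> (Outcome, usize) {
    let (mut buf, mut scanned, mut pos) = (Vec::new(), 0usize, 0usize);
    for part in input.chunks(chunk) {
        buf.extend_from_slice(part);
        if cap.map_or(false, |limit| buf.len() > limit) {
            return (Outcome::TooLarge, scanned);
        }
        let (n, done) = scan(&buf, if resume { pos } else { 0 });
        scanned += n;
        pos = buf.len();
        if done { return (Outcome::Complete, scanned); }
    }
    (Outcome::Incomplete, scanned)
}

// Constructed input: a request line plus one header that never terminates.
fn unterminated(total: usize) -> Vec<u8> {
    let mut v = b"GET / HTTP/1.1\r\nX-Pad: ".to_vec();
    v.resize(total, b'a');
    v
}

fn main() {
    let input = unterminated(64_000);
    println!("re-scan from start: {:?}", handshake(&input, 64, false, None));
    println!("resume scan:        {:?}", handshake(&input, 64, true, None));
    println!("resume + cap:       {:?}", handshake(&input, 64, true, Some(MAX_HEADER_BYTES)));
}
```

Re-scanning from the start on every read makes the work grow with the square of the header length, while the capped variant stops after a fixed amount of work regardless of what the peer sends.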