actix-http: Bump h2 to fix a resource exhaustion vulnerability #3262

Merged (3 commits), Jan 24, 2024

Conversation

brunojppb (Contributor) commented Jan 24, 2024

PR Type

Bump h2 to fix a resource exhaustion vulnerability.

PR Checklist

  • Tests for the changes have been added / updated.
  • Documentation comments have been added / updated.
  • A changelog entry has been made for the appropriate packages.
  • Format code with the latest stable rustfmt.
  • (Team) Label with affected crates and semver status.

Overview

This has been reported by GitHub on one of my projects, so I thought I could just raise this upstream.

You can check the GitHub Advisory Database entry here:
GHSA-8r5v-vm4m-4g25


@brunojppb changed the title from "Actix http fix vul" to "actix-http: Bump h2 to fix a resource exhaustion vulnerability" on Jan 24, 2024

robjtede (Member) commented Jan 24, 2024

This is usually a no-op for library crates (solved downstream with a cargo update -p=h2) but it will clear the warning on https://deps.rs/crate/actix-http/3.5.1 so happy to accept.

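The downstream fix robjtede describes is a lockfile change, so the useful check for a consumer of actix-http is whether their own Cargo.lock still pins an affected h2. The script below is an added example, not code from this PR, from actix-web or from h2: it reads the pinned h2 version out of a Cargo.lock with awk and compares it against the first patched releases, which I take to be 0.3.24 on the 0.3 line and 0.4.2 on the 0.4 line (confirm those against GHSA-8r5v-vm4m-4g25 before relying on the verdict). The function names, the constructed sample lockfile and the version thresholds are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the actix-web PR, actix-http or h2.
# Checks whether a Cargo.lock pins h2 below the first patched release.
# ASSUMPTION: patched versions are 0.3.24 (0.3.x) and 0.4.2 (0.4.x);
# confirm against GHSA-8r5v-vm4m-4g25 before relying on this.

# Print the version pinned for crate $2 in the Cargo.lock at $1 (first match).
# Cargo.lock is TOML: each "[[package]]" table has "name" and "version" keys.
lock_version() {
  awk -v crate="$2" '
    $0 == "[[package]]" { in_pkg = 1; hit = 0; next }
    in_pkg && $1 == "name" && $3 == ("\"" crate "\"") { hit = 1; next }
    in_pkg && hit && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
  ' "$1"
}

# Return 0 when dotted version $1 >= $2, comparing components numerically.
# Pre-release suffixes ("0.3.24-rc1") are not handled; add parsing if you need them.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# Return 0 when the given h2 version carries the fix (per the assumed thresholds).
h2_is_patched() {
  case "$1" in
    0.3.*)     version_ge "$1" "0.3.24" ;;
    0.4.*)     version_ge "$1" "0.4.2" ;;
    0.[0-2].*) return 1 ;;                # older minor lines never got the fix
    *)         version_ge "$1" "0.4.2" ;; # anything later than 0.4 is past it
  esac
}

# Print a verdict for the Cargo.lock at $1; return 1 when an update is needed.
check_lock() {
  v=$(lock_version "$1" h2)
  if [ -z "$v" ]; then
    echo "h2 is not in $1"; return 0
  fi
  if h2_is_patched "$v"; then
    echo "h2 $v is patched"; return 0
  fi
  echo "h2 $v is affected: run 'cargo update -p h2' and re-check"; return 1
}

# Constructed sample lockfile (not from the PR): actix-http 3.5.1 with an old h2.
demo_lock="${TMPDIR:-/tmp}/h2-check-demo.$$"
cat > "$demo_lock" <<'EOF'
[[package]]
name = "actix-http"
version = "3.5.1"

[[package]]
name = "h2"
version = "0.3.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF

if check_lock "$demo_lock"; then echo "lockfile is fine"; else echo "lockfile needs updating"; fi
rm -f "$demo_lock"
```

Run `check_lock path/to/Cargo.lock` against a real project: a non-zero return means the lockfile still resolves to an affected h2 and `cargo update -p h2` (the `-p=h2` spelling in the comment above is equivalent) is needed. This is a lockfile check only; a binary built from a lockfile that was already updated is unaffected by what a library crate's own Cargo.lock says, which is why the bump is a no-op for library users.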
@robjtede added labels A-http (project: actix-http) and B-semver-norelease (change that does not require a release) on Jan 24, 2024

brunojppb (Contributor, Author) commented

> This is usually a no-op for library crates (solved downstream with a cargo update -p=h2) but it will clear the warning on https://deps.rs/crate/actix-http/3.5.1 so happy to accept.

Thanks @robjtede! 🙌
Appreciate that!

@robjtede merged commit 891ab08 into actix:master on Jan 24, 2024
10 of 12 checks passed
Labels: A-http (project: actix-http), B-semver-norelease (change that does not require a release)
2 participants