Backport to v2.2.x: [http2] delay processing requests upon observing suspicious behavior #3293
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Backport of 94fbc54 to v2.2.x
|
thanks @rgacogne we'll be backporting this to FreeBSD as well, to support dndist, urbit, and freeswitch, which rely on libh2o from 2.2.6. |
|
Thank you for taking care of downstream projects. With the caveat that we longer maintain 2.2.x, I do not think there is a reason to not merge this PR. |
freebsd-git
pushed a commit
to freebsd/freebsd-ports
that referenced
this pull request
Oct 28, 2023
- downstream dnsdist project has backported a fix for this specific issue - deprecation is still planned, and port should not be considered secure - pet port in line with www/h2o-devel See h2o/h2o#3293 for further details Obtained from: Remi Gacogne <remi.gacogne@powerdns.com> Security: CVE-2023-44487 Security: GHSA-2m7v-gc89-fjqf
freebsd-git
pushed a commit
to freebsd/freebsd-ports
that referenced
this pull request
Oct 28, 2023
- downstream dnsdist project has backported a fix for this specific issue - deprecation is still planned, and port should not be considered secure - pet port in line with www/h2o-devel See h2o/h2o#3293 for further details Obtained from: Remi Gacogne <remi.gacogne@powerdns.com> Security: CVE-2023-44487 Security: GHSA-2m7v-gc89-fjqf (cherry picked from commit dcd7c23)
lsalvadore
pushed a commit
to lsalvadore/freebsd-ports
that referenced
this pull request
Oct 29, 2023
- downstream dnsdist project has backported a fix for this specific issue - deprecation is still planned, and port should not be considered secure - pet port in line with www/h2o-devel See h2o/h2o#3293 for further details Obtained from: Remi Gacogne <remi.gacogne@powerdns.com> Security: CVE-2023-44487 Security: GHSA-2m7v-gc89-fjqf
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi!
This is a backport of 94fbc54 from #3291 to the v2.2.x branch.
I know that all the tagged releases should be considered deprecated, and that no new version will be released in the future, therefore I don't expect this pull request to be merged. While we are transitioning from
libh2o-evlooptonghttp2in DNSdist, we unfortunately need to keep ourh2osupport alive for a little bit longer while the transition is complete, so we have been working on backporting the HTTP2 rapid reset fix on top of 2.2.6, and we decided to share the result in case it helps others.Please note that we unfortunately had to break the ABI to introduce the new timer, so this change will require a rebuild of applications dynamically linked against
libh2o.Any feedback would be of course appreciated!
Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/