Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cargo build fails due to vulnerability in h2 #16768

Closed
afeinberg opened this issue Apr 3, 2024 · 1 comment · Fixed by #16769
Closed

cargo build fails due to vulnerability in h2 #16768

afeinberg opened this issue Apr 3, 2024 · 1 comment · Fixed by #16769
Assignees
@afeinberg
Labels
type/enhancement Type: Issue - Enhancement

Comments

@afeinberg
Copy link
Contributor

afeinberg commented Apr 3, 2024
edited

cargo build fails due to vulnerability in h2

error[vulnerability]: Degradation of service in h2 servers with CONTINUATION Flood
    ┌─ /Users/alexf/repos/tikv/Cargo.lock:165:1
    │
165 │ h2 0.3.24 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2024-0332
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0332
    = An attacker can send a flood of CONTINUATION frames, causing `h2` to process them indefinitely.
      This results in an increase in CPU usage.

      Tokio task budget helps prevent this from a complete denial-of-service, as the server can still
      respond to legitimate requests, albeit with increased latency.

      More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

      Patches available for 0.4.x and 0.3.x versions.
    = Solution: Upgrade to ^0.3.26 OR >=0.4.4 (try `cargo update -p h2`)
@afeinberg afeinberg added the type/enhancement Type: Issue - Enhancement label Apr 3, 2024
@afeinberg
Copy link
Contributor Author

/assign afeinberg

@afeinberg afeinberg mentioned this issue Apr 3, 2024
Merged
9 tasks
ti-chi-bot bot pushed a commit that referenced this issue Apr 4, 2024
@afeinberg
Cargo.toml: Fix h2 cargo deny issue. (#16769)
694e4ab 
close #16768

Update h2 to 0.3.26

Signed-off-by: Alex Feinberg <alex@strlen.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@afeinberg afeinberg

Labels
type/enhancement Type: Issue - Enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Cargo.toml: Fix h2 cargo deny issue. afeinberg/tikv
1 participant
@afeinberg