Skip to content
This repository was archived by the owner on Jan 22, 2025. It is now read-only.

deps: Upgrades h2 due to security advisory #34816

Merged
t-nelson merged 1 commit into from
Jan 18, 2024
Merged

deps: Upgrades h2 due to security advisory #34816

t-nelson merged 1 commit into from
Jan 18, 2024

Conversation

@brooksprumo
Copy link
Contributor

@brooksprumo brooksprumo commented Jan 17, 2024

Problem

The h2 crate has a security advisory1:

+ cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2023-0001 --ignore RUSTSEC-2022-0093
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 589 security advisories (from /usr/local/cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (798 crate dependencies)
Crate:     h2
Version:   0.3.18
Title:     Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Date:      2024-01-17
ID:        RUSTSEC-2024-0003
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0003
Solution:  Upgrade to ^0.3.24 OR >=0.4.2
Dependency tree:
h2 0.3.18

Summary of Changes

I ran cargo update h2 --workspace to update h2

Footnotes

  1. https://rustsec.org/advisories/RUSTSEC-2024-0003

@brooksprumo brooksprumo self-assigned this Jan 17, 2024
@joncinque joncinque mentioned this pull request Jan 17, 2024
Merged
@CriesofCarrots CriesofCarrots marked this pull request as ready for review January 18, 2024 00:06
@t-nelson
Copy link
Contributor

t-nelson commented Jan 18, 2024

passed locally. merging on yellow to unblock master

@t-nelson t-nelson merged commit 0e8f2de into solana-labs:master Jan 18, 2024
@CriesofCarrots CriesofCarrots mentioned this pull request Jan 18, 2024
Merged
@brooksprumo brooksprumo deleted the h2 branch January 18, 2024 02:11
@gregcusack gregcusack mentioned this pull request Jan 22, 2024
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@CriesofCarrots CriesofCarrots CriesofCarrots approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@brooksprumo brooksprumo

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@brooksprumo @t-nelson @CriesofCarrots