Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cargo: update h2 to 0.3.26 to fix HTTP/2 CONTINUATION flood #54

Merged
merged 2 commits into from
Apr 5, 2024

Conversation

dongsupark
Copy link
Member

@dongsupark dongsupark commented Apr 5, 2024

Update h2 to 0.3.26, to address HTTP/2 CONTINUATION flood issues.
Update related crates as well, reqwest to 0.11.26, hyper to 0.14.28, which are only patchlevel updates.

See also https://rustsec.org/advisories/RUSTSEC-2024-0332.html, https://nowotarski.info/http2-continuation-flood/, https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Update h2 to v0.3.26, to address HTTP/2 CONTINUATION flood issues.
Update related crates as well, reqwest to 0.11.26, hyper to 0.14.28,
which are only patchlevel updates.

See also https://rustsec.org/advisories/RUSTSEC-2024-0332.html,
https://nowotarski.info/http2-continuation-flood/,
https://seanmonstar.com/blog/hyper-http2-continuation-flood/.
@dongsupark
Copy link
Member Author

CI fails during clippy, which is a different issue happening also in trunk.

@pothos
Copy link
Member

pothos commented Apr 5, 2024

To fix that we need to bump uuid:

diff --git a/Cargo.toml b/Cargo.toml
index 5dda2de..97ed81b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,7 +17,7 @@ reqwest = { version = "0.11", features = ["blocking"] }
 sha2 = "0.10"
 tempfile = "3.8.1"
 url = "2"
-uuid = "1.2"
+uuid = "1.8"
 
 [dependencies.hard-xml]
 path = "vendor/hard-xml"
diff --git a/omaha/Cargo.toml b/omaha/Cargo.toml
index ef24690..9bc5170 100644
--- a/omaha/Cargo.toml
+++ b/omaha/Cargo.toml
@@ -6,7 +6,7 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-uuid = "1.2"
+uuid = "1.8"
 ct-codecs = "1"
 url = "2"
 anyhow = "1.0.75"

(plus updating the .lock file)
Can you push this as commit?

@dongsupark
Copy link
Member Author

@pothos CI passed. Thanks!

@pothos
Copy link
Member

pothos commented Apr 5, 2024

I think we also should update the .toml files because the .lock file gets recreated, or?
Currently we only require uuid 1.2, but I think we should require 1.8.

Clippy of Rust 1.77 or newer started checking out of bounds strictly,
so clippy started failing with uuid 1.6 or older. Update clippy to
the latest version to fix that.

See also uuid-rs/uuid#721.

Debugged-by @pothos.
@dongsupark dongsupark merged commit 9b6ddb0 into flatcar:trunk Apr 5, 2024
1 check passed
@dongsupark dongsupark deleted the update-h2-0.3.26 branch April 5, 2024 13:17
dongsupark added a commit to flatcar/scripts that referenced this pull request Apr 12, 2024
Update to 9b6ddb0226208450bcef9da4ac5ba8bc2a47a87c (2024-04-05), mainly
to address security issues in Rust crates.

Pulls in:
flatcar/ue-rs#51
flatcar/ue-rs#52
flatcar/ue-rs#53
flatcar/ue-rs#54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants