Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cargo: update h2 to 0.3.26 to fix HTTP/2 CONTINUATION flood #54

Merged
merged 2 commits into from
Apr 5, 2024
Merged

Cargo: update h2 to 0.3.26 to fix HTTP/2 CONTINUATION flood #54

merged 2 commits into from
Apr 5, 2024

Conversation

dongsupark
Copy link
Member

@dongsupark dongsupark commented Apr 5, 2024
edited
Loading

Update h2 to 0.3.26, to address HTTP/2 CONTINUATION flood issues.
Update related crates as well, reqwest to 0.11.26, hyper to 0.14.28, which are only patchlevel updates.

See also https://rustsec.org/advisories/RUSTSEC-2024-0332.html, https://nowotarski.info/http2-continuation-flood/, https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

@dongsupark
Cargo: update h2 to v0.3.26 to fix HTTP/2 CONTINUATION flood
5f98253 
Update h2 to v0.3.26, to address HTTP/2 CONTINUATION flood issues.
Update related crates as well, reqwest to 0.11.26, hyper to 0.14.28,
which are only patchlevel updates.

See also https://rustsec.org/advisories/RUSTSEC-2024-0332.html,
https://nowotarski.info/http2-continuation-flood/,
https://seanmonstar.com/blog/hyper-http2-continuation-flood/.
@dongsupark
Copy link
Member Author

CI fails during clippy, which is a different issue happening also in trunk.

@pothos
Copy link
Member

pothos commented Apr 5, 2024

To fix that we need to bump uuid:

diff --git a/Cargo.toml b/Cargo.toml
index 5dda2de..97ed81b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,7 +17,7 @@ reqwest = { version = "0.11", features = ["blocking"] }
 sha2 = "0.10"
 tempfile = "3.8.1"
 url = "2"
-uuid = "1.2"
+uuid = "1.8"
 
 [dependencies.hard-xml]
 path = "vendor/hard-xml"
diff --git a/omaha/Cargo.toml b/omaha/Cargo.toml
index ef24690..9bc5170 100644
--- a/omaha/Cargo.toml
+++ b/omaha/Cargo.toml
@@ -6,7 +6,7 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-uuid = "1.2"
+uuid = "1.8"
 ct-codecs = "1"
 url = "2"
 anyhow = "1.0.75"

(plus updating the .lock file)
Can you push this as commit?

@dongsupark
Copy link
Member Author

@pothos CI passed. Thanks!

@pothos
Copy link
Member

pothos commented Apr 5, 2024
edited
Loading

I think we also should update the .toml files because the .lock file gets recreated, or?
Currently we only require uuid 1.2, but I think we should require 1.8.

@dongsupark
Cargo: update uuid to 1.8 to fix clippy failures
5452456 
Clippy of Rust 1.77 or newer started checking out of bounds strictly,
so clippy started failing with uuid 1.6 or older. Update clippy to
the latest version to fix that.

See also uuid-rs/uuid#721.

Debugged-by @pothos.
@dongsupark dongsupark merged commit 9b6ddb0 into flatcar:trunk Apr 5, 2024
1 check passed
@dongsupark dongsupark deleted the update-h2-0.3.26 branch April 5, 2024 13:17
dongsupark added a commit to flatcar/scripts that referenced this pull request Apr 12, 2024
@dongsupark
coreos-base/ue-rs: bump h2, mio
30ec9cc 
Update to 9b6ddb0226208450bcef9da4ac5ba8bc2a47a87c (2024-04-05), mainly
to address security issues in Rust crates.

Pulls in:
flatcar/ue-rs#51
flatcar/ue-rs#52
flatcar/ue-rs#53
flatcar/ue-rs#54
@dongsupark dongsupark mentioned this pull request Apr 12, 2024
Merged
1 task
@github-actions github-actions bot mentioned this pull request Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pothos pothos pothos approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dongsupark @pothos