
chore: release v0.0.5 #5

Open
MagicalTux wants to merge 1 commit into master from release-plz-2026-05-30T23-26-33Z

@MagicalTux
Member

🤖 New release

  • rsurl: 0.0.4 -> 0.0.5
Changelog

0.0.5 - 2026-05-30

Other

  • enforce inbound flow-control window, reject peer overrun (FLOW_CONTROL_ERROR)
  • fail closed when an existing known_hosts file cannot be read (avoid silent TOFU accept-all)
  • bound filter-parser recursion depth to prevent stack-overflow DoS
  • cap packet remaining-length at 64 MiB to prevent pre-alloc memory exhaustion
  • reject backslash and percent in reg-name host (parser-differential host confusion)
  • bound status/header/chunk-size/trailer line reads to prevent server-driven OOM (DoS)
  • fix three confirmed security bugs in Set-Cookie handling
  • reject pre-TLS pipelined data before STARTTLS upgrade (CVE-2011-0411 class injection)
  • bound attacker-controlled QPACK literal lengths with checked_add (fix slice-index panic / remote DoS)


This PR was generated with release-plz.
