Update Rust crate hyper to 0.14 [SECURITY]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
hyper (source)	dependencies	minor	0.10 → 0.14

GitHub Vulnerability Alerts

CVE-2021-32715

Summary

hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks".

Vulnerability

The flaw exists in all prior versions of hyper, if built with rustc v1.5.0 or newer.

Example:

GET / HTTP/1.1
Host: example.com
Content-Length: +3

abc

This request gets accepted and hyper reads the body as abc. The request should be rejected, according to RFC 7230, since the ABNF for Content-Length only allows for DIGITs. This is due to using the FromStr implementation for u64 in the standard library. By differing from the spec, it is possible to send requests like these to endpoints that have different HTTP implementations, with different interpretations of the payload semantics, and cause "desync attacks".

In this particular case, an upstream proxy would need to error when parsing the Content-Length, but not reject the request (swallowing its own error), and forwarding the request as-is with the Content-Length still included. Then the upstream proxy and hyper would disagree on the length of the request body. The combination of these factors would be extremely rare.

Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Impact

To determine if vulnerable, all these things must be true:

• Using hyper as an HTTP server. While the lenient decoder also exists in the client, a vulnerability does not exist around responses.
• Using HTTP/1. The HTTP/2 code uses a stricter parser.
• Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal Content-Length header, OR can parse the length with the plus sign, the desync attack cannot succeed.

Patches

We have released the following patch versions:

• v0.14.10 (to be released when this advisor is published)

Workarounds

Besides upgrading hyper, you can take the following options:

• Reject requests manually that contain a plus sign prefix in the Content-Length header.
• Ensure any upstream proxy handles Content-Length headers with a plus sign prefix.

Credits

This issue was initially reported by Mattias Grenfeldt and Asta Olofsson.

CVE-2021-32714

Summary

hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks".

Vulnerability

Example:

GET / HTTP/1.1
Host: example.com
Transfer-Encoding: chunked

f0000000000000003
abc
0

hyper only reads the rightmost 64-bit integer as the chunk size. So it reads f0000000000000003 as 3. A loss of data can occur since hyper would then read only 3 bytes of the body. Additionally, an HTTP request smuggling vulnerability would occur if using a proxy which instead has prefix truncation in the chunk size, or that understands larger than 64-bit chunk sizes.

Read more about desync attacks: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

Impact

To determine if vulnerable to data loss, these things must be true:

• Using HTTP/1.1. Since HTTP/2 does not use chunked encoding, it is not vulnerable.
• Using hyper as a server or client. The body would be improperly truncated in either case.
• Users send requests or responses with chunk sizes greater than 18 exabytes.

To determine if vulnerable to desync attacks, these things must be true:

• Using an upstream proxy that allows chunks sizes larger than 64-bit. If the proxy rejects chunk sizes that are too large, that request won't be forwarded to hyper.

Patches

We have released the following patch versions:

• v0.14.10 (to be released when this advisory is published)

Workarounds

Besides upgrading hyper, you can take the following options:

• Reject requests manually that contain a Transfer-Encoding header.
• Ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in 64-bit unsigned integers.

Credits

This issue was initially reported by Mattias Grenfeldt and Asta Olofsson.

GHSA-f67m-9j94-qv9j

Affected versions of this crate called mem::uninitialized() in the HTTP1 parser to create values of type httparse::Header (from the httparse crate).
This is unsound, since Header contains references and thus must be non-null.

The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.

---

Release Notes

hyperium/hyper (hyper)

v0.14.12

Compare Source

Bug Fixes

• ffi: on_informational callback had no headers (39b6d01a)
• http1: apply header title case for consecutive dashes (#​2613) (684f2fa7)
• http2: improve errors emitted by HTTP2 Upgraded stream shutdown (#​2622) (be08648e)

Features

• client: expose http09 and http1 options on client::conn::Builder (#​2611) (73bff4e9, closes #​2461)

v0.14.11

Compare Source

Bug Fixes

• client: retry when pool checkout returns closed HTTP2 connection (#​2585) (52214f39)
• http2:
  • improve I/O errors emitted by H2Upgraded (#​2598) (f51c677d)
  • preserve proxy-authenticate and proxy-authorization headers (#​2597) (52435701)

Features

• ffi: add hyper_request_on_informational (25d18c0b)

v0.14.10

Compare Source

Bug Fixes

• http1:
  • reject content-lengths that have a plus sign prefix (06335158)
  • protect against overflow in chunked decoder (efd9a982)

Features

• ffi: add option to get raw headers from response (8c89a8c1)

v0.14.9

Compare Source

Bug Fixes

• http1: reduce memory used with flatten write strategy (eb0c6463)

v0.14.8

Compare Source

Features

• client: allow to config http2 max concurrent reset streams (#​2535) (b9916c41)
• error: add Error::is_parse_too_large and Error::is_parse_status methods (#​2538) (960a69a5)
• http2:
  • Implement Client and Server CONNECT support over HTTP/2 (#​2523) (5442b6fa, closes #​2508)
  • allow HTTP/2 requests by ALPN when http2_only is unset (#​2527) (be9677a1)

Performance

• http2: reduce amount of adaptive window pings as BDP stabilizes (#​2550) (4cd06bf2)

v0.14.7

Compare Source

Bug Fixes

• http1: http1_title_case_headers should move Builder (a303b3c3)

Features

• server: implement forgotten settings for case preserving (4fd6c4cb)

v0.14.6

Compare Source

Features

• client: add option to allow misplaced spaces in HTTP/1 responses (#​2506) (11345394)
• http1: add options to preserve header casing (#​2480) (dbea7716, closes #​2313)

v0.14.5

Compare Source

Bug Fixes

• client: omit default port from automatic Host headers (#​2441) (0b11eee9)
• headers: Support multiple Content-Length values on same line (#​2471) (48fdaf16, closes #​2470)
• server: skip automatic Content-Length headers when not allowed (#​2216) (8cbf9527, closes #​2215)

Features

• client: allow HTTP/0.9 responses behind a flag (#​2473) (68d4e4a3, closes #​2468)
• server: add AddrIncoming::from_listener constructor (#​2439) (4c946af4)

v0.14.4

Compare Source

Bug Fixes

• build: Fix compile error when only http1 feature was enabled.

v0.14.3

Compare Source

Bug Fixes

• client: HTTP/1 client "Transfer-Encoding" repair code would panic (#​2410) (2c8121f1, closes #​2409)
• http1: fix server misinterpreting multiple Transfer-Encoding headers (8f93123e)

Features

• body:
  • reexport hyper::body::SizeHint (#​2404) (9956587f)
  • add send_trailers to Body channel's Sender (#​2387) (bf8d74ad, closes #​2260)
• ffi:
  • add HYPERE_INVALID_PEER_MESSAGE error code for parse errors (1928682b)
  • Initial C API for hyper (3ae1581a)

v0.14.2

Compare Source

Features

• client: expose connect types without proto feature (#​2377) (73a59e5f)
• server: expose Accept without httpX features (#​2382) (a6d4fcbe)

v0.14.1

Compare Source

Bug Fixes

• http1: fix preserving header case without enabling ffi (#​2820) (6a35c175)
• server: don't add implicit content-length to HEAD responses (#​2836) (67b73138)

Features

• server:
  • add Connection::http2_max_header_list_size option (#​2828) (a32658c1, closes #​2826)
  • add AddrStream::local_addr() (#​2816) (ffbf610b, closes #​2773)

Breaking Changes

• ffi (unstable):
  • hyper_clientconn_options_new no longer sets the http1_preserve_header_case connection option by default.
    Users should now call hyper_clientconn_options_set_preserve_header_case if they desire that functionality. (78de8914)

v0.14.0

Compare Source

Bug Fixes

• client: log socket option errors instead of returning error (#​2361) (dad5c879, closes #​2359)
• http1:
  • ignore chunked trailers (#​2357) (1dd761c8, closes #​2171)
  • ending close-delimited body should close (#​2322) (71f34024)

Features

• client:
  • change DNS Resolver to resolve to SocketAddrs (#​2346) (b4e24332, closes #​1937)
  • Make client an optional feature (4e55583d)
• http1: Make HTTP/1 support an optional feature (2a19ab74)
• http2: Make HTTP/2 support an optional feature (b819b428)
• lib:
  • Upgrade to Tokio 1.0, Bytes 1.0, http-body 0.4 (#​2369) (fad42acc, closes #​2370)
  • remove dependency on tracing's log feature (#​2342) (db32e105, closes #​2326)
  • disable all optional features by default (#​2336) (ed2b22a7)
• server: Make the server code an optional feature (#​2334) (bdb5e5d6)
• upgrade: Moved HTTP upgrades off Body to a new API (#​2337) (121c3313, closes #​2086)

Breaking Changes

• hyper depends on tokio v1 and bytes v1.

• Custom resolvers used with HttpConnector must change
  to resolving to an iterator of SocketAddrs instead of IpAddrs.
  (b4e24332)

• hyper no longer emits log records automatically.
  If you need hyper to integrate with a log logger (as opposed to tracing),
  you can add tracing = { version = "0.1", features = ["log"] } to activate them.
  (db32e105)

• Removed http1_writev methods from client::Builder,
  client::conn::Builder, server::Builder, and server::conn::Builder.

  Vectored writes are now enabled based on whether the AsyncWrite
  implementation in use supports them, rather than though adaptive
  detection. To explicitly disable vectored writes, users may wrap the IO
  in a newtype that implements AsyncRead and AsyncWrite and returns
  false from its AsyncWrite::is_write_vectored method.
  (d6aadb83)

• The method Body::on_upgrade() is gone. It is
  essentially replaced with hyper::upgrade::on(msg).
  (121c3313)

• All optional features have been disabled by default.
  (ed2b22a7)

• The HTTP server code is now an optional feature. To
  enable the server, add features = ["server"] to the dependency in
  your Cargo.toml.
  (bdb5e5d6)

• The HTTP client of hyper is now an optional feature. To
  enable the client, add features = ["client"] to the dependency in
  your Cargo.toml.
  (4e55583d)

• This puts all HTTP/1 methods and support behind an
  http1 cargo feature, which will not be enabled by default. To use
  HTTP/1, add features = ["http1"] to the hyper dependency in your
  Cargo.toml.

(2a19ab74)

• This puts all HTTP/2 methods and support behind an
  http2 cargo feature, which will not be enabled by default. To use
  HTTP/2, add features = ["http2"] to the hyper dependency in your
  Cargo.toml.

(b819b428)

v0.13.9 (2020-11-02)

Bug Fixes

• client: fix panic when addrs in ConnectingTcpRemote is empty (#​2292) (01103da5, closes #​2291)
• http2: reschedule keep alive interval timer once a pong is received (2a938d96, closes #​2310)

Features

• client:
  • add HttpConnector::set_local_addresses to set both IPv6 and IPv4 local addrs ( (fb19f3a8)
  • Add accessors to Connected fields (#​2290) (2dc9768d)

v0.13.8 (2020-09-18)

Bug Fixes

• http1: return error if user body ends prematurely (1ecbcbb1, closes #​2263)

Features

• lib: Setting http1_writev(true) will now force writev queue usage (187c22af, closes #​2282)
• server: implement AsRawFd for AddrStream (#​2246) (b5d5e214, closes #​2245)

v0.13.7 (2020-07-13)

Bug Fixes

• client: don't panic in DNS resolution when task cancelled (#​2229) (0d0d3635)

Features

• client: impl tower_service::Service for &Client (#​2089) (77c3b5bc)
• http2: configure HTTP/2 frame size in the high-level builders too (#​2214) (2354a7ee)
• lib: Move from log to tracing in a backwards-compatible way (#​2204) (9832aef9)

v0.13.6 (2020-05-29)

Features

• body: remove Sync bound for Body::wrap_stream (042c7706)
• http2: allow configuring the HTTP/2 frame size (b6446456)

v0.13.5 (2020-04-17)

Bug Fixes

• server: fix panic in Connection::graceful_shutdown (fce3ddce)

v0.13.4 (2020-03-20)

Bug Fixes

• http1: try to drain connection buffer if user drops Body (d838d54f)

Features

• http2: add HTTP2 keep-alive support for client and server (9a8413d9)

v0.13.3 (2020-03-03)

Features

• client: rename client::Builder pool options (#​2142) (a82fd6c9)
• http2: add adaptive window size support using BDP (#​2138) (48102d61)
• server: add poll_peek to AddrStream (#​2127) (24d53d3f)

v0.13.2 (2020-01-29)

Bug Fixes

• body: return exactly 0 SizeHint for empty body (#​2122) (dc882047)
• client: strip path from Uri before calling Connector (#​2109) (ba2a144f)
• http1:
  • only send 100 Continue if request body is polled (c4bb4db5)
  • remove panic for HTTP upgrades that have been ignored (#​2115) (1881db63, closes #​2114)
• http2: don't add client content-length if method doesn't require it (fb90d30c)

Features

• service: Implement Clone/Copy on ServiceFn and MakeServiceFn (#​2104) (a5720fab)

v0.13.1 (2019-12-13)

Bug Fixes

• http1: fix response with non-chunked transfer-encoding to be close-delimited (cb71d2cd, closes #​2058)

Features

• body: implement HttpBody for Request and Response (4b6099c7, closes #​2067)
• client: expose hyper::client::connect::Connect trait alias (2553ea1a)

v0.13.10

Compare Source

Bug Fixes

• http1: fix server misinterpretting multiple Transfer-Encoding headers (6d9e5f9f)

  See GHSA-6hfq-h8hq-87mf

v0.13.9

Compare Source

Bug Fixes

• client: fix panic when addrs in ConnectingTcpRemote is empty (#​2292) (01103da5, closes #​2291)
• http2: reschedule keep alive interval timer once a pong is received (2a938d96, closes #​2310)

Features

• client:
  • add HttpConnector::set_local_addresses to set both IPv6 and IPv4 local addrs ( (fb19f3a8)
  • Add accessors to Connected fields (#​2290) (2dc9768d)

v0.13.8

Compare Source

Bug Fixes

• http1: return error if user body ends prematurely (1ecbcbb1, closes #​2263)

Features

• lib: Setting http1_writev(true) will now force writev queue usage (187c22af, closes #​2282)
• server: implement AsRawFd for AddrStream (#​2246) (b5d5e214, closes #​2245)

v0.13.7

Compare Source

Bug Fixes

• client: don't panic in DNS resolution when task cancelled (#​2229) (0d0d3635)

Features

• client: impl tower_service::Service for &Client (#​2089) (77c3b5bc)
• http2: configure HTTP/2 frame size in the high-level builders too (#​2214) (2354a7ee)
• lib: Move from log to tracing in a backwards-compatible way (#​2204) (9832aef9)

v0.13.6

Compare Source

Features

• body: remove Sync bound for Body::wrap_stream (042c7706)
• http2: allow configuring the HTTP/2 frame size (b6446456)

v0.13.5

Compare Source

Bug Fixes

• server: fix panic in Connection::graceful_shutdown (fce3ddce)

v0.13.4

Compare Source

Bug Fixes

• http1: try to drain connection buffer if user drops Body (d838d54f)

Features

• http2: add HTTP2 keep-alive support for client and server (9a8413d9)

v0.13.3

Compare Source

Features

• client: rename client::Builder pool options (#​2142) (a82fd6c9)
• http2: add adaptive window size support using BDP (#​2138) (48102d61)
• server: add poll_peek to AddrStream (#​2127) (24d53d3f)

v0.13.2

Compare Source

Bug Fixes

• body: return exactly 0 SizeHint for empty body (#​2122) (dc882047)
• client: strip path from Uri before calling Connector (#​2109) (ba2a144f)
• http1:
  • only send 100 Continue if request body is polled (c4bb4db5)
  • remove panic for HTTP upgrades that have been ignored (#​2115) (1881db63, closes #​2114)
• http2: don't add client content-length if method doesn't require it (fb90d30c)

Features

• service: Implement Clone/Copy on ServiceFn and MakeServiceFn (#​2104) (a5720fab)

v0.13.1

Compare Source

Bug Fixes

• http1: fix response with non-chunked transfer-encoding to be close-delimited (cb71d2cd, closes #​2058)

Features

• body: implement HttpBody for Request and Response (4b6099c7, closes #​2067)
• client: expose hyper::client::connect::Connect trait alias (2553ea1a)

v0.13.0

Compare Source

Bug Fixes

• client:
  • fix polling dispatch channel after it has closed (039281b8)
  • fix panic from unreachable code (e6027bc0)
• dependencies: require correct bytes minimum version (#​1975) (536b1e18)
• server:
  • change Builder window size methods to be by-value (a22dabd0, closes #​1814)
  • ignore expect-continue with no body in debug mode (ca5836f1, closes #​1843)
  • Remove unneeded 'static bound of Service on Connection (#​1971) (4d147126)

Features

• body:
  • change Sender::send_data to an async fn. (62a96c07)
  • require Sync when wrapping a dynamic Stream (44413721)
  • add body::aggregate and body::to_bytes functions (8ba9a8d2)
  • replace Chunk type with Bytes (5a598757, closes #​1931)
  • replace the Payload trait with HttpBody (c63728eb)
• client:
  • impl tower_service::Service for Client (edbd10ac)
  • provide tower::Service support for clients (#​1915) (eee2a728)
  • change connectors to return an impl Connection (4d7a2266)
  • remove Destination for http::Uri in connectors (319e8aee)
  • filter remote IP addresses by family of given local IP address (131962c8)
  • change Resolve to be Service<Name> (9d9233ce, closes #​1903)
  • change Connect trait into an alias for Service (d67e49f1, closes #​1902)
  • change GaiResolver to use a global blocking threadpool (049b5132)
  • Add connect timeout to HttpConnector (#​1972) (4179297a)
• lib:
  • update to std::future::Future (8f4b05ae)
  • add optional tcp feature, split from runtime (5b348b82)
  • make Stream trait usage optional behind the stream feature, enabled by default (0b03b730, closes #​2034)
  • update Tokio, bytes, http, h2, and http-body (cb3f39c2)
• rt: introduce rt::Executor trait (6ae5889f, closes #​1944)
• server:
  • introduce Accept trait (b3e55062)
  • give Server::local_addr a more general type (3cc93e79)
  • change http1_half_close option default to disabled (7e31fd88)
• service:
  • use tower_service::Service for hyper::service (ec520d56)
  • rename Service to HttpService, re-export tower::Service (4f274399, closes #​1959)

Breaking Changes

• All usage of async traits (Future, Stream,
  AsyncRead, AsyncWrite, etc) are updated to newer versions.

(8f4b05ae)

• All usage of hyper::Chunk should be replaced with
  bytes::Bytes (or hyper::body::Bytes).

(5a598757)

• Using a Body as a Stream, and constructing one via
  Body::wrap_stream, require enabling the stream feature.

(511ea388)

• Calls to GaiResolver::new and HttpConnector::new no
  longer should pass an integer argument for the number of threads.

(049b5132)

• Connectors no longer return a tuple of
  (T, Connected), but a single T: Connection.

(4d7a2266)

• All usage of hyper::client::connect::Destination
  should be replaced with http::Uri.

(319e8aee)

• All usage of hyper::body::Payload should be replaced
  with hyper::body::HttpBody.

(c63728eb)

• Any type passed to the executor builder methods must
  now implement hyper::rt::Executor.

  hyper::rt::spawn usage should be replaced with tokio::task::spawn.

  hyper::rt::run usage should be replaced with #[tokio::main] or
  managing a tokio::runtime::Runtime manually.

(6ae5889f)

• The Resolve trait is gone. All custom resolvers should
  implement tower::Service instead.

  The error type of HttpConnector has been changed away from
  std::io::Error.

(9d9233ce)

• Any manual implementations of Connect must instead
  implement tower::Service<Uri>.

(d67e49f1)

• The server's behavior will now by default close
  connections when receiving a read EOF. To allow for clients to close
  the read half, call http1_half_close(true) when configuring a
  server.

(7e31fd88)

• Passing a Stream to Server::builder or
  Http::serve_incoming must be changed to pass an Accept instead. The
  stream optional feature can be enabled, and then a stream can be
  converted using hyper::server::accept::from_stream.

(b3e55062)

• Usage of send_data should either be changed to
  async/await or use try_send_data.

(62a96c07)

v0.12.35 (2019-09-13)

Features

• body: identify aborted body write errors (32869224)

v0.12.34 (2019-09-04)

Bug Fixes

• client: allow client GET requests with explicit body headers (23fc8b08, closes #​1925)

v0.12.33 (2019-09-04)

v0.12.32 (2019-07-08)

Features

• client: HttpConnector: allow to set socket buffer sizes (386109c4)

v0.12.31 (2019-06-25)

v0.12.30 (2019-06-14)

Bug Fixes

• http1: force always-ready connections to yield after a few spins (8316f96d)
• http2: correctly propagate HTTP2 request cancellation (50198851)

v0.12.29 (2019-05-16)

Bug Fixes

• server: skip automatic Content-Length header for HTTP 304 responses (b342c38f, closes #​1797)

Features

• body: implement http_body::Body for hyper::Body (2d9f3490)
• client: Implement TryFrom for Destination (#​1810) (d1183a80, closes #​1808)
• server: add initial window builder methods that take self by-val (#​1817) (8b45af7f)

v0.12.28 (2019-04-29)

Bug Fixes

• client:
  • detect HTTP2 connection closures sooner (e0ec5cad)
  • fix a rare connection pool race condition (4133181b)

Features

• server: impl Sink for Body::Sender (8d70baca, closes #​1781)

v0.12.27 (2019-04-10)

Bug Fixes

• http2: fix import of h2::Reason to work on 1.26 (5680d944)

v0.12.26 (2019-04-09)

Bug Fixes

• http2: send a GOAWAY when the user's Service::poll_ready errors (42c5efc0)
• server: prohibit the length headers on successful CONNECT (d1501a0f, closes #​1783)

Features

• http2: check Error::source() for an HTTP2 error code to send in reset (fc18b680)

v0.12.25 (2019-03-01)

Bug Fixes

• client: coerce HTTP_2 requests to HTTP_11 (3a6080b1, closes #​1770)
• http2: send INTERNAL_ERROR when user's Service errors (8f926a0d)

Features

• error: implement Error::source when available (4cf22dfa, closes #​1768)
• http2: Add window size config options for Client and Server (7dcd4618, closes #​1771)
• server: add http2_max_concurrent_streams builder option (cbae4294, closes #​1772)
• service:
  • add poll_ready to Service and MakeService (#​1767) (0bf30ccc)
  • allow FnMut with service_fn (877606d5)

v0.12.24 (2019-02-11)

Bug Fixes

• client: fix panic when CONNECT request doesn't have a port (d16b2c30)

Features

• server:
  • add http1_max_buf_size in the server::Builder (#​1761) (3e9782c2)
  • add into_inner to AddrStream (#​1762) (e52f80df)

v0.12.23 (2019-01-24)

Bug Fixes

• http2: revert http2 refactor causing a client hang (9aa7e990)

Features

• client: add conn::Builder::max_buf_size() (078ed82d, closes #​1748)

v0.12.22 (2019-01-23)

Bug Fixes

• client: parse IPv6 hosts correctly in HttpConnector (c328c62e)

v0.12.21 (2019-01-15)

Features

• client:
  • add Destination::try_from_uri constructor (c809542c)
  • Add useful trait impls to Name (be5ec455)
  • add FromStr impl for Name (607c4da0)

v0.12.20 (2019-01-07)

Bug Fixes

• dependencies: disable unneeded optional tokio features (e5135dd6, closes #​1739)
• http2: don't consider an h2 send request error as canceled (cf034e99)

v0.12.19 (2018-12-18)

Bug Fixes

• rt: prevent fallback reactor thread from being created accidentally (1d253b4d)

v0.12.18 (2018-12-11)

Features

• server: add server::conn::AddrIncoming::bind constructor (2d5eabde)

v0.12.17 (2018-12-05)

Features

• error: add Error::is_connect method (01f64983)
• server:
  • add tcp_sleep_on_accept_errors builder method (a6fff13a, closes #​1713)
  • add http1_half_close(bool) option (73345be6, closes [#​1716](https://redirect.github.com/h

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package [email protected] --precise 0.14.12
    Updating crates.io index
error: failed to select a version for the requirement `hyper = "^0.10"`
candidate versions found which didn't match: 0.14.12
location searched: crates.io index
required by package `hyper-native-tls v0.3.0`
    ... which satisfies dependency `hyper-native-tls = "^0.3.0"` (locked to 0.3.0) of package `kubecfg v0.2.0 (/tmp/renovate/repos/github/anguslees/kubecfg)`
perhaps a crate was updated and forgotten to be re-vendored?