SwiftNIO HTTP/2 versions 1.0.0 up to and including 1.19.1 are affected by three denial of service security vulnerabilities. These were discovered by OSS-Fuzz.
Please update any dependency on SwiftNIO HTTP/2 to 1.19.2 or newer:
.package(url: "https://github.com/apple/swift-nio-http2.git", from: "1.19.2")
Details of the vulnerabilities are available on their respective GitHub security advisories:
Things like this are why I've become such a fuzzing fanboy. It finds so many hidden issues like these before they become problems in production, but it's still a bit under-rated.
Even if you don't have the computational resources of a project like OSS-Fuzz, it's still worth doing. IMO every complex library should consider adding at least a couple of fuzz-targets, to verify the things that are difficult to test any other way.
@Karl - How does one get started with fuzzing? I've found a few blog posts and such out there, but I didn't find it clear how to incorporate LLVM's fuzzer with anything higher level in Swift. On top of that, I saw a couple of mentions about how the LLVM fuzzer wasn't included in the current toolchains, implying I needed to build Swift from source to get it all operational?
Where can I learn more?
Happy to move this to another thread to not lean on the SwiftNIO notice.
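The kind of fuzz target Karl is recommending above, and the libFuzzer hook-up asked about in the last post, as an added example that is not code from the thread, from SwiftNIO, or from its own fuzz targets. It fuzzes a small, made-up parser for an HTTP/2-style 9-byte frame header (24-bit length, type, flags, 31-bit stream ID) so the file is self-contained; the names `FrameHeader`, `parseFrame` and `fuzzFrameParser` are this example's own. It assumes a toolchain whose Swift runtime ships libFuzzer support (the swift.org Linux toolchains do; check yours), and uses the `@_cdecl("LLVMFuzzerTestOneInput")` entry point and `-sanitize=fuzzer,address` flags documented in the Swift repository's libFuzzer integration notes:

```swift
// Added example: a minimal libFuzzer target for a toy HTTP/2-style frame parser.
// Illustrative code only; not SwiftNIO's parser or its fuzz targets.
//
// Build and run (assumes a toolchain with libFuzzer support, e.g. swift.org on Linux):
//   swiftc -sanitize=fuzzer,address -parse-as-library FrameFuzz.swift -o frame_fuzz
//   mkdir -p corpus && ./frame_fuzz corpus -max_len=64
// -parse-as-library is required because libFuzzer supplies main(); this file must not.

struct FrameHeader: Equatable {
    var length: Int       // 24-bit payload length
    var type: UInt8
    var flags: UInt8
    var streamID: UInt32  // 31 bits; the reserved high bit is masked off
}

enum FrameError: Error {
    case truncatedHeader
    case truncatedPayload
}

/// Parses one frame (9-byte header followed by `length` payload bytes) from the
/// front of `bytes`. Returns the header and the total number of bytes consumed.
func parseFrame(_ bytes: UnsafeRawBufferPointer) throws -> (FrameHeader, Int) {
    guard bytes.count >= 9 else { throw FrameError.truncatedHeader }
    let length = Int(bytes[0]) << 16 | Int(bytes[1]) << 8 | Int(bytes[2])
    let type = bytes[3]
    let flags = bytes[4]
    let streamID = (UInt32(bytes[5]) << 24 | UInt32(bytes[6]) << 16
                    | UInt32(bytes[7]) << 8 | UInt32(bytes[8])) & 0x7FFF_FFFF
    let consumed = 9 + length
    guard bytes.count >= consumed else { throw FrameError.truncatedPayload }
    return (FrameHeader(length: length, type: type, flags: flags, streamID: streamID),
            consumed)
}

/// libFuzzer entry point. libFuzzer calls this once per generated input; any
/// Swift trap (overflow, out-of-bounds index, failed precondition) or sanitizer
/// report is recorded by the fuzzer as a crashing input and saved to disk.
@_cdecl("LLVMFuzzerTestOneInput")
public func fuzzFrameParser(_ start: UnsafeRawPointer, _ count: Int) -> CInt {
    let input = UnsafeRawBufferPointer(start: start, count: count)
    var offset = 0
    // Walk the input as a sequence of frames, the way a connection decoder would.
    while offset < input.count {
        let rest = UnsafeRawBufferPointer(rebasing: input[offset...])
        do {
            let (header, consumed) = try parseFrame(rest)
            // Invariants the parser must uphold on every input. A violation traps
            // here rather than corrupting state further down a real pipeline.
            precondition(consumed == 9 + header.length, "consumed bytes disagree with header")
            precondition(consumed <= rest.count, "parser claimed bytes it did not have")
            precondition(header.streamID <= 0x7FFF_FFFF, "reserved bit leaked into stream ID")
            offset += consumed
        } catch {
            // Truncated or malformed input is an expected, non-crashing outcome.
            return 0
        }
    }
    return 0
}
```

The harness does two things a unit test cannot do cheaply: it feeds the decoder inputs nobody thought to write, and it turns every invariant into a trap so the fuzzer reports it. Keep a persistent corpus directory and seed it with a few valid frames; libFuzzer mutates from there and retains any input that reaches new code, which is what lets it reach deep parser states on modest hardware.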