HTTP2 CVEs

[blatyo]

A number of CVE's were published yesterday that affect a lot of HTTP2 implementations. I wanted to flag them here in case ace is also vulnerable to any of them.

Relevant vulnerabilities: https://www.kb.cert.org/vuls/id/605641/
Example of some mitigations: kubernetes/ingress-nginx@333d9fd

[CrowdHailer]

At this point I think the only robust way to test this would be to try them out. Are there any tools that we can point at an Ace server and see how it manages.

Some of these issues I think would be at a lower level than Ace, but probably not all of them

[blatyo]

I'm not aware of any tools to test these things. Not sure about it being at a lower level either. I assumed since this lib implemented the server side of HTTP2, it'd be the place that fixes it. For, cowboy, these were the changes they made: ninenines/cowboy@ab44985

[CrowdHailer]

It probably is the place for most of the fixes that are required.
I still think it would be good to verify how each attack affects Ace, where possible

Probably the best thing to do would be to port the tests that were added in that commit you shared. then we would have a framework to check the fixes had worked