Hi, I am funded by Freexian SARL and thus reporting about my work in October 2023.
I reviewed the patch for CVE-2023-44487 in h2o backported by Anton Gladky regarding the ABI break in the shared library. Here, the difficulty arises from the need to add runtime state to an exported structure (which thus changes size) in order to mitigate the denial of service condition when the structure in question is typically user-allocated. Hence changing it would incur an out-of-bounds memory access.

Helmut
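An added illustration of the ABI problem described in the report above (not code from h2o or from the patch; the struct layouts, field names and functions are hypothetical): a library built against the grown structure writes past an object that the application allocated with the old size. The stray write is simulated inside a canary-filled heap buffer, so the program itself stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts, NOT h2o's real structures. */
struct conn_v1 {              /* layout the application was compiled against */
    int   fd;
    void *callbacks;
};

struct conn_v2 {              /* layout after the fix adds runtime state */
    int      fd;
    void    *callbacks;
    unsigned reset_budget;    /* constructed name for the new mitigation counter */
};

/* Stands in for the patched shared library: it assumes the v2 layout. */
static void lib_init(struct conn_v2 *c)
{
    c->fd = -1;
    c->callbacks = NULL;
    c->reset_budget = 100;    /* lands beyond sizeof(struct conn_v1) */
}

#define CANARY 0xAA

/* Number of bytes the library modified beyond an object of caller_size bytes.
 * The buffer is large enough for v2, so the write is only "out of bounds"
 * relative to what an unrebuilt caller would have allocated. */
size_t bytes_clobbered_past(size_t caller_size)
{
    size_t total = sizeof(struct conn_v2), i, n = 0;
    unsigned char *mem = malloc(total);
    if (mem == NULL)
        return (size_t)-1;
    memset(mem, CANARY, total);
    lib_init((struct conn_v2 *)mem);
    for (i = caller_size; i < total; i++)
        if (mem[i] != CANARY)
            n++;
    free(mem);
    return n;
}

int main(void)
{
    printf("old caller: %zu bytes clobbered\n", bytes_clobbered_past(sizeof(struct conn_v1)));
    printf("rebuilt caller: %zu bytes clobbered\n", bytes_clobbered_past(sizeof(struct conn_v2)));
    return 0;
}
```

An application rebuilt against the new header passes the larger size and sees no stray write; one that was not rebuilt has the new field written into whatever follows its allocation.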