Bump github.com/v2fly/v2ray-core/v4 from 4.43.0 to 4.45.2

[dependabot[bot]]

trafficstars

Bumps github.com/v2fly/v2ray-core/v4 from 4.43.0 to 4.45.2.

Release notes

Sourced from github.com/v2fly/v2ray-core/v4's releases.

v4.45.2

This release includes security enhancement for all users.

!!! Important SECURITY enhancement !!!

• Fix DoS attack vulnerability in VMess Option Processing. (Thanks @​nekohasekai )

Security Advisory

This update fixes a DoS vulnerability in V2Ray. This vulnerability allows a VMess Client with authentication information controlled by an attacker to crash a VMess Server by sending a specially crafted VMess handshake message with an invalid option or encryption type. This vulnerability does NOT allow the attacker to retrieve any information(other than it used an unpatched version of the software) and does NOT allow an attacker to control the unpatched software or system. It is strongly recommended for all users to apply this security update at the earliest possible opportunity. We would like to thank @​nekohasekai for the discovery of this vulnerability.

此更新修复了在 V2Ray 中的一个拒绝服务攻击漏洞。这个漏洞允许攻击者控制的拥有认证信息的 VMess 客户端迫使 VMess 服务器端崩溃。这个漏洞可以通过在 VMess 握手阶段由客户端发送一个恶意的数据包被触发，触发漏洞数据包拥有无效的选项或加密方式。 攻击者 无法 通过这个漏洞获取任何信息（除客户端尚未应用此安全更新以外），也 不会 允许攻击者控制客户端软件或系统。强烈推荐所有用户在第一时间应用本安全更新。我们在此感谢 @​nekohasekai 发现此漏洞。

Edit: Fixed a typo. Last version of this document withdrawn.

v4.45.1

This release have with withdrawn.

v4.45.0

Features

• SocksOpt Set TCP Keep Alive Parameters (#1483 Thanks @​ValdikSS)

Chores

• change scenarios tests of VMess to AEAD (Thanks @​AkinoKaede )
• bump github.com/lucas-clemente/quic-go to 0.27.0 (Thanks @​AkinoKaede )

Notice

Due to increase in size of the geoip.dat file recently, devices with insufficient ROM/RAM are experiencing difficulties in using V2Ray. The solution is as follows:

• For RAM insufficient devices: Enable the Geodata loader optimized for memory-constrained devices by setting the environment variable V2RAY_CONF_GEOLOADER to value memconservative. For more details, see documentation.
• For ROM insufficient devices:
  • Use the newly added GeoIP file geoip-only-cn-private.dat in the zip package or download it from release page, which only contains GeoIP list geoip:cn and geoip:private, or
  • Customize your own GeoIP file via project v2fly/geoip.

v4.44.0

This release includes security enhancement for all users.

!!! Important SECURITY enhancement !!!

• Fix DoS attack vulnerability in CommandSwitchAccountFactory (CVE-2021-4070). (Thanks @​geeknik)

Fix

• Apply timeout to DNS outbound. (#1330 Thanks @​nekohasekai)

Security Advisory

This update fixes a DoS vulnerability in V2Ray. This vulnerability allows a VMess Server controlled by an attacker to crash a VMess Client by sending a specially crafted handshake response reply with an (optional) VMess SwitchAccount Command that is one byte shorter than expected. This vulnerability does NOT allow the attacker to retrieve any information from a client other than it used an unpatched version of the software and does NOT allow attacker to control the unpatched software or system. It is strongly recommended for all users to apply this security update at the earliest possible opportunity. We would like to thank @​geeknik for the responsible disclosure of this vulnerability.

此更新修复了在 V2Ray 中的一个拒绝服务攻击漏洞。这个漏洞允许攻击者控制的 VMess 服务器迫使 VMess 客户端崩溃。这个漏洞可以通过在 VMess 握手阶段向客户端发送一个恶意的回复数据包被触发，触发漏洞数据包的内容是比正确内容少一个字节的 VMess 切换账户指令。 攻击者 无法 通过这个漏洞获取来自客户端任何信息（除客户端尚未应用此安全更新以外），也 不会 允许攻击者控制客户端软件或系统。强烈推荐所有用户在第一时间应用本安全更新。我们在此感谢 @​geeknik 将此漏洞负责任的披露给我们。

Important Message

V2Ray(V2Fly) will pre-release its next major version: V2Ray V5. In addition to functionality improvements, it will include a new configuration format and infrastructure changes that streamline the development of new protocols and functionalities.

... (truncated)

Commits

• 1c6e4bb update version
• 63d9bd2 update version
• 9132f94 Fix DoS attack vulnerability in VMess Option Processing
• 6dce0d9 Fix: format & lint (#1759)
• fcc5715 update version
• 0e01f58 Reformat go.mod
• 7c76868 Chore: change scenarios tests of VMess to AEAD
• 072fa3e Chore: bump github.com/lucas-clemente/quic-go from 0.26.0 to 0.27.0 (#1716)
• 386ca0b Update dependency version
• d0c6f86 Separate TcpKeepAliveIdle and TcpKeepAliveInterval check logic
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)