
fix(deps): update module github.com/quic-go/quic-go to v0.42.0 [security]

Open · renovate[bot] opened this issue 1 year ago · 1 comment

This PR contains the following updates:

Package: github.com/quic-go/quic-go
Change: v0.35.1 -> v0.42.0
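The update only matters where the checked-in requirement is still on a vulnerable line, so here is an added example (not Renovate's or quic-go's code) that reads a go.mod, extracts the required github.com/quic-go/quic-go version and reports which of the two advisories listed in this PR still apply to it. The first-fixed versions are the ones the release notes below state (v0.38.2, v0.39.4, v0.40.1 for CVE-2023-49295; v0.42.0 for CVE-2024-22189); the go.mod text is constructed for the demonstration, and treating every later minor line as carrying a fix is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod content for the demonstration (not the quicssh repo's file).
const sampleGoMod = `module example.com/quicssh

go 1.21

require (
	github.com/quic-go/quic-go v0.35.1
	golang.org/x/crypto v0.18.0 // indirect
)
`

// semver holds the parsed vMAJOR.MINOR.PATCH of a module version.
type semver struct{ major, minor, patch int }

func parseVersion(v string) (semver, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release / build metadata
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("bad version %q", v)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return semver{}, fmt.Errorf("bad version %q: %w", v, err)
		}
		n[i] = x
	}
	return semver{n[0], n[1], n[2]}, nil
}

// RequiredVersion returns the version a go.mod requires for the module path,
// handling both single-line and block "require" forms and trailing comments.
func RequiredVersion(gomod, path string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == path {
			return fields[1], true
		}
	}
	return "", false
}

// fixedIn lists, per CVE, the first patched version on each minor line as given
// by the release notes on this page. Any later minor line is assumed (not
// verified here) to carry the fix as well.
var fixedIn = map[string]map[int]int{
	"CVE-2023-49295": {38: 2, 39: 4, 40: 1, 41: 0},
	"CVE-2024-22189": {42: 0},
}

func isFixed(v semver, fixes map[int]int) bool {
	if v.major != 0 {
		return true // hypothetical: a v1+ release is treated as post-fix
	}
	latestMinor := 0
	for m := range fixes {
		if m > latestMinor {
			latestMinor = m
		}
	}
	if v.minor > latestMinor {
		return true
	}
	p, ok := fixes[v.minor]
	return ok && v.patch >= p
}

// UnfixedCVEs returns the advisories from this PR that still apply to the
// quic-go version required by the given go.mod (nil if quic-go is not required).
func UnfixedCVEs(gomod string) ([]string, error) {
	ver, ok := RequiredVersion(gomod, "github.com/quic-go/quic-go")
	if !ok {
		return nil, nil
	}
	v, err := parseVersion(ver)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, id := range []string{"CVE-2023-49295", "CVE-2024-22189"} {
		if !isFixed(v, fixedIn[id]) {
			out = append(out, id)
		}
	}
	return out, nil
}

func main() {
	cves, err := UnfixedCVEs(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("unfixed advisories:", cves)
}
```

Running it against the constructed go.mod (v0.35.1) reports both CVEs; substituting v0.40.1 leaves only CVE-2024-22189, and v0.42.0 clears both, which is why Renovate targets that version.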

GitHub Vulnerability Alerts

CVE-2023-49295

An attacker can cause its peer to run out of memory by sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/

There's no way to mitigate this attack; please update quic-go to a version that contains the fix.

CVE-2024-22189

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/. I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There's no way to mitigate this attack; please update quic-go to a version that contains the fix.
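Both advisories describe the same shape of bug: an incoming frame obliges the receiver to queue a reply, the attacker keeps the congestion window at zero so nothing is ever sent, and the reply queue grows without bound. The following Go model, added here and not quic-go's code, contrasts an unbounded reply queue with two bounded variants: pending PATH_RESPONSE data capped at the newest entries (older challenges are dropped, on the basis that validating a path only needs the most recent challenge answered), and pending RETIRE_CONNECTION_ID frames capped at a fixed backlog beyond which the connection is closed with an error, since a retirement cannot simply be forgotten. The caps of 1 and 32 are assumptions picked for the illustration; the limits quic-go actually chose are not stated on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Limits for the illustration; these are assumptions, not quic-go's values.
const (
	maxQueuedPathResponses = 1  // hypothetical: only the newest challenge is kept
	maxQueuedRetireFrames  = 32 // hypothetical: beyond this the connection is closed
)

var ErrTooManyRetirements = errors.New("too many queued RETIRE_CONNECTION_ID frames")

// ResponseQueue is the unbounded "before" shape: every incoming frame appends
// one pending reply and, while the congestion window is zero, nothing removes it.
type ResponseQueue struct {
	pending []uint64
}

func (q *ResponseQueue) Enqueue(v uint64) { q.pending = append(q.pending, v) }
func (q *ResponseQueue) Len() int          { return len(q.pending) }

// PathResponseQueue bounds pending PATH_RESPONSE frames by discarding the
// oldest challenge data once the cap is reached, so memory stays constant
// no matter how many PATH_CHALLENGE frames arrive.
type PathResponseQueue struct {
	pending [][8]byte
}

func (q *PathResponseQueue) OnPathChallenge(data [8]byte) {
	q.pending = append(q.pending, data)
	if extra := len(q.pending) - maxQueuedPathResponses; extra > 0 {
		q.pending = q.pending[extra:] // keep only the most recent entries
	}
}

func (q *PathResponseQueue) Len() int { return len(q.pending) }

// RetireQueue bounds pending RETIRE_CONNECTION_ID frames. A retirement must
// eventually be sent, so an excessive backlog is surfaced as an error that the
// caller turns into a connection close rather than being silently dropped.
type RetireQueue struct {
	pending []uint64
}

func (q *RetireQueue) OnRetire(seq uint64) error {
	if len(q.pending) >= maxQueuedRetireFrames {
		return ErrTooManyRetirements
	}
	q.pending = append(q.pending, seq)
	return nil
}

func (q *RetireQueue) Len() int { return len(q.pending) }

// SimulateFlood feeds n frames into each queue with the congestion window held
// at zero (nothing is ever dequeued) and reports the resulting sizes, plus the
// first error the bounded retire queue raised.
func SimulateFlood(n int) (unbounded, pathBounded, retireBounded int, retireErr error) {
	var u ResponseQueue
	var p PathResponseQueue
	var r RetireQueue
	for i := 0; i < n; i++ {
		u.Enqueue(uint64(i))
		var data [8]byte // constructed challenge payload
		data[0] = byte(i)
		p.OnPathChallenge(data)
		if retireErr == nil {
			retireErr = r.OnRetire(uint64(i))
		}
	}
	return u.Len(), p.Len(), r.Len(), retireErr
}

func main() {
	u, p, r, err := SimulateFlood(100000)
	fmt.Printf("unbounded=%d pathBounded=%d retireBounded=%d err=%v\n", u, p, r, err)
}
```

With 100,000 frames and no send opportunity, the unbounded queue holds 100,000 entries while the bounded queues hold 1 and 32; the retire queue additionally reports the overflow so the connection can be torn down instead of the process running out of memory.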


Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.42.0


New Features

  • added a qlog tracer for events that happen before / outside of established connection: #4305

Notable Changes

  • added a ClientHelloInfo.AddrVerified field: #4360
  • move callback controlling address verification (VerifySourceAddress) to the Transport: #4253 and #4362
  • connections that are closed before being accepted are not removed from the server's accept queue: #4245
  • http3: added a RoundTripOpt.CheckSettings callback to check the server's SETTINGS: #4355
  • http3: send the HTTP/3 settings value for Extended CONNECT (RFC 9220): #4341
  • http3: don't modify the user's quic.Config to enable QUIC datagram support: #4340

Fixes

  • mitigate a memory exhaustion attack against QUIC's connection ID mechanism: #4369
  • don't delay acknowledgments for packets during the handshake: #4279
  • fix deadlock when closing both Listener and Transport: #4332
  • fix handling of IPv4-mapped IPv6 addresses: #4309
  • fix duplicate logging of the key_discarded event for Handshake packets: #4274
  • send CONNECTION_REFUSED when refusing connections: #4250
  • http3: tighten validation logic for the :protocol pseudo header: #4261

What's Changed

New Contributors

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.41.0...v0.42.0

v0.41.0


New Features

  • When calling quic.Connection.SendDatagram, we now queue up to 32 DATAGRAMs before blocking this method: #4222. This should lead to significant performance improvements for applications that send a lot of datagrams.
  • DATAGRAM frames that don't fit into a packet (at the current MTU) are now dropped: #4221.
  • http3: The remote address (as a net.Addr) can now be obtained from the HTTP/3 request context using the http3.RemoteAddrContextKey: #4208. Thanks to @oncilla!
  • http3: When an http.Handler panics, the stream is now reset: #4181. Thanks to @WeidiDeng!
  • http3: The http3.Server now has a ConnContext function, working analogously to http.Server.ConnContext: #4230. Thanks to @rthellend!
  • logging: Information about the negotiated ALPN is logged using logging.ConnectionTracer.ChoseALPN: #4216. Thanks to @birneee!
  • qlog: The package now provides an implementation of the quic.Config.ConnectionTracer callback that reads the QLOGDIR environment variable, and writes qlogs to that directory. Thanks to @birneee!

Breaking Changes

  • This release drops support for Go 1.20 (#4195). We decided to drop support for the old Go version a little bit earlier than usual (before the Go 1.22 release) this time, since this allowed us to completely remove our custom TLS fork that was necessary before crypto/tls gained QUIC support in Go 1.21. If you rely on Go 1.20, you can continue using the v0.40.1 release.
  • The DroppedPacket callback on the logging.ConnectionTracer now contains the packet number of the dropped packet, allowing for better logging of duplicate packets: #4171

Other Changes

  • Only attempt 0-RTT resumption if the session ticket allowed 0-RTT: #4183
  • http3: The context cancelation error is now returned from RoundTrip: #4203
  • http3: use the AdditionalSettings on HTTP/3 requests: #4156

Please support quic-go!

Is your project / company relying on quic-go? Please consider funding the project. Any support is highly appreciated!

Changelog

New Contributors

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.40.0...v0.41.0

v0.40.1


This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.40.0...v0.40.1

v0.40.0


API Changes

  • Connection.{Send,Receive}Message was renamed to {Send,Receive}Datagram: #4116
  • Closing a Listener created from a Transport doesn't close already established QUIC connections: #4072
  • http3: the ResponseWriter now automatically discards the response body for HEAD requests: #4115

Other Changes / Fixes

  • Dial (as opposed to DialEarly) no longer performs a 0-RTT handshake, even if the session ticket allows 0-RTT: #4125
  • ClientHellos offering TLS versions older than 1.3 are now rejected (when using Go 1.20): #4130
  • EPERM sendmsg errors (see https://github.com/golang/go/issues/63322) are now automatically caught: #4111
  • Sending CONNECTION_REFUSED no longer spawns a new Go routine: #4091
  • Sending Retry packets no longer spawns a new Go routine: #4092

Please support quic-go!

Is your project / company relying on quic-go? Please consider funding the project. Any support is highly appreciated!

Changelog

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.39.0...v0.40.0

v0.39.4


This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.39.3...v0.39.4

v0.39.3


This patch contains two fixes:

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.39.2...v0.39.3

v0.39.2


This patch release fixes the control message length for the ECN control message on Linux systems (https://github.com/quic-go/quic-go/pull/4127), which led to sendmsg: invalid argument errors on some platforms.

v0.39.1


This patch release fixes the control message length for the ECN control message on FreeBSD systems (#4110), which led to sendmsg: invalid argument errors.

v0.39.0


New Features

  • quic-go now feeds ECN signals into its congestion controller (#4059). ECN is used by routers to signal congestion before queues overflow (and packets are dropped). When using ECN, there are a number of failure modes, which necessitates some rather complex validation logic; see section 13.4 of RFC 9000 for details. ECN support can be disabled by setting the QUIC_GO_DISABLE_ECN environment variable to true.
  • The HTTP/3 package introduced an http3.Error, making the errors returned by the http3 package more useful, and allowing easy assertions on the HTTP/3 error codes defined in RFC 9114: #4039

Other Changes

  • The key used to encrypt resumption tokens can now be configured using Transport.TokenGeneratorKey: #4066
  • The RTT is now saved in session tickets, even when not using 0-RTT, allowing for faster session resumption: #4042
  • The reason for dial cancelations is now returned when the context is canceled using a context.CancelCauseFunc: #4078

When using Go 1.21, make sure to build with (at least) Go 1.21.1, as this release fixes a remote-triggered panic in crypto/tls. See the release announcement for details.

Breaking Changes

  • Config.DisableVersionNegotiationPackets was moved to the Transport: #4047
  • Config.MaxTokenAge was moved to the Transport: #4084
  • Config.MaxRetryTokenAge was removed. The age limit for Retry tokens is now set to twice the handshake timeout: #4064
  • The handshake timeout is now set to twice the handshake idle timeout: #4063. For clients, it is recommended to limit the duration of the handshake by setting the context on the Dial call.
  • The logging.Tracer and logging.ConnectionTracer are now structs (not interfaces): #4082

Please support quic-go!

Is your project / company relying on quic-go? Please consider funding the project. Any support is highly appreciated!

Changelog

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.38.1...v0.39.0

v0.38.2


This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.38.1...v0.38.2

v0.38.1


What's Changed

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.38.0...v0.38.1

v0.38.0


Generic Segmentation Offload (GSO)

This release re-enables GSO by default. We shipped GSO support in v0.36.0 (see the release notes for that release for an explanation of what GSO is), but had to disable it due to problems in certain configurations and on certain platforms. We believe that we now manage to properly detect these and automatically fall back to the non-GSO code path (https://github.com/quic-go/quic-go/pull/4005). Th


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] · Aug 06 '24 06:08