fix(deps): update module github.com/pion/dtls/v2 to v2.2.4 [security] #680
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Generated by renovateBot
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.1.3->v2.2.4GitHub Vulnerability Alerts
GHSA-hxp2-xqf3-v83h
Impact
When attempting to unmarshal a Server Hello request we could attempt to unmarshal into a buffer that was too small. This could result in a panic leading the program to crash.
This issue could be abused to cause a denial of service.
Workaround
None
GHSA-4xgv-j62q-h3rj
Impact
During the unmarshalling of a hello verify request we could try to unmarshal into too small a buffer. is could result in a panic leading the program to crash.
This issue could be abused to cause a denial of service.
Workaround
None, upgrade to 2.2.4
CVE-2022-29189
Impact
A buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completes or times out. An attacker could exploit this to cause excessive memory usage.
Patches
Upgrade to Pion DTLS v2.1.4
Workarounds
No workarounds available, upgrade to Pion DTLS v2.1.4
References
Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.
For more information
If you have any questions or comments about this advisory:
CVE-2022-29190
Impact
An attacker can send packets that will send Pion DTLS into an infinite loop when processing.
Patches
Upgrade to Pion DTLS v2.1.4
Workarounds
No workarounds available, upgrade to Pion DTLS v2.1.4
References
Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.
For more information
If you have any questions or comments about this advisory:
CVE-2022-29222
Impact
A DTLS Client could provide a Certificate that it doesn't posses the private key for and Pion DTLS wouldn't reject it.
This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to v2.1.5
Patches
Upgrade to Pion DTLS v2.1.5
Workarounds
No workarounds available, upgrade to Pion DTLS v2.1.5
References
Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.
For more information
If you have any questions or comments about this advisory:
Release Notes
pion/dtls
v2.2.4Compare Source
Security
This release contains 2 patches by @nerd2 from Motorola Solutions that could lead to panics at runtime. We'd like to thank Sam for finding and responsibly disclosing the vulnerabilities to @pion/security.
Changelog
9e922d5Add fuzz tests for handshakea50d26cFix panic unmarshalling hello verify request7a14903Fix OOB read in server hellov2.2.3Compare Source
Changelog
8b8bc87Update module github.com/pion/udp to v0.1.4v2.2.2Compare Source
Changelog
0473adfAdd SkipHelloVerify option to dTLS11ea8c2Update module golang.org/x/crypto to v0.5.0f3c7b2dUpdate module golang.org/x/net to v0.5.03dca8e4Update github.com/pion/transport to v23606b0dUse Go's built-in fuzzing tool instead of go-fuzzb122250Update CI configs to v0.10.36aaf97cFix fuzzing of recordLayer3a6f531Update CI configs to v0.10.1d0f27feUpdate module github.com/pion/udp to v0.1.2205e480Update CI configs to v0.9.0f40c61dUpdate hash name check to be case insensitive3026357Update module golang.org/x/crypto to v0.4.008c3602Update module golang.org/x/net to v0.4.05e7f90fUpdate CI configs to v0.8.1c21afb8Ignore lint error on Subjects() deprecation0b11454Update module golang.org/x/crypto to v0.3.0265bf7aUpdate module golang.org/x/net to v0.2.0f4896b5Update module github.com/pion/transport to v0.14.11209570Update module github.com/pion/transport to v0.14.08eed8edUpdate module golang.org/x/crypto to v0.1.04ae7e13Update CI configs to v0.8.0984d41bUpdate golang.org/x/net digest to107f3e3aabc687Update golang.org/x/crypto digest toeccd6364f8fa1eUpdate golang.org/x/crypto digest toc86fa9a980895fUpdate golang.org/x/net digest to83b083ea04cfccImplement GetCertificate and GetClientCertificate43968a2Close connection when handshake timeout occursb8ebc62Set e2e/Dockerfile to golang:1.18-bullseye82c1271Implement VerifyConnection as is in tls.Configde299f5Make the Elliptic curves and order configurable66ec820Update golang.org/x/net digest to69896b7194c03aUpdate golang.org/x/crypto digest to05595930dd0f95Update module github.com/pion/transport to v0.13.10d729a7Update golang.org/x/net digest toc9606754589ddfUpdate golang.org/x/crypto digest to793ad66fa5afe3Update CI configs to v0.7.102d27879Fix KeyUsage on x509 template74571b5Fix CertificateVerify fored2551989cd8aeUpdate CI configs to v0.7.984b65adUpdate CI configs to v0.7.810d3c06Consolidate signaturehash tests189d384EnableED25519E2E testsba33f3dUse full image referencev2.2.1Compare Source
Changelog
0473adfAdd SkipHelloVerify option to dTLS11ea8c2Update module golang.org/x/crypto to v0.5.0f3c7b2dUpdate module golang.org/x/net to v0.5.03dca8e4Update github.com/pion/transport to v23606b0dUse Go's built-in fuzzing tool instead of go-fuzzb122250Update CI configs to v0.10.36aaf97cFix fuzzing of recordLayer3a6f531Update CI configs to v0.10.1d0f27feUpdate module github.com/pion/udp to v0.1.2205e480Update CI configs to v0.9.0f40c61dUpdate hash name check to be case insensitive3026357Update module golang.org/x/crypto to v0.4.008c3602Update module golang.org/x/net to v0.4.05e7f90fUpdate CI configs to v0.8.1c21afb8Ignore lint error on Subjects() deprecation0b11454Update module golang.org/x/crypto to v0.3.0265bf7aUpdate module golang.org/x/net to v0.2.0f4896b5Update module github.com/pion/transport to v0.14.11209570Update module github.com/pion/transport to v0.14.08eed8edUpdate module golang.org/x/crypto to v0.1.04ae7e13Update CI configs to v0.8.0984d41bUpdate golang.org/x/net digest to107f3e3aabc687Update golang.org/x/crypto digest toeccd6364f8fa1eUpdate golang.org/x/crypto digest toc86fa9a980895fUpdate golang.org/x/net digest to83b083ea04cfccImplement GetCertificate and GetClientCertificate43968a2Close connection when handshake timeout occursb8ebc62Set e2e/Dockerfile to golang:1.18-bullseye82c1271Implement VerifyConnection as is in tls.Configde299f5Make the Elliptic curves and order configurable66ec820Update golang.org/x/net digest to69896b7194c03aUpdate golang.org/x/crypto digest to05595930dd0f95Update module github.com/pion/transport to v0.13.10d729a7Update golang.org/x/net digest toc9606754589ddfUpdate golang.org/x/crypto digest to793ad66fa5afe3Update CI configs to v0.7.102d27879Fix KeyUsage on x509 template74571b5Fix CertificateVerify fored2551989cd8aeUpdate CI configs to v0.7.984b65adUpdate CI configs to v0.7.810d3c06Consolidate signaturehash tests189d384EnableED25519E2E testsba33f3dUse full image referencev2.2.0Compare Source
Changelog
5f48042Use Go's built-in fuzzing tool instead of go-fuzzb122250Update CI configs to v0.10.36aaf97cFix fuzzing of recordLayer3a6f531Update CI configs to v0.10.1d0f27feUpdate module github.com/pion/udp to v0.1.2205e480Update CI configs to v0.9.0f40c61dUpdate hash name check to be case insensitive3026357Update module golang.org/x/crypto to v0.4.008c3602Update module golang.org/x/net to v0.4.05e7f90fUpdate CI configs to v0.8.1c21afb8Ignore lint error on Subjects() deprecation0b11454Update module golang.org/x/crypto to v0.3.0265bf7aUpdate module golang.org/x/net to v0.2.0f4896b5Update module github.com/pion/transport to v0.14.11209570Update module github.com/pion/transport to v0.14.08eed8edUpdate module golang.org/x/crypto to v0.1.04ae7e13Update CI configs to v0.8.0984d41bUpdate golang.org/x/net digest to107f3e3aabc687Update golang.org/x/crypto digest toeccd6364f8fa1eUpdate golang.org/x/crypto digest toc86fa9a980895fUpdate golang.org/x/net digest to83b083ea04cfccImplement GetCertificate and GetClientCertificate43968a2Close connection when handshake timeout occursb8ebc62Set e2e/Dockerfile to golang:1.18-bullseye82c1271Implement VerifyConnection as is in tls.Configde299f5Make the Elliptic curves and order configurable66ec820Update golang.org/x/net digest to69896b7194c03aUpdate golang.org/x/crypto digest to05595930dd0f95Update module github.com/pion/transport to v0.13.10d729a7Update golang.org/x/net digest toc9606754589ddfUpdate golang.org/x/crypto digest to793ad66fa5afe3Update CI configs to v0.7.102d27879Fix KeyUsage on x509 template74571b5Fix CertificateVerify fored2551989cd8aeUpdate CI configs to v0.7.984b65adUpdate CI configs to v0.7.810d3c06Consolidate signaturehash tests189d384EnableED25519E2E testsba33f3dUse full image referencev2.1.5Compare Source
This release includes fixes for a security issue reported by the Mattermost security team. We'd like to thank them for the responsible disclosure and urge any consumers of the DTLS package to update.
v2.1.4Compare Source
This release includes fixes for two security issues reported by the Mattermost security team. We'd like to thank them for the responsible disclosure and urge any consumers of the DTLS package to update.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.