
Update module github.com/pion/dtls/v2 to v2.2.4 [SECURITY] #154

Status: Merged (1 commit, May 10, 2023)

Conversation

renovate[bot]

@renovate renovate bot commented May 10, 2023

Mend Renovate

This PR contains the following updates:

Package                  Type     Update   Change
github.com/pion/dtls/v2  require  minor    v2.1.5 -> v2.2.4

GitHub Vulnerability Alerts

GHSA-hxp2-xqf3-v83h

Impact

When attempting to unmarshal a Server Hello request we could attempt to unmarshal into a buffer that was too small. This could result in a panic leading the program to crash.

This issue could be abused to cause a denial of service.

Workaround

None

GHSA-4xgv-j62q-h3rj

Impact

During the unmarshalling of a hello verify request we could try to unmarshal into too small a buffer. This could result in a panic leading the program to crash.

This issue could be abused to cause a denial of service.

Workaround

None, upgrade to 2.2.4


Release Notes

pion/dtls

v2.2.4

Compare Source

Security

This release contains 2 patches by @nerd2 from Motorola Solutions that could lead to panics at runtime. We'd like to thank Sam for finding and responsibly disclosing the vulnerabilities to @pion/security.

Changelog

  • 9e922d5 Add fuzz tests for handshake
  • a50d26c Fix panic unmarshalling hello verify request
  • 7a14903 Fix OOB read in server hello

v2.2.3

Compare Source

Changelog

  • 8b8bc87 Update module github.com/pion/udp to v0.1.4

v2.2.2

Compare Source

Changelog

  • 0473adf Add SkipHelloVerify option to dTLS
  • 11ea8c2 Update module golang.org/x/crypto to v0.5.0
  • f3c7b2d Update module golang.org/x/net to v0.5.0
  • 3dca8e4 Update github.com/pion/transport to v2
  • 3606b0d Use Go's built-in fuzzing tool instead of go-fuzz
  • b122250 Update CI configs to v0.10.3
  • 6aaf97c Fix fuzzing of recordLayer
  • 3a6f531 Update CI configs to v0.10.1
  • d0f27fe Update module github.com/pion/udp to v0.1.2
  • 205e480 Update CI configs to v0.9.0
  • f40c61d Update hash name check to be case insensitive
  • 3026357 Update module golang.org/x/crypto to v0.4.0
  • 08c3602 Update module golang.org/x/net to v0.4.0
  • 5e7f90f Update CI configs to v0.8.1
  • c21afb8 Ignore lint error on Subjects() deprecation
  • 0b11454 Update module golang.org/x/crypto to v0.3.0
  • 265bf7a Update module golang.org/x/net to v0.2.0
  • f4896b5 Update module github.com/pion/transport to v0.14.1
  • 1209570 Update module github.com/pion/transport to v0.14.0
  • 8eed8ed Update module golang.org/x/crypto to v0.1.0
  • 4ae7e13 Update CI configs to v0.8.0
  • 984d41b Update golang.org/x/net digest to 107f3e3
  • aabc687 Update golang.org/x/crypto digest to eccd636
  • 4f8fa1e Update golang.org/x/crypto digest to c86fa9a
  • 980895f Update golang.org/x/net digest to 83b083e
  • a04cfcc Implement GetCertificate and GetClientCertificate
  • 43968a2 Close connection when handshake timeout occurs
  • b8ebc62 Set e2e/Dockerfile to golang:1.18-bullseye
  • 82c1271 Implement VerifyConnection as is in tls.Config
  • de299f5 Make the Elliptic curves and order configurable
  • 66ec820 Update golang.org/x/net digest to 69896b7
  • 194c03a Update golang.org/x/crypto digest to 0559593
  • 0dd0f95 Update module github.com/pion/transport to v0.13.1
  • 0d729a7 Update golang.org/x/net digest to c960675
  • 4589ddf Update golang.org/x/crypto digest to 793ad66
  • fa5afe3 Update CI configs to v0.7.10
  • 2d27879 Fix KeyUsage on x509 template
  • 74571b5 Fix CertificateVerify for ed25519
  • 89cd8ae Update CI configs to v0.7.9
  • 84b65ad Update CI configs to v0.7.8
  • 10d3c06 Consolidate signaturehash tests
  • 189d384 Enable ED25519 E2E tests
  • ba33f3d Use full image reference

v2.2.1

Compare Source

Changelog

  (same entries as the v2.2.2 changelog above)

v2.2.0

Compare Source

Changelog

  • 5f48042 Use Go's built-in fuzzing tool instead of go-fuzz
  • b122250 Update CI configs to v0.10.3
  • 6aaf97c Fix fuzzing of recordLayer
  • 3a6f531 Update CI configs to v0.10.1
  • d0f27fe Update module github.com/pion/udp to v0.1.2
  • 205e480 Update CI configs to v0.9.0
  • f40c61d Update hash name check to be case insensitive
  • 3026357 Update module golang.org/x/crypto to v0.4.0
  • 08c3602 Update module golang.org/x/net to v0.4.0
  • 5e7f90f Update CI configs to v0.8.1
  • c21afb8 Ignore lint error on Subjects() deprecation
  • 0b11454 Update module golang.org/x/crypto to v0.3.0
  • 265bf7a Update module golang.org/x/net to v0.2.0
  • f4896b5 Update module github.com/pion/transport to v0.14.1
  • 1209570 Update module github.com/pion/transport to v0.14.0
  • 8eed8ed Update module golang.org/x/crypto to v0.1.0
  • 4ae7e13 Update CI configs to v0.8.0
  • 984d41b Update golang.org/x/net digest to 107f3e3
  • aabc687 Update golang.org/x/crypto digest to eccd636
  • 4f8fa1e Update golang.org/x/crypto digest to c86fa9a
  • 980895f Update golang.org/x/net digest to 83b083e
  • a04cfcc Implement GetCertificate and GetClientCertificate
  • 43968a2 Close connection when handshake timeout occurs
  • b8ebc62 Set e2e/Dockerfile to golang:1.18-bullseye
  • 82c1271 Implement VerifyConnection as is in tls.Config
  • de299f5 Make the Elliptic curves and order configurable
  • 66ec820 Update golang.org/x/net digest to 69896b7
  • 194c03a Update golang.org/x/crypto digest to 0559593
  • 0dd0f95 Update module github.com/pion/transport to v0.13.1
  • 0d729a7 Update golang.org/x/net digest to c960675
  • 4589ddf Update golang.org/x/crypto digest to 793ad66
  • fa5afe3 Update CI configs to v0.7.10
  • 2d27879 Fix KeyUsage on x509 template
  • 74571b5 Fix CertificateVerify for ed25519
  • 89cd8ae Update CI configs to v0.7.9
  • 84b65ad Update CI configs to v0.7.8
  • 10d3c06 Consolidate signaturehash tests
  • 189d384 Enable ED25519 E2E tests
  • ba33f3d Use full image reference

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.
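A bounds-checked parser for the DTLS hello verify request body named in GHSA-4xgv-j62q-h3rj, added here as an example and not taken from pion/dtls: the layout follows RFC 6347 section 4.2.1 (2-byte version, 1-byte cookie length, cookie), the type and function names are my own, and RejectsAllPrefixes plays the role of the handshake fuzz test the release notes mention, feeding every truncated prefix of a constructed message to the parser.

```go
package main

import (
	"errors"
	"fmt"
)

// HelloVerifyRequest body per RFC 6347 section 4.2.1: a 2-byte
// ProtocolVersion, a 1-byte cookie length, then the cookie itself.
type HelloVerifyRequest struct {
	Major, Minor uint8
	Cookie       []byte
}

var ErrTruncated = errors.New("hello verify request: buffer too small")

// Unmarshal checks every length before indexing, so a short or lying
// message returns ErrTruncated instead of an index-out-of-range panic.
func (h *HelloVerifyRequest) Unmarshal(data []byte) error {
	const fixedLen = 3 // version (2 bytes) + cookie length (1 byte)
	if len(data) < fixedLen {
		return ErrTruncated
	}
	cookieLen := int(data[2])
	if len(data) < fixedLen+cookieLen {
		return ErrTruncated // declared cookie longer than bytes received
	}
	h.Major, h.Minor = data[0], data[1]
	h.Cookie = append([]byte(nil), data[fixedLen:fixedLen+cookieLen]...)
	return nil
}

// RejectsAllPrefixes mirrors what a handshake fuzz test asserts: every
// proper prefix of a valid message is rejected and nothing panics.
func RejectsAllPrefixes(msg []byte) (ok bool) {
	// A recovered panic is exactly the process crash the advisories describe.
	defer func() { if recover() != nil { ok = false } }()
	for n := 0; n < len(msg); n++ {
		var h HelloVerifyRequest
		if !errors.Is(h.Unmarshal(msg[:n]), ErrTruncated) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: DTLS 1.2 version bytes {254, 253}, 8-byte cookie.
	msg := append([]byte{254, 253, 8}, []byte("cookie01")...)
	fmt.Println("all truncated prefixes rejected:", RejectsAllPrefixes(msg))
}
```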


codecov bot commented May 10, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (e25856d) 95.94% compared to head (83f3306) 95.94%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #154   +/-   ##
=======================================
  Coverage   95.94%   95.94%           
=======================================
  Files          19       19           
  Lines        1725     1725           
=======================================
  Hits         1655     1655           
  Misses         62       62           
  Partials        8        8           
Flag Coverage Δ
go 95.94% <ø> (ø)
wasm 61.79% <ø> (ø)


@stv0g stv0g merged commit 57deb99 into master May 10, 2023
@stv0g stv0g deleted the renovate/go-github.com/pion/dtls/v2-vulnerability branch May 10, 2023 10:34