Skip to content

fix(deps): update module github.com/pion/dtls/v2 to v2.2.4 [security] #680

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update module github.com/pion/dtls/v2 to v2.2.4 [security] #680

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 16, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/pion/dtls/v2 require minor v2.1.3 -> v2.2.4

GitHub Vulnerability Alerts

GHSA-hxp2-xqf3-v83h

Impact

When attempting to unmarshal a Server Hello request we could attempt to unmarshal into a buffer that was too small. This could result in a panic leading the program to crash.

This issue could be abused to cause a denial of service.

Workaround

None

GHSA-4xgv-j62q-h3rj

Impact

During the unmarshalling of a hello verify request we could try to unmarshal into too small a buffer. is could result in a panic leading the program to crash.

This issue could be abused to cause a denial of service.

Workaround

None, upgrade to 2.2.4

CVE-2022-29189

Impact

A buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completes or times out. An attacker could exploit this to cause excessive memory usage.

Patches

Upgrade to Pion DTLS v2.1.4

Workarounds

No workarounds available, upgrade to Pion DTLS v2.1.4

References

Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.

For more information

If you have any questions or comments about this advisory:

CVE-2022-29190

Impact

An attacker can send packets that will send Pion DTLS into an infinite loop when processing.

Patches

Upgrade to Pion DTLS v2.1.4

Workarounds

No workarounds available, upgrade to Pion DTLS v2.1.4

References

Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.

For more information

If you have any questions or comments about this advisory:

CVE-2022-29222

Impact

A DTLS Client could provide a Certificate that it doesn't posses the private key for and Pion DTLS wouldn't reject it.

This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to v2.1.5

Patches

Upgrade to Pion DTLS v2.1.5

Workarounds

No workarounds available, upgrade to Pion DTLS v2.1.5

References

Thank you to Juho Nurminen and the Mattermost team for discovering and reporting this.

For more information

If you have any questions or comments about this advisory:

Release Notes

pion/dtls

v2.2.4

Compare Source

Security

This release contains 2 patches by @​nerd2 from Motorola Solutions that could lead to panics at runtime. We'd like to thank Sam for finding and responsibly disclosing the vulnerabilities to @​pion/security.

Changelog

  • 9e922d5 Add fuzz tests for handshake
  • a50d26c Fix panic unmarshalling hello verify request
  • 7a14903 Fix OOB read in server hello

v2.2.3

Compare Source

Changelog

  • 8b8bc87 Update module github.com/pion/udp to v0.1.4

v2.2.2

Compare Source

Changelog

  • 0473adf Add SkipHelloVerify option to dTLS
  • 11ea8c2 Update module golang.org/x/crypto to v0.5.0
  • f3c7b2d Update module golang.org/x/net to v0.5.0
  • 3dca8e4 Update github.com/pion/transport to v2
  • 3606b0d Use Go's built-in fuzzing tool instead of go-fuzz
  • b122250 Update CI configs to v0.10.3
  • 6aaf97c Fix fuzzing of recordLayer
  • 3a6f531 Update CI configs to v0.10.1
  • d0f27fe Update module github.com/pion/udp to v0.1.2
  • 205e480 Update CI configs to v0.9.0
  • f40c61d Update hash name check to be case insensitive
  • 3026357 Update module golang.org/x/crypto to v0.4.0
  • 08c3602 Update module golang.org/x/net to v0.4.0
  • 5e7f90f Update CI configs to v0.8.1
  • c21afb8 Ignore lint error on Subjects() deprecation
  • 0b11454 Update module golang.org/x/crypto to v0.3.0
  • 265bf7a Update module golang.org/x/net to v0.2.0
  • f4896b5 Update module github.com/pion/transport to v0.14.1
  • 1209570 Update module github.com/pion/transport to v0.14.0
  • 8eed8ed Update module golang.org/x/crypto to v0.1.0
  • 4ae7e13 Update CI configs to v0.8.0
  • 984d41b Update golang.org/x/net digest to 107f3e3
  • aabc687 Update golang.org/x/crypto digest to eccd636
  • 4f8fa1e Update golang.org/x/crypto digest to c86fa9a
  • 980895f Update golang.org/x/net digest to 83b083e
  • a04cfcc Implement GetCertificate and GetClientCertificate
  • 43968a2 Close connection when handshake timeout occurs
  • b8ebc62 Set e2e/Dockerfile to golang:1.18-bullseye
  • 82c1271 Implement VerifyConnection as is in tls.Config
  • de299f5 Make the Elliptic curves and order configurable
  • 66ec820 Update golang.org/x/net digest to 69896b7
  • 194c03a Update golang.org/x/crypto digest to 0559593
  • 0dd0f95 Update module github.com/pion/transport to v0.13.1
  • 0d729a7 Update golang.org/x/net digest to c960675
  • 4589ddf Update golang.org/x/crypto digest to 793ad66
  • fa5afe3 Update CI configs to v0.7.10
  • 2d27879 Fix KeyUsage on x509 template
  • 74571b5 Fix CertificateVerify for ed25519
  • 89cd8ae Update CI configs to v0.7.9
  • 84b65ad Update CI configs to v0.7.8
  • 10d3c06 Consolidate signaturehash tests
  • 189d384 Enable ED25519 E2E tests
  • ba33f3d Use full image reference

v2.2.1

Compare Source

Changelog

  • 0473adf Add SkipHelloVerify option to dTLS
  • 11ea8c2 Update module golang.org/x/crypto to v0.5.0
  • f3c7b2d Update module golang.org/x/net to v0.5.0
  • 3dca8e4 Update github.com/pion/transport to v2
  • 3606b0d Use Go's built-in fuzzing tool instead of go-fuzz
  • b122250 Update CI configs to v0.10.3
  • 6aaf97c Fix fuzzing of recordLayer
  • 3a6f531 Update CI configs to v0.10.1
  • d0f27fe Update module github.com/pion/udp to v0.1.2
  • 205e480 Update CI configs to v0.9.0
  • f40c61d Update hash name check to be case insensitive
  • 3026357 Update module golang.org/x/crypto to v0.4.0
  • 08c3602 Update module golang.org/x/net to v0.4.0
  • 5e7f90f Update CI configs to v0.8.1
  • c21afb8 Ignore lint error on Subjects() deprecation
  • 0b11454 Update module golang.org/x/crypto to v0.3.0
  • 265bf7a Update module golang.org/x/net to v0.2.0
  • f4896b5 Update module github.com/pion/transport to v0.14.1
  • 1209570 Update module github.com/pion/transport to v0.14.0
  • 8eed8ed Update module golang.org/x/crypto to v0.1.0
  • 4ae7e13 Update CI configs to v0.8.0
  • 984d41b Update golang.org/x/net digest to 107f3e3
  • aabc687 Update golang.org/x/crypto digest to eccd636
  • 4f8fa1e Update golang.org/x/crypto digest to c86fa9a
  • 980895f Update golang.org/x/net digest to 83b083e
  • a04cfcc Implement GetCertificate and GetClientCertificate
  • 43968a2 Close connection when handshake timeout occurs
  • b8ebc62 Set e2e/Dockerfile to golang:1.18-bullseye
  • 82c1271 Implement VerifyConnection as is in tls.Config
  • de299f5 Make the Elliptic curves and order configurable
  • 66ec820 Update golang.org/x/net digest to 69896b7
  • 194c03a Update golang.org/x/crypto digest to 0559593
  • 0dd0f95 Update module github.com/pion/transport to v0.13.1
  • 0d729a7 Update golang.org/x/net digest to c960675
  • 4589ddf Update golang.org/x/crypto digest to 793ad66
  • fa5afe3 Update CI configs to v0.7.10
  • 2d27879 Fix KeyUsage on x509 template
  • 74571b5 Fix CertificateVerify for ed25519
  • 89cd8ae Update CI configs to v0.7.9
  • 84b65ad Update CI configs to v0.7.8
  • 10d3c06 Consolidate signaturehash tests
  • 189d384 Enable ED25519 E2E tests
  • ba33f3d Use full image reference

v2.2.0

Compare Source

Changelog

  • 5f48042 Use Go's built-in fuzzing tool instead of go-fuzz
  • b122250 Update CI configs to v0.10.3
  • 6aaf97c Fix fuzzing of recordLayer
  • 3a6f531 Update CI configs to v0.10.1
  • d0f27fe Update module github.com/pion/udp to v0.1.2
  • 205e480 Update CI configs to v0.9.0
  • f40c61d Update hash name check to be case insensitive
  • 3026357 Update module golang.org/x/crypto to v0.4.0
  • 08c3602 Update module golang.org/x/net to v0.4.0
  • 5e7f90f Update CI configs to v0.8.1
  • c21afb8 Ignore lint error on Subjects() deprecation
  • 0b11454 Update module golang.org/x/crypto to v0.3.0
  • 265bf7a Update module golang.org/x/net to v0.2.0
  • f4896b5 Update module github.com/pion/transport to v0.14.1
  • 1209570 Update module github.com/pion/transport to v0.14.0
  • 8eed8ed Update module golang.org/x/crypto to v0.1.0
  • 4ae7e13 Update CI configs to v0.8.0
  • 984d41b Update golang.org/x/net digest to 107f3e3
  • aabc687 Update golang.org/x/crypto digest to eccd636
  • 4f8fa1e Update golang.org/x/crypto digest to c86fa9a
  • 980895f Update golang.org/x/net digest to 83b083e
  • a04cfcc Implement GetCertificate and GetClientCertificate
  • 43968a2 Close connection when handshake timeout occurs
  • b8ebc62 Set e2e/Dockerfile to golang:1.18-bullseye
  • 82c1271 Implement VerifyConnection as is in tls.Config
  • de299f5 Make the Elliptic curves and order configurable
  • 66ec820 Update golang.org/x/net digest to 69896b7
  • 194c03a Update golang.org/x/crypto digest to 0559593
  • 0dd0f95 Update module github.com/pion/transport to v0.13.1
  • 0d729a7 Update golang.org/x/net digest to c960675
  • 4589ddf Update golang.org/x/crypto digest to 793ad66
  • fa5afe3 Update CI configs to v0.7.10
  • 2d27879 Fix KeyUsage on x509 template
  • 74571b5 Fix CertificateVerify for ed25519
  • 89cd8ae Update CI configs to v0.7.9
  • 84b65ad Update CI configs to v0.7.8
  • 10d3c06 Consolidate signaturehash tests
  • 189d384 Enable ED25519 E2E tests
  • ba33f3d Use full image reference

v2.1.5

Compare Source

This release includes fixes for a security issue reported by the Mattermost security team. We'd like to thank them for the responsible disclosure and urge any consumers of the DTLS package to update.

v2.1.4

Compare Source

This release includes fixes for two security issues reported by the Mattermost security team. We'd like to thank them for the responsible disclosure and urge any consumers of the DTLS package to update.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant