Update module github.com/quic-go/quic-go to v0.48.2 [SECURITY] #197
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
deleted the
renovate/go-github.com-quic-go-quic-go-vulnerability
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.47.0->v0.48.2GitHub Vulnerability Alerts
CVE-2024-53259
Impact
An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used
IP_PMTUDISC_DO, the kernel would then return a "message too large" error onsendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).
As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).
Patches
The fix is easy: Use
IP_PMTUDISC_PROBEinstead ofIP_PMTUDISC_DO. This socket option only sets the DF bit, but disables the kernel's MTU tracking.Has the problem been patched? What versions should users upgrade to?
Fixed in https://github.com/quic-go/quic-go/pull/4729
Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Use iptables to drop ICMP Unreachable packets.
References
Are there any links users can visit to find out more?
This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
CVE-2024-53259 / GHSA-px8v-pp82-rcvr / GO-2024-3302
More information
Details
Impact
An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used
IP_PMTUDISC_DO, the kernel would then return a "message too large" error onsendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).
As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).
Patches
The fix is easy: Use
IP_PMTUDISC_PROBEinstead ofIP_PMTUDISC_DO. This socket option only sets the DF bit, but disables the kernel's MTU tracking.Has the problem been patched? What versions should users upgrade to?
Fixed in https://github.com/quic-go/quic-go/pull/4729
Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Use iptables to drop ICMP Unreachable packets.
References
Are there any links users can visit to find out more?
This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/
Severity
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go
CVE-2024-53259 / GHSA-px8v-pp82-rcvr / GO-2024-3302
More information
Details
ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
quic-go/quic-go (github.com/quic-go/quic-go)
v0.48.2Compare Source
This patch release contains fixes for three bugs, including a patch for CVE-2024-53259 (details).
Changelog
Full Changelog: quic-go/quic-go@v0.48.1...v0.48.2
v0.48.1Compare Source
This patch releases fixes a panic in the shutdown logic of the
http3.Serverthat was introduced in v0.48.0. Thanks to @WeidiDeng for the fix!Changelog
Full Changelog: quic-go/quic-go@v0.48.0...v0.48.1
v0.48.0Compare Source
New Features
The
http3.Servernow supports graceful shutdown: callingShutdownstops the server from accepting new connections, and new HTTP requests on existing connections. It continues serving existing connections until all active requests have completed (or the context is canceled).On the wire, graceful shutdown is signaled by sending a GOAWAY frame. This tells the client that the server will not accept any new requests. Clients are expected to finish existing requests and then close the QUIC connection.
Client-side support for graceful shutdown is not implemented yet (see #153).
Breaking Changes
qlog.DefaultTracerfunction was removed: #4697http3.Server.SetQuicHeadermethod andhttp3.ListenAndServewere removed: #4698http3.Server.Closenow closes immediately all QUIC connections: #4689Note that all connection passed to
http3.Server.ServeQUICConnneed to be closed by the caller, before callinghttp3.Server.Close.Notable Fixes
Stream.WriteandStream.Read(thanks to @sukunrt for the fix): #4673Readcall: #4683Behind The Scenes
We've started migrating our test suite away from Ginkgo (tracking issue: #3652), and towards a more idiomatic approach to testing Go code (using require). This is a massive endevour, as our test suite is around 47k LOC.
In this release, a large number of Go packages were translated: #4640, #4641, #4642, #4643, #4649, #4650, #4652, #4662, #4670, #4671, #4675, #4667, #4676, #4680, #4681.
In the upcoming release(s), we will continue this work.
Changelog
Full Changelog: quic-go/quic-go@v0.47.0...v0.48.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.