Skip to content
This repository was archived by the owner on Aug 15, 2025. It is now read-only.

fix(deps): update module github.com/quic-go/quic-go to v0.48.2 [security] #36

Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update module github.com/quic-go/quic-go to v0.48.2 [security] #36

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/quic-go/quic-go v0.41.0 -> v0.48.2 age confidence

GitHub Vulnerability Alerts

CVE-2024-22189

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/.
I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

CVE-2024-53259

Impact

An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.

By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).

As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).

Patches

The fix is easy: Use IP_PMTUDISC_PROBE instead of IP_PMTUDISC_DO. This socket option only sets the DF bit, but disables the kernel's MTU tracking.

Has the problem been patched? What versions should users upgrade to?

Fixed in https://github.com/quic-go/quic-go/pull/4729
Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Use iptables to drop ICMP Unreachable packets.

References

Are there any links users can visit to find out more?

This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/

Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.48.2

Compare Source

This patch release contains fixes for three bugs, including a patch for CVE-2024-53259 (details).

Changelog

Full Changelog: quic-go/quic-go@v0.48.1...v0.48.2

v0.48.1

Compare Source

This patch releases fixes a panic in the shutdown logic of the http3.Server that was introduced in v0.48.0. Thanks to @​WeidiDeng for the fix!

Changelog

Full Changelog: quic-go/quic-go@v0.48.0...v0.48.1

v0.48.0

Compare Source

New Features

The http3.Server now supports graceful shutdown: calling Shutdown stops the server from accepting new connections, and new HTTP requests on existing connections. It continues serving existing connections until all active requests have completed (or the context is canceled).

On the wire, graceful shutdown is signaled by sending a GOAWAY frame. This tells the client that the server will not accept any new requests. Clients are expected to finish existing requests and then close the QUIC connection.

Client-side support for graceful shutdown is not implemented yet (see #​153).

Breaking Changes

  • The HTTP/3 client API was made more consistent with the Go standard library's HTTP/1 and HTTP/2 naming: #​4693
  • The deprecated qlog.DefaultTracer function was removed: #​4697
  • The deprecated http3.Server.SetQuicHeader method and http3.ListenAndServe were removed: #​4698
  • http3.Server.Close now closes immediately all QUIC connections: #​4689

Note that all connection passed to http3.Server.ServeQUICConn need to be closed by the caller, before calling http3.Server.Close.

Notable Fixes

  • Canceling a stream after connection termination now doesn't change the error returned from Stream.Write and Stream.Read (thanks to @​sukunrt for the fix): #​4673
  • HTTP/3 Capsule Parsing logic didn't work for capsules that weren't read with a single Read call: #​4683

Behind The Scenes

We've started migrating our test suite away from Ginkgo (tracking issue: #​3652), and towards a more idiomatic approach to testing Go code (using require). This is a massive endeavour, as our test suite is around 41k LOC.

In this release, a large number of Go packages were translated: #​4640, #​4641, #​4642, #​4643, #​4649, #​4650, #​4652, #​4662, #​4670, #​4671, #​4675, #​4667, #​4676, #​4680, #​4681.

In the upcoming release(s), we will continue this work.

Changelog

Full Changelog: quic-go/quic-go@v0.47.0...v0.48.0

v0.47.0

Compare Source

New Features

This release adds support for HTTP/3 Trailers, for both the server and the client side (#​4581, #​4630, #​4656, #​4639). Trailers work exactly the same way as for HTTP/1.1 and HTTP/2.

A big thank you to @​sudorandom for contributing this feature!

Fixes

  • idle timeout calculation when the peer sends a max_idle_timeout of 0 (or omits the transport parameter): #​4666
  • fix handling of corrupted coalesced 1-RTT packets: #​4663
  • qpack: don't reject literal field lines with name references if N bit is set to 1: https://github.com/quic-go/qpack/pull/52
  • http3: correctly set the http.Response.ContentLength on responses that don't set the Content-Length header: #​4645
  • http3: reject connection-specific header fields (Connection, Keep-Alive, Proxy-Connection, Transfer-Encoding, Upgrade and TE != "trailers"): #​4646, #​4655

Breaking Changes

  • quic.VersionNumber and logging.VersionNumber were removed: #​4627

Heads-Up

@​sukunrt recently discovered and reported a race condition in the new time.Timer stopping logic introduced in Go 1.23. This manifests as a connection deadlock in quic-go. See #​4659 and https://github.com/golang/go/issues/69312 for more details. The new behavior is enabled when compiling with Go 1.23.x, and when the Go version in go.mod is set to Go 1.23.x.

Until this issue is fixed, it is recommended to either use Go 1.22.x, or to use GODEBUG="asynctimerchan=1" when compiling quic-go.

Update (Oct 1st 2024)

The Go project backported the fix (https://github.com/golang/go/issues/69333) to the 1.23 branch, and released it in Go 1.23.2. This resolves above-mentioned issue. quic-go can now be built with Go 1.23.2, without the need to set any GODEBUG flags.

Changelog

New Contributors

Full Changelog: quic-go/quic-go@v0.46.0...v0.47.0

v0.46.0

Compare Source

New Features

  • The http3.Server now has an IdleTimeout field: #​4587. It works analogous to its HTTP/2 standard library equivalent: If no requests are received for the idle timeout period, the underlying QUIC connection is closed. Thanks to @​rs for implementing.
  • The qlog file format was updated to the current qlog draft, which now uses JSON sequences (JSON-SEQ): #​4609. qlog files now have the file extension .sqlog.

Breaking Changes

  • logging.VersionNumber was renamed to logging.Version (#​4621), mirroring a similar renaming of quic.VersionNumber to quic.Version introduced in an earlier release
  • internal_error TLS alerts are now sent as QUIC CRYPTO_ERRORs (and not INTERNAL_ERRORs): #​4601

Other Notable Changes

The stream logic for queueing stream-related control frames (RESET_STREAM, STOP_SENDING, MAX_STREAM_DATA, STREAM_DATA_BLOCKED) was completely rewritten. This makes quic-go more resilient to memory exhaustion attacks similar to those that we've seen earlier this year (1 and 2). It also enables further frame packing optimizations in the future.

Changelog

Full Changelog: quic-go/quic-go@v0.45.0...v0.46.0

v0.45.2

Compare Source

This patch release fixes a bug in the stream state machine, which could lead to streams not being properly marked completed: #​4605.

Thanks to @​sukunrt for discovering and fixing this bug.

v0.45.1

Compare Source

This patch release contains two fixes:

  • The new Prometheus metrics DefaultConnectionTracer was implemented incorrectly, leading to incorrect metrics being collected: #​4560
  • The http3.RoundTripper was caching the dial error (#​4561). Instead, we should re-dial the QUIC connection: #​4573

Full Changelog: quic-go/quic-go@v0.45.0...v0.45.1

v0.45.0

Compare Source

New Features

Prometheus

quic-go now exports a few Prometheus metrics, allowing users to get an aggregate picture of what's going on inside their QUIC stack. Currently, only a basic set of metrics is exposed, but we plan to track more metrics in the future (#​4554). Head to the documentation to learn how to enable metrics collection.

Prometheus metrics can be used (among others) to build Grafana dashboards, and we provide a sample Grafana dashboard in metrics/dashboard.

Tracing Handshake Progression using a custom context.Context

Users can now set and modify the context that's used on all callbacks called during the handshake, and returned from Connection.Context (#​4507 and #​4536). This allows identifying the connection as it progresses through the different handshake stages. The documentation has more details and code samples.

Better Path MTU Discovery

Path MTU Discovery is used to automatically determine the available MTU of the path, which allows us to send full-size packets. This is especially relevant for high-bandwidth transfers.

Our old PMTUD algorithm was susceptible to packet loss, leading to suboptimal results if an MTU probe packet experienced packet loss in the network. The new algorithm (#​4545) is now resilient to the consecutive loss of up to two probe packets.

Breaking Changes

  • Connection.NextConnection now takes a context and correctly handles handshake failures (#​4551)
  • qlog: DefaultTracer was renamed to DefaultConnectionTracer (#​4556)
  • The ConnectionTracingKey is now deprecated. Use Transport.ConnContext to set your own tracing key (#​4532)

Fixes

  • The server now correctly restores its QUIC transport parameters when resuming 0-RTT using a tls.Config that sets GetConfigForClient: (#​4550)

Changelog

Full Changelog: quic-go/quic-go@v0.44.0...v0.45.0

v0.44.0

Compare Source

v0.44 contains a lot of fixes related to HTTP Datagrams, new logic to determine (and configure) the QUIC packet size, as well as a significant speedup of the various parsers.

HTTP Datagram-related Fixes

The last release introduced support for HTTP Datagrams (RFC 9297). This release resolves a number of problems we discovered in the initial implementation:

QUIC Packet Size and Path MTU Discovery

Speeding up Parsing the variable-length Integers

The QUIC varint parser was rewritten to act on byte slices instead of a bytes.Reader. This is significantly faster (https://github.com/quic-go/quic-go/pull/4475). The new parser is now used for parsing QUIC frames (https://github.com/quic-go/quic-go/pull/4484), the QUIC packet header (https://github.com/quic-go/quic-go/pull/4481), the QUIC transport parameters (https://github.com/quic-go/quic-go/pull/4483) and HTTP datagrams (https://github.com/quic-go/quic-go/pull/4478).

Other Notable Changes

quic-go needs your support!

Is your project / company relying on quic-go?
Please consider funding the project. Any support is highly appreciated!

What's Changed

New Contributors

Full Changelog: quic-go/quic-go@v0.43.0...v0.44.0

v0.43.1

Compare Source

This is a patch release that fixes a regression when calling http3.Server.ConnContext introduced in v0.43.0.

Changelog

Full Changelog: quic-go/quic-go@v0.43.0...v0.43.1

v0.43.0

Compare Source

quic-go.net: Launching a new Documentation Site

With this release, we're launching a new documentation site for the quic-go projects (quic-go itself, HTTP/3, webtransport-go, and soon, masque-go): quic-go.net.

The documentation site aims to explain QUIC concepts and how they are made accessible using quic-go's API. This site replaces the wiki, and the ever-growing README files.

A lot of work has gone into the documentation already, but we're by no means done yet. The entire source is public in https://github.com/quic-go/docs/, and we're happy about community contributions.

HTTP Datagrams (RFC 9297)

This release adds support for HTTP Datagrams (RFC 9297), both on the client and on the server side (#​4452). HTTP Datagrams are used in WebTransport in CONNECT-UDP (RFC 9298), among others.

The new API for HTTP Datagrams is described on the new documentation page: HTTP Datagrams. The integration of HTTP Datagram support necessitated a comprehensive refactor of the HTTP/3 package, resulting in several breaking API changes listed below.

Breaking Changes

  • quicvarint: functions now return an int instead the internal protocol.ByteCount (#​4365)
  • http3: Server.SetQuicHeaders was renamed to SetQUICHeaders (#​4377)
  • http3: Server.QuicConfig was renamed to QUICConfig (#​4384)
  • http3: RoundTripper.QuicConfig was renamed to QUICConfig (#​4385)
  • http3: RoundTripOpt.CheckSettings was removed (#​4416). Use the newSingleDestinationRoundTripper API instead.
  • http3: the HTTPStreamer interface is now implemented by the http.ResponseWriter (and not the http.Request.Body) (#​4469)
  • include the maximum payload size in the DatagramTooLargeError (#​4470)

Other Notable Changes

  • GSO and ECN is disabled on kernel versions older than 5 (#​4456)
  • http3: logging can be controlled using an slog.Logger (#​4449)
  • http3: HEAD requests can now be sent in 0-RTT (#​4378)
  • http3: duplicate QPACK encoder and decoder streams are not rejected as required by the RFC (#​4388)
  • http3: Extended CONNECT are blocked until the server's SETTINGS are received, as required by the RFC (#​4450)
  • http3: HTTP/3 client connections aren't removed if RoundTrip errors due to a cancelled context ([#​4448](https://redirect.github.com/quic-

@renovate renovate bot force-pushed the renovate/go-github.com-quic-go-quic-go-vulnerability branch from e7bd8aa to 32e0e2e Compare December 2, 2024 20:16
@renovate renovate bot changed the title fix(deps): update module github.com/quic-go/quic-go to v0.42.0 [security] fix(deps): update module github.com/quic-go/quic-go to v0.48.2 [security] Dec 2, 2024
@renovate
Copy link
Author

renovate bot commented Dec 2, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 10 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.19.0 -> v0.26.0
golang.org/x/sys v0.17.0 -> v0.23.0
google.golang.org/protobuf v1.32.0 -> v1.33.0
github.com/quic-go/qpack v0.4.0 -> v0.5.1
golang.org/x/exp v0.0.0-20240205201215-2c58cdc269a3 -> v0.0.0-20240506185415-9bf2ced13842
golang.org/x/mod v0.15.0 -> v0.17.0
golang.org/x/net v0.20.0 -> v0.28.0
golang.org/x/sync v0.6.0 -> v0.8.0
golang.org/x/text v0.14.0 -> v0.17.0
golang.org/x/tools v0.17.0 -> v0.21.1-0.20240508182429-e35e4ccd0d2d

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant