daeuniverse/softwind

[New quic-go version] v0.40.1

Closed this issue 9 months ago · 0 comments

github-actions commented 9 months ago

This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:

limit the number of queued PATH_RESPONSE frames to 256 (#4199)
don't retransmit PATH_CHALLENGE and PATH_RESPONSE frames (#4200)

Full Changelog: v0.40.0...v0.40.1

https://github.com/quic-go/quic-go/releases/tag/v0.40.1