fix(deps): update module github.com/quic-go/quic-go to v0.48.2 [security] #36
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.41.0
->v0.48.2
GitHub Vulnerability Alerts
CVE-2024-22189
An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.
I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/.
I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683
There's no way to mitigate this attack, please update quic-go to a version that contains the fix.
CVE-2024-53259
Impact
An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used
IP_PMTUDISC_DO
, the kernel would then return a "message too large" error onsendmsg
, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).
As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).
Patches
The fix is easy: Use
IP_PMTUDISC_PROBE
instead ofIP_PMTUDISC_DO
. This socket option only sets the DF bit, but disables the kernel's MTU tracking.Has the problem been patched? What versions should users upgrade to?
Fixed in https://github.com/quic-go/quic-go/pull/4729
Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Use iptables to drop ICMP Unreachable packets.
References
Are there any links users can visit to find out more?
This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/
Release Notes
quic-go/quic-go (github.com/quic-go/quic-go)
v0.48.2
Compare Source
This patch release contains fixes for three bugs, including a patch for CVE-2024-53259 (details).
Changelog
Full Changelog: quic-go/quic-go@v0.48.1...v0.48.2
v0.48.1
Compare Source
This patch releases fixes a panic in the shutdown logic of the
http3.Server
that was introduced in v0.48.0. Thanks to @WeidiDeng for the fix!Changelog
Full Changelog: quic-go/quic-go@v0.48.0...v0.48.1
v0.48.0
Compare Source
New Features
The
http3.Server
now supports graceful shutdown: callingShutdown
stops the server from accepting new connections, and new HTTP requests on existing connections. It continues serving existing connections until all active requests have completed (or the context is canceled).On the wire, graceful shutdown is signaled by sending a GOAWAY frame. This tells the client that the server will not accept any new requests. Clients are expected to finish existing requests and then close the QUIC connection.
Client-side support for graceful shutdown is not implemented yet (see #153).
Breaking Changes
qlog.DefaultTracer
function was removed: #4697http3.Server.SetQuicHeader
method andhttp3.ListenAndServe
were removed: #4698http3.Server.Close
now closes immediately all QUIC connections: #4689Note that all connection passed to
http3.Server.ServeQUICConn
need to be closed by the caller, before callinghttp3.Server.Close
.Notable Fixes
Stream.Write
andStream.Read
(thanks to @sukunrt for the fix): #4673Read
call: #4683Behind The Scenes
We've started migrating our test suite away from Ginkgo (tracking issue: #3652), and towards a more idiomatic approach to testing Go code (using require). This is a massive endevour, as our test suite is around 47k LOC.
In this release, a large number of Go packages were translated: #4640, #4641, #4642, #4643, #4649, #4650, #4652, #4662, #4670, #4671, #4675, #4667, #4676, #4680, #4681.
In the upcoming release(s), we will continue this work.
Changelog
Full Changelog: quic-go/quic-go@v0.47.0...v0.48.0
v0.47.0
Compare Source
New Features
This release adds support for HTTP/3 Trailers, for both the server and the client side (#4581, #4630, #4656, #4639). Trailers work exactly the same way as for HTTP/1.1 and HTTP/2.
A big thank you to @sudorandom for contributing this feature!
Fixes
max_idle_timeout
of 0 (or omits the transport parameter): #4666N
bit is set to 1: https://github.com/quic-go/qpack/pull/52http.Response.ContentLength
on responses that don't set theContent-Length
header: #4645Connection
,Keep-Alive
,Proxy-Connection
,Transfer-Encoding
,Upgrade
andTE != "trailers"
): #4646, #4655Breaking Changes
quic.VersionNumber
andlogging.VersionNumber
were removed: #4627Heads-Up
@sukunrt recently discovered and reported a race condition in the new
time.Timer
stopping logic introduced in Go 1.23. This manifests as a connection deadlock in quic-go. See #4659 and https://github.com/golang/go/issues/69312 for more details. The new behavior is enabled when compiling with Go 1.23.x, and when the Go version ingo.mod
is set to Go 1.23.x.Until this issue is fixed, it is recommended to either use Go 1.22.x, or to use
GODEBUG="asynctimerchan=1"
when compiling quic-go.Update (Oct 1st 2024)
The Go project backported the fix (https://github.com/golang/go/issues/69333) to the 1.23 branch, and released it in Go 1.23.2. This resolves above-mentioned issue. quic-go can now be built with Go 1.23.2, without the need to set any GODEBUG flags.
Changelog
New Contributors
Full Changelog: quic-go/quic-go@v0.46.0...v0.47.0
v0.46.0
Compare Source
New Features
http3.Server
now has anIdleTimeout
field: #4587. It works analogous to its HTTP/2 standard library equivalent: If no requests are received for the idle timeout period, the underlying QUIC connection is closed. Thanks to @rs for implementing..sqlog
.Breaking Changes
logging.VersionNumber
was renamed tologging.Version
(#4621), mirroring a similar renaming ofquic.VersionNumber
toquic.Version
introduced in an earlier releaseinternal_error
TLS alerts are now sent as QUIC CRYPTO_ERRORs (and not INTERNAL_ERRORs): #4601Other Notable Changes
The stream logic for queueing stream-related control frames (RESET_STREAM, STOP_SENDING, MAX_STREAM_DATA, STREAM_DATA_BLOCKED) was completely rewritten. This makes quic-go more resilient to memory exhaustion attacks similar to those that we've seen earlier this year (1 and 2). It also enables further frame packing optimizations in the future.
Changelog
Full Changelog: quic-go/quic-go@v0.45.0...v0.46.0
v0.45.2
Compare Source
This patch release fixes a bug in the stream state machine, which could lead to streams not being properly marked completed: #4605.
Thanks to @sukunrt for discovering and fixing this bug.
v0.45.1
Compare Source
This patch release contains two fixes:
Full Changelog: quic-go/quic-go@v0.45.0...v0.45.1
v0.45.0
Compare Source
New Features
Prometheus
quic-go now exports a few Prometheus metrics, allowing users to get an aggregate picture of what's going on inside their QUIC stack. Currently, only a basic set of metrics is exposed, but we plan to track more metrics in the future (#4554). Head to the documentation to learn how to enable metrics collection.
Prometheus metrics can be used (among others) to build Grafana dashboards, and we provide a sample Grafana dashboard in metrics/dashboard.
Tracing Handshake Progression using a custom
context.Context
Users can now set and modify the context that's used on all callbacks called during the handshake, and returned from
Connection.Context
(#4507 and #4536). This allows identifying the connection as it progresses through the different handshake stages. The documentation has more details and code samples.Better Path MTU Discovery
Path MTU Discovery is used to automatically determine the available MTU of the path, which allows us to send full-size packets. This is especially relevant for high-bandwidth transfers.
Our old PMTUD algorithm was susceptible to packet loss, leading to suboptimal results if an MTU probe packet experienced packet loss in the network. The new algorithm (#4545) is now resilient to the consecutive loss of up to two probe packets.
Breaking Changes
Connection.NextConnection
now takes a context and correctly handles handshake failures (#4551)DefaultTracer
was renamed toDefaultConnectionTracer
(#4556)ConnectionTracingKey
is now deprecated. UseTransport.ConnContext
to set your own tracing key (#4532)Fixes
tls.Config
that setsGetConfigForClient
: (#4550)Changelog
Full Changelog: quic-go/quic-go@v0.44.0...v0.45.0
v0.44.0
Compare Source
v0.44 contains a lot of fixes related to HTTP Datagrams, new logic to determine (and configure) the QUIC packet size, as well as a significant speedup of the various parsers.
HTTP Datagram-related Fixes
The last release introduced support for HTTP Datagrams (RFC 9297). This release resolves a number of problems we discovered in the initial implementation:
QUIC Packet Size and Path MTU Discovery
quic.Config
. Most users should not use this config option, but instead rely on Path MTU discovery (https://github.com/quic-go/quic-go/pull/4503)max_udp_payload_size
transport parameter (https://github.com/quic-go/quic-go/pull/4514)mtu_updated
event (https://github.com/quic-go/quic-go/pull/4517)Speeding up Parsing the variable-length Integers
The QUIC varint parser was rewritten to act on byte slices instead of a
bytes.Reader
. This is significantly faster (https://github.com/quic-go/quic-go/pull/4475). The new parser is now used for parsing QUIC frames (https://github.com/quic-go/quic-go/pull/4484), the QUIC packet header (https://github.com/quic-go/quic-go/pull/4481), the QUIC transport parameters (https://github.com/quic-go/quic-go/pull/4483) and HTTP datagrams (https://github.com/quic-go/quic-go/pull/4478).Other Notable Changes
ParseCapsule
now returns anio.EOF
(and not anio.UnexpectedEOF
) if the underlying reader returns anio.EOF
on the first byte (https://github.com/quic-go/quic-go/pull/4476)ListenAndServe
was renamed toListenAndServeTLS
(https://github.com/quic-go/quic-go/pull/4522). Thanks to @ETZhangSX!Connection
to theConnContext
callback (https://github.com/quic-go/quic-go/pull/4480). Thanks to @rthellend!quic-go needs your support!
Is your project / company relying on quic-go?
Please consider funding the project. Any support is highly appreciated!
What's Changed
New Contributors
Full Changelog: quic-go/quic-go@v0.43.0...v0.44.0
v0.43.1
Compare Source
This is a patch release that fixes a regression when calling
http3.Server.ConnContext
introduced in v0.43.0.Changelog
Full Changelog: quic-go/quic-go@v0.43.0...v0.43.1
v0.43.0
Compare Source
quic-go.net: Launching a new Documentation Site
With this release, we're launching a new documentation site for the quic-go projects (quic-go itself, HTTP/3, webtransport-go, and soon, masque-go): quic-go.net.
The documentation site aims to explain QUIC concepts and how they are made accessible using quic-go's API. This site replaces the wiki, and the ever-growing README files.
A lot of work has gone into the documentation already, but we're by no means done yet. The entire source is public in https://github.com/quic-go/docs/, and we're happy about community contributions.
HTTP Datagrams (RFC 9297)
This release adds support for HTTP Datagrams (RFC 9297), both on the client and on the server side (#4452). HTTP Datagrams are used in WebTransport in CONNECT-UDP (RFC 9298), among others.
The new API for HTTP Datagrams is described on the new documentation page: HTTP Datagrams. The integration of HTTP Datagram support necessitated a comprehensive refactor of the HTTP/3 package, resulting in several breaking API changes listed below.
Breaking Changes
int
instead the internalprotocol.ByteCount
(#4365)Server.SetQuicHeaders
was renamed toSetQUICHeaders
(#4377)Server.QuicConfig
was renamed toQUICConfig
(#4384)RoundTripper.QuicConfig
was renamed toQUICConfig
(#4385)RoundTripOpt.CheckSettings
was removed (#4416). Use the newSingleDestinationRoundTripper
API instead.HTTPStreamer
interface is now implemented by thehttp.ResponseWriter
(and not thehttp.Request.Body
) (#4469)DatagramTooLargeError
(#4470)Other Notable Changes
slog.Logger
(#4449)RoundTrip
errors due to a cancelled context (#4448). Thanks to @GeorgeMac!Context
exposed on thequic.Stream
is now derived from the connection's context (#4414)Clarifications on the QUIC Stream State Machine
Calling CancelWrite after Close
After a long and fruitful discussion (#4404), we decided to clarify that calling
CancelWrite
afterClose
on aSendStream
(or a bidirectional stream) should cause a state transition from the "Data Sent" to the "Reset Sent" state, as described in section 3.1 of RFC 9000. This matches the current behavior of quic-go, however, it didn't match the API documentation (fixed in [