quic-go v0.40.1 (CVE-2023-49295) #9287

bt90 · 2023-12-13T11:21:23Z

quic-go fixed a vulnerability in the most recent patch release. I couldn't find any details yet, but it was backported down to v0.37.x which is an indicator for a higher severity.

calmh · 2023-12-13T11:36:32Z

If you find out details and they are horrific, yell and I'll do the needful for a release.

bt90 · 2023-12-13T11:44:27Z

Glimpsing over what has been fixed, this smells like a DoS vulnerability.

* main: (89 commits) build: Update quic-go (fixes syncthing#9287) lib/model: Only handle relevant folder summaries (kqueue) (fixes syncthing#9183) (syncthing#9288) lib/model: Use a single lock (phase two: cleanup) (syncthing#9276) build(deps): bump actions/setup-go from 4 to 5 (syncthing#9279) lib/model: Use a single lock (syncthing#9275) cmd/syncthing: Better cli stdin handling (ref syncthing#9166) (syncthing#9281) cmd/syncthing: Mostly replace urfave/cli command line parser with alecthomas/kong (syncthing#9166) lib/nat: Fix test build failure (ref syncthing#9010) lib/model: Add pmut locking for DeviceStatistics (fixes syncthing#9274) lib/model: Add pmut locking for DeviceStatistics (fixes syncthing#9274) lib/model: Remove spurious "replacing service" failure event (ref syncthing#9271) lib/model: Remove spurious "replacing service" failure event (ref syncthing#9271) lib/nat, lib/upnp: IPv6 UPnP support (syncthing#9010) gui, man, authors: Update docs, translations, and contributors gui: Show folder/device status on small screens (syncthing#8643) lib/model: Remove runner during folder cleanup (fixes syncthing#9269) (syncthing#9271) build: Update dependencies (syncthing#9265) build: Revert specifics for Go 1.21.4, build using Go 1.21.5 (syncthing#9264) lib/fs: Reduce memory usage in xattrs handling (syncthing#9251) lib/model: Improve LastSeen handling (syncthing#9256) ...

* main: Update dependencies (syncthing#9321) gui: Always inform about loading data in Restore Versions modal (syncthing#9317) lib/build: Allow semver build in version regex (fixes syncthing#9267) (syncthing#9316) gui: Keep short deviceID length consistent + xrefs (fixes syncthing#9313) (syncthing#9314) build(deps): bump actions/download-artifact from 3 to 4 (syncthing#9294) build(deps): bump actions/upload-artifact from 3 to 4 (syncthing#9293) gui, man, authors: Update docs, translations, and contributors gui, lib/scanner: Improve scan progress indication (ref syncthing#8331) (syncthing#9308) lib/protocol: handle empty names in unixOwnershipEqual (fixes syncthing#9039) (syncthing#9306) gui, man, authors: Update docs, translations, and contributors etc/linux-desktop: use double dash for long options (syncthing#9301) lib/connections: Skip allocation in check for missing port (syncthing#9297) lib/upgrade: Extract signing key to embedded file (fixes syncthing#9247) (syncthing#9296) gui, man, authors: Update docs, translations, and contributors build: Update quic-go (fixes syncthing#9287) lib/model: Only handle relevant folder summaries (kqueue) (fixes syncthing#9183) (syncthing#9288)

bt90 added enhancement New features or improvements of some kind, as opposed to a problem (bug) needs-triage New issues needed to be validated labels Dec 13, 2023

calmh closed this as completed in 5d0ca19 Dec 13, 2023

calmh added build Issues caused by or requiring changes to the build system (scripts or Docker image) and removed enhancement New features or improvements of some kind, as opposed to a problem (bug) needs-triage New issues needed to be validated labels Dec 13, 2023

calmh added this to the v1.27.2 milestone Dec 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

quic-go v0.40.1 (CVE-2023-49295) #9287

quic-go v0.40.1 (CVE-2023-49295) #9287

bt90 commented Dec 13, 2023

calmh commented Dec 13, 2023

bt90 commented Dec 13, 2023

quic-go v0.40.1 (CVE-2023-49295) #9287

quic-go v0.40.1 (CVE-2023-49295) #9287

Comments

bt90 commented Dec 13, 2023

calmh commented Dec 13, 2023

bt90 commented Dec 13, 2023