[Security] Bump quinn-proto from 0.11.6 to 0.11.8

Dependabot requested to merge dependabot-cargo-quinn-proto-0.11.8 into master

Bumps quinn-proto from 0.11.6 to 0.11.8. This update includes a security fix.

Vulnerabilities fixed

Denial of service in quinn-proto when using Endpoint::retry()

Summary

As of quinn-proto 0.11, it is possible for a server to accept(), retry(), refuse(), or ignore() an Incoming connection. However, calling retry() on an unvalidated connection exposes the server to a likely panic in the following situations:

  • Calling refuse or ignore on the resulting validated connection, if a duplicate initial packet is received
    • This issue can go undetected until a server's refuse()/ignore() code path is exercised, such as to stop a denial of service attack.
  • Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received.
    • This issue can go undetected if clients are well-behaved.

The former situation was observed in a real application, while the latter is only theoretical.

Details

Location of panic: https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213

Impact

Denial of service for internet-facing server

Patched versions: 0.11.7
Affected versions: >= 0.11.0, < 0.11.7

Commits
  • 7c09b02 proto: bump version to 0.11.8 for release (#1981)
  • 59bccd2 Version bump quinn to enforce patched quinn-proto
  • a8ec510 proto: avoid panicking on rustls server config errors
  • c26e8cd Bump versions
  • e01609c Merge commit from fork
  • c292a3c Fix and test validation of IDCID length
  • bb02a12 fix(.github/android): use API level 26
  • 5e5cc93 fix(.github/android): pass matrix.target and increase api to v26
  • cef42cc fix(udp): typo in sendmsg error log
  • edf16a6 ci(rust.yml): add workflow testing feature permutations
  • Additional commits viewable in compare view

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts