Source: golang-github-lucas-clemente-quic-go
Version: 0.46.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/quic-go/quic-go/pull/4729
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-github-lucas-clemente-quic-go.

CVE-2024-53259[0]:
| quic-go is an implementation of the QUIC protocol in Go. An off-path
| attacker can inject an ICMP Packet Too Large packet. Since affected
| quic-go versions used IP_PMTUDISC_DO, the kernel would then return a
| "message too large" error on sendmsg, i.e. when quic-go attempts to
| send a packet that exceeds the MTU claimed in that ICMP packet. By
| setting this value to smaller than 1200 bytes (the minimum MTU for
| QUIC), the attacker can disrupt a QUIC connection. Crucially, this
| can be done after completion of the handshake, thereby circumventing
| any TCP fallback that might be implemented on the application layer
| (for example, many browsers fall back to HTTP over TCP if they're
| unable to establish a QUIC connection). The attacker needs to at
| least know the client's IP and port tuple to mount an attack. This
| vulnerability is fixed in 0.48.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-53259
    https://www.cve.org/CVERecord?id=CVE-2024-53259
[1] https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
[2] https://github.com/quic-go/quic-go/pull/4729
[3] https://github.com/quic-go/quic-go/commit/34157e6455b07723d11385212a4e1328f57f1da5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
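
A defender-side check for the fixed release named in the report above, as an added example that is not part of the original report or of quic-go: it scans go.mod text for either quic-go import path and lists requirements below 0.48.2. The function names and the sample go.mod are constructed for illustration; the report does not state the earliest affected version, so every older version is listed for review.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Either import path the project has used, then a semantic version with optional suffix.
var quicRe = regexp.MustCompile(`(github\.com/(?:quic-go|lucas-clemente)/quic-go)\s+v(\d+)\.(\d+)\.(\d+)(-\S+)?`)

// fixed is the release the CVE text names as containing the fix.
var fixed = [3]int{0, 48, 2}

// olderThanFix reports whether v, with optional pre-release suffix, sorts before 0.48.2.
func olderThanFix(v [3]int, pre string) bool {
	for i := range v {
		if v[i] != fixed[i] {
			return v[i] < fixed[i]
		}
	}
	return pre != "" // a pre-release or pseudo-version of 0.48.2 precedes the release
}

// FindUnfixed returns "module@version" for each quic-go requirement below the fix.
// On a replace line the last match (the replacement target) is the one checked.
func FindUnfixed(goMod string) []string {
	var hits []string
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		all := quicRe.FindAllStringSubmatch(line, -1)
		if len(all) == 0 {
			continue
		}
		m := all[len(all)-1]
		var v [3]int
		fmt.Sscanf(m[2]+" "+m[3]+" "+m[4], "%d %d %d", &v[0], &v[1], &v[2])
		if olderThanFix(v, m[5]) {
			hits = append(hits, m[1]+"@v"+m[2]+"."+m[3]+"."+m[4]+m[5])
		}
	}
	return hits
}

// sampleGoMod is a constructed go.mod, not taken from any real project.
const sampleGoMod = "module example.test/app\nrequire (\n\tgithub.com/quic-go/quic-go v0.46.0\n\tgithub.com/lucas-clemente/quic-go v0.31.1 // indirect\n)\n"

func main() {
	fmt.Println(FindUnfixed(sampleGoMod))
}
```
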