2021-11-01 19:31:00 +00:00
|
|
|
Release notes
|
|
|
|
|
=============
|
|
|
|
|
|
|
|
|
|
[comment]: <> (towncrier release notes start)
|
2021-11-01 19:31:01 +00:00
|
|
|
|
|
|
|
|
Barrier `2.3.4` ( `2021-11-01` )
|
|
|
|
|
================================
|
|
|
|
|
|
|
|
|
|
Security fixes
|
|
|
|
|
--------------
|
|
|
|
|
|
|
|
|
|
- Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
|
|
|
|
|
|
|
|
|
|
Previously repeated failing connections would leak file descriptors leading to Barrier being unable
|
|
|
|
|
to receive new connections from clients.
|
|
|
|
|
|
|
|
|
|
- Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
|
|
|
|
|
|
|
|
|
|
Previously it was possible for a malicious client or server to send excessive length messages
|
|
|
|
|
leading to denial of service by resource exhaustion.
|
|
|
|
|
|
|
|
|
|
- Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
|
|
|
|
|
This bug allowed an unauthenticated attacker to crash Barrier with only network access.
|
|
|
|
|
|
|
|
|
|
All of the above security issues have been reported by Matthias Gerstner who was really helpful
|
|
|
|
|
resolving them.
|
|
|
|
|
|
|
|
|
|
Bug fixes
|
|
|
|
|
---------
|
|
|
|
|
|
|
|
|
|
- Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
|
|
|
|
|
under heavy load.
|
