rayelliott
/
barrier
mirror of https://github.com/debauchee/barrier.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Release notes for v2.3.4

This commit is contained in:
Povilas Kanapickas 2021-11-01 21:31:01 +02:00
parent 8883cfae0f
commit ad1a2c0bd6
5 changed files with 28 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/newsfragments/close-failed-handshake-connections.bugfix
View File

@ -1,6 +0,0 @@
SECURITY ISSUE
Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
Previously repeated failing connections would leak file descriptors leading to Barrier being unable
to receive new connections from clients.

6
doc/newsfragments/enforce-maximum-message-length.bugfix
View File

@ -1,6 +0,0 @@
SECURITY ISSUE
Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
Previously it was possible for a malicious client or server to send excessive length messages
leading to denial of service by resource exhaustion.

4
doc/newsfragments/fix-crash-on-ssl-hello.bugfix
View File

@ -1,4 +0,0 @@
SECURITY ISSUE
Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
This bug allowed an unauthenticated attacker to crash Barrier with only network access.

2
doc/newsfragments/ssl-corrupted-data.bugfix
View File

@ -1,2 +0,0 @@
Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
under heavy load.

28
doc/release_notes/index.md
View File

@ -2,3 +2,31 @@ Release notes
=============
[comment]: <> (towncrier release notes start)
Barrier `2.3.4` ( `2021-11-01` )
================================
Security fixes
--------------
- Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
Previously repeated failing connections would leak file descriptors leading to Barrier being unable
to receive new connections from clients.
- Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
Previously it was possible for a malicious client or server to send excessive length messages
leading to denial of service by resource exhaustion.
- Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
This bug allowed an unauthenticated attacker to crash Barrier with only network access.
All of the above security issues have been reported by Matthias Gerstner who was really helpful
resolving them.
Bug fixes
---------
- Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
under heavy load.