File _patchinfo of Package patchinfo.19087

<patchinfo incident="19087">
  <issue tracker="bnc" id="1235164">VUL-0: CVE-2023-49295: v2ray-core: github.com/quic-go/quic-go: memory exhaustion attack against QUIC's path validation mechanism</issue>
  <issue tracker="bnc" id="1243946">VUL-0: CVE-2025-29785: v2ray-core: github.com/quic-go/quic-go/internal/ackhandler: loss recovery logic for path probe packets can be used by a malicious QUIC client to trigger a null pointer dereference</issue>
  <issue tracker="bnc" id="1222488">VUL-0: CVE-2024-22189: v2ray-core: quic-go: memory exhaustion attack against QUIC's connection ID mechanism</issue>
  <issue tracker="cve" id="2024-22189"/>
  <issue tracker="cve" id="2025-29785"/>
  <packager>hillwood</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for v2ray-core</summary>
  <description>This update for v2ray-core fixes the following issues:

- Update version to 5.33.0
  * bump github.com/quic-go/quic-go from 0.51.0 to 0.52.0 (boo#1243946 and CVE-2025-29785)
  * Update other vendor source

- Update version to 5.31.0
  * Add Dns Proxy Response TTL Control
  * Fix call newError Base with a nil value error
  * Update vendor (boo#1235164)

- Update version to 5.29.3
  * Enable restricted mode load for http protocol client
  * Correctly implement QUIC sniffer when handling multiple initial packets
  * Fix unreleased cache buffer in QUIC sniffing
  * A temporary testing fix for the buffer corruption issue
  * QUIC Sniffer Restructure

- Update version to 5.22.0
  * Add packetEncoding for Hysteria
  * Add ECH Client Support
  * Add support for parsing some shadowsocks links
  * Add Mekya Transport
  * Fix bugs

- Update version to 5.18.0
  * Add timeout for http request roundtripper
  * Fix ss2022 auth reader size overflow
  * Add pie build mode to all binary builds
  * Support "services" root config in cfgv4
  * packet_encoding for config v4
  * add MPTCP support
  * Add (Experimental) Mekya Building Blocks to request Transport
  * Hysteria2: Add Hysteria2 Protocol
  * Add AllowInsecureIfPinnedPeerCertificate option to tls security
  * Add tls certChainHash command
  * add support for socket activation
  * Add pprof flag for debugging
  * Fix bugs

- Update version to 5.16.1
  * Add Keep-Alive to removed headers

- Update version to 5.15.1
  * feat: RandomStrategy AliveOnly
  * Improve container image tags and timestamp
  * Add delay_auth_write to Socks5 Client Advanced Config
  * Add MaxMin TLS version support in TLS Setting
  * Fixed a malleability vulnerability in encrypted traffic that allows
    an attacker with a privileged network position to corrupt integrity
    by silently dropping segments of traffic from an encrypted
    traffic stream.
  * Update documents
  * Fix bugs

- Update vendor, fix CVE-2024-22189 (boo#1222488)

- Update version to 5.12.1
  * Shadowsocks2022 Client Support
  * Apply DomainStrategy to outbound target
  * Add DomainStrategy to JSONv5 outbound
  * Add sniffing for TUN
  * Add HTTPUpgrade transport. It is a reduced version of WebSocket
    Transport that can pass many reverse proxies and CDNs without
    running a WebSocket protocol stack
  * TUN Support
  * Add uTLS support for h2 transport
  * Fix bugs
</description>
</patchinfo>