v0.39.4
·
254 commits
to master
since this release
This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:
- limit the number of queued PATH_RESPONSE frames to 256 (#4199)
- don't retransmit PATH_CHALLENGE and PATH_RESPONSE frames (#4200)
Full Changelog: v0.39.3...v0.39.4