[PR #306] [CLOSED] fix(deps): update module github.com/refraction-networking/utls to v1.7.0 [security] - autoclosed #310

Closed
opened 2026-02-26 12:34:34 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/cbeuw/Cloak/pull/306
Author: @renovate[bot]
Created: 4/23/2025
Status: Closed

Base: master ← Head: renovate/go-github.com-refraction-networking-utls-vulnerability


📝 Commits (1)

  • e13ab26 Update module github.com/refraction-networking/utls to v1.7.0 [SECURITY]

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 go.mod (+1 -1)

📄 Description

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/refraction-networking/utls | `v1.6.6` -> `v1.7.0` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

GHSA-pmc3-p9hx-jq96

Description

Before version 1.7.0, utls did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a utls ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a utls client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because utls did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint utls connections.

Fix Commit or Pull Request

refraction-networking/utls#337, specifically refraction-networking/utls@f8892761e2

References

  • https://github.com/refraction-networking/utls/issues/181
Release Notes

refraction-networking/utls (github.com/refraction-networking/utls)

v1.7.0

Compare Source

What's Changed

  • Fix Config.InsecureSkipTimeVerify not being respected by @adotkhan in https://github.com/refraction-networking/utls/pull/303
  • Fixes session ticket / PSK not set by @adotkhan in https://github.com/refraction-networking/utls/pull/302
  • fix: generate ClientHelloSpec only once by @adotkhan in https://github.com/refraction-networking/utls/pull/306
  • fix: extMasterSecret mismatch with extended_master_secret extension by @adotkhan in https://github.com/refraction-networking/utls/pull/307
  • Merge changes from go 1.23.4 by @mingyech in https://github.com/refraction-networking/utls/pull/323
  • build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 by @dependabot in https://github.com/refraction-networking/utls/pull/326
  • Merge changes from go 1.24.0 by @mingyech in https://github.com/refraction-networking/utls/pull/329
  • Add Chrome 131 parrot and ML-KEM support by @BRUHItsABunny in https://github.com/refraction-networking/utls/pull/322
  • feat: add support for ECH when using custom clienthello specs by @mingyech in https://github.com/refraction-networking/utls/pull/331
  • Fix check for TLS downgrade canary by @mingyech in https://github.com/refraction-networking/utls/pull/337
  • build(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 by @dependabot in https://github.com/refraction-networking/utls/pull/336

New Contributors

  • @mingyech made their first contribution in https://github.com/refraction-networking/utls/pull/323
  • @BRUHItsABunny made their first contribution in https://github.com/refraction-networking/utls/pull/322

Full Changelog: https://github.com/refraction-networking/utls/compare/v1.6.7...v1.7.0

v1.6.7: Allow inspecting Client Hello before locking Session/PSK

Compare Source

What's Changed

  • Allow BuildHandshakeState to inspect ClientHello before setting SessionTicket/PSK by @adotkhan in https://github.com/refraction-networking/utls/pull/301

Full Changelog: https://github.com/refraction-networking/utls/compare/v1.6.6...v1.6.7


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
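The RFC 8446 section 4.1.3 check that the advisory above says utls skipped for custom ClientHello specs before v1.7.0, as an added Go example that is not utls's or Cloak's own code. The two 8-byte sentinel values are the RFC's; the function name CheckDowngradeCanary and the sample ServerHello.random are constructed for this example.

```go
package main

import (
	"bytes"
	"errors"
)

const (
	VersionTLS11 uint16 = 0x0302
	VersionTLS12 uint16 = 0x0303
	VersionTLS13 uint16 = 0x0304
)

// RFC 8446 section 4.1.3 sentinels ("DOWNGRD" + 0x01 or 0x00) that a TLS 1.3
// server writes into the last 8 bytes of ServerHello.random when it negotiates
// TLS 1.2 or TLS 1.1-and-below respectively.
var (
	downgradeCanaryTLS12 = []byte{0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01}
	downgradeCanaryTLS11 = []byte{0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00}
)

var ErrDowngrade = errors.New("tls: downgrade attempt detected, possibly due to a MITM attack")

// CheckDowngradeCanary is the client-side check from RFC 8446 4.1.3 (example name).
// maxOffered is the highest version the client listed in supported_versions,
// negotiated is the version the ServerHello selected, random is ServerHello.random.
func CheckDowngradeCanary(maxOffered, negotiated uint16, random []byte) error {
	if len(random) != 32 {
		return errors.New("tls: ServerHello.random must be 32 bytes")
	}
	canary := random[24:]
	switch {
	case maxOffered >= VersionTLS13 && negotiated <= VersionTLS12:
		// Offered 1.3 but got 1.2 or lower: either sentinel means a TLS 1.3
		// server saw a ClientHello stripped of supported_versions.
		if bytes.Equal(canary, downgradeCanaryTLS12) || bytes.Equal(canary, downgradeCanaryTLS11) {
			return ErrDowngrade
		}
	case maxOffered == VersionTLS12 && negotiated <= VersionTLS11:
		if bytes.Equal(canary, downgradeCanaryTLS11) {
			return ErrDowngrade
		}
	}
	return nil
}

func main() {
	// Constructed sample: 24 filler bytes followed by the TLS 1.2 canary.
	random := append(bytes.Repeat([]byte{0xAB}, 24), downgradeCanaryTLS12...)
	_ = CheckDowngradeCanary(VersionTLS13, VersionTLS12, random) // returns ErrDowngrade
}
```

A client that offered TLS 1.3 and then sees TLS 1.2 with this canary must abort the handshake rather than proceed, which is the behaviour the v1.7.0 update restores.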
