mirror of
https://github.com/cbeuw/Cloak.git
synced 2026-04-25 04:25:59 +03:00
[PR #328] fix(deps): update module github.com/refraction-networking/utls to v1.8.2 [security] #319
📋 Pull Request Information
Original PR: https://github.com/cbeuw/Cloak/pull/328
Author: @renovate[bot]
Created: 2/19/2026
Status: 🔄 Open
Base: master ← Head: renovate/go-github.com-refraction-networking-utls-vulnerability
📝 Commits (1)
2e66821 fix(deps): update module github.com/refraction-networking/utls to v1.8.2 [security]
📊 Changes
2 files changed (+3 additions, -1 deletions)
📝 go.mod (+1 -1)
📝 go.sum (+2 -0)
📄 Description
This PR contains the following updates:
v1.8.0 → v1.8.2
GitHub Vulnerability Alerts
CVE-2026-27017
There is a fingerprint mismatch with Chrome when using GREASE ECH, having to do with ciphersuite selection. When Chrome selects the preferred ciphersuite in the outer ClientHello and the ciphersuite for ECH, it does so consistently based on hardware support. That means, for example, if it prefers AES for the outer ciphersuite, it would also use AES for ECH. The Chrome parrot in utls hardcodes AES preference for outer ciphersuites but selects the ECH ciphersuite randomly between AES and ChaCha20. So there is a 50% chance of selecting ChaCha20 for ECH while using AES for the outer ciphersuite, which is impossible in Chrome.
This is only a problem in GREASE ECH, since in real ECH Chrome selects the first valid ciphersuite when AES is preferred, which is the same in utls. So no change is done there.
Affected symbols:
HelloChrome_120, HelloChrome_120_PQ, HelloChrome_131, HelloChrome_133
Fix commit: 24bd1e05a788c1add7f3037f4532ea552b2cee07
Thanks to telegram @acgdaily for reporting this issue.
CVE-2026-26995
The padding extension was incorrectly removed in utls for the non-pq variant of Chrome 120 fingerprint. Chrome removed this extension only when sending pq keyshares. Only this fingerprint is affected since newer fingerprints have pq keyshares by default and older fingerprints have this extension.
Affected symbols:
HelloChrome_120
Fix commit: 8fe0b08e9a0e7e2d08b268f451f2c79962e6acd0
Thanks to telegram @acgdaily for reporting this issue.
Release Notes
refraction-networking/utls (github.com/refraction-networking/utls)
v1.8.2: security update
Fixes a fingerprint mismatch on the Chrome 120 fingerprint. Credit to telegram @acgdaily for reporting this issue.
What's Changed
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.8.1...v1.8.2
v1.8.1: Bug fixes
This update includes several bug fixes.
In particular, users of Chrome>=120 parrots should update ASAP. See #375 for details. Thanks to the original reporter for reporting this issue.
What's Changed
PubServerHelloMsg.ServerShare is not exported correctly by @wwqgtxx in #361
New Contributors
Full Changelog: https://github.com/refraction-networking/utls/compare/v1.8.0...v1.8.1
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
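The consistency rule in the CVE-2026-27017 description can be written as a regression check over a captured ClientHello. This is an added example, not code from utls or Cloak. It assumes the outer cipher suite list and the body of the ECH extension have already been extracted; the function names and sample bytes are constructed for illustration, and the field layout is the outer ECHClientHello with HPKE AEAD IDs from RFC 9180.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TLS 1.3 cipher suite IDs (RFC 8446) and HPKE AEAD IDs (RFC 9180).
const (
	tlsAES128, tlsAES256, tlsChaCha    = 0x1301, 0x1302, 0x1303
	hpkeAES128, hpkeAES256, hpkeChaCha = 0x0001, 0x0002, 0x0003
)

// greaseECHConsistent reports whether the ECH AEAD family (AES vs ChaCha20)
// matches the first TLS 1.3 AEAD suite in the outer list; GREASE is skipped.
// ech is an outer ECHClientHello body:
// type(1)=0 | kdf_id(2) | aead_id(2) | config_id(1) | enc<2> | payload<2>.
func greaseECHConsistent(suites []uint16, ech []byte) (bool, error) {
	if len(ech) < 10 || ech[0] != 0 {
		return false, errors.New("not an outer ECHClientHello")
	}
	aead := binary.BigEndian.Uint16(ech[3:5])
	if aead != hpkeAES128 && aead != hpkeAES256 && aead != hpkeChaCha {
		return false, fmt.Errorf("unknown HPKE AEAD 0x%04x", aead)
	}
	for _, s := range suites {
		if s == tlsAES128 || s == tlsAES256 || s == tlsChaCha {
			return (s != tlsChaCha) == (aead != hpkeChaCha), nil
		}
	}
	return false, errors.New("no TLS 1.3 AEAD suite offered")
}

// sampleECH builds a constructed body: zeroed 32-byte enc, 16-byte payload.
func sampleECH(aead uint16) []byte {
	b := []byte{0, 0, 1, byte(aead >> 8), byte(aead), 0x2a, 0, 32}
	b = append(append(b, make([]byte, 32)...), 0, 16)
	return append(b, make([]byte, 16)...)
}

func main() {
	suites := []uint16{0x0a0a, tlsAES128, tlsAES256, tlsChaCha} // constructed, AES first
	for _, aead := range []uint16{hpkeAES128, hpkeChaCha} {
		ok, err := greaseECHConsistent(suites, sampleECH(aead))
		fmt.Printf("ECH aead=0x%04x consistent=%v err=%v\n", aead, ok, err)
	}
}
```

Run over many generated ClientHellos from an affected parrot, a check like this should never return false once the dependency is at the fixed version.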