CVE-2023-46239

NameCVE-2023-46239
Descriptionquic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-lucas-clemente-quic-go (PTS)bullseye0.19.3-1fixed
bookworm0.29.0-1fixed
sid, trixie0.46.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-lucas-clemente-quic-gosource(unstable)(not affected)

Notes

- golang-github-lucas-clemente-quic-go <not-affected> (Vulnerable version never in a unstable release; only affects 0.37.x)
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617 (v0.37.3)
Search for package or bug name: Reporting problems