Bug 919887 (CVE-2023-6193) - <net-libs/quiche-0.20.0: excessive resource consumption
Summary: <net-libs/quiche-0.20.0: excessive resource consumption
Status: RESOLVED FIXED
Alias: CVE-2023-6193
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/cloudflare/quiche/...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-14 15:18 UTC by Christopher Fore
Modified: 2024-01-07 01:34 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Christopher Fore 2023-12-14 15:18:36 UTC
CVE-2023-6193 (https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm):

quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.

QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at a slower rate than they are received, leading to storage of path validation data in an unbounded queue.
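As an added illustration of the queueing behaviour the advisory describes (this is not quiche's code and not its fix): a small Rust model of an endpoint that must answer PATH_CHALLENGE frames while its congestion window throttles how many PATH_RESPONSE frames it can send per round. The queue type, the `cap` bound and the drop-oldest policy are assumptions made for this example; the unbounded variant (`cap == None`) is the pattern the advisory warns about.

```rust
use std::collections::VecDeque;

/// PATH_CHALLENGE carries 8 opaque bytes that the PATH_RESPONSE must echo back.
type ChallengeData = [u8; 8];

/// Pending PATH_RESPONSE frames. `cap == None` models the unbounded queue from the
/// advisory; `Some(n)` is a hypothetical bound for illustration, not quiche's actual fix.
struct PathResponseQueue {
    pending: VecDeque<ChallengeData>,
    cap: Option<usize>,
    dropped: u64, // challenges discarded because the bound was reached
}

impl PathResponseQueue {
    fn new(cap: Option<usize>) -> Self {
        PathResponseQueue { pending: VecDeque::new(), cap, dropped: 0 }
    }

    /// Record a received PATH_CHALLENGE. At the bound the oldest pending challenge is
    /// discarded; a peer that still wants validation simply sends another one.
    fn on_path_challenge(&mut self, data: ChallengeData) {
        if self.cap.map_or(false, |cap| self.pending.len() >= cap) {
            self.pending.pop_front();
            self.dropped += 1;
        }
        self.pending.push_back(data);
    }

    /// Emit up to `budget` responses, i.e. what the congestion window allows this round.
    fn send_responses(&mut self, budget: usize) -> Vec<ChallengeData> {
        let n = budget.min(self.pending.len());
        self.pending.drain(..n).collect()
    }
    fn len(&self) -> usize { self.pending.len() }
}

/// Constructed scenario: each round the peer delivers `in_per_round` challenges while the
/// window lets only `out_per_round` responses out. Returns the peak queue length reached.
fn simulate(cap: Option<usize>, rounds: usize, in_per_round: usize, out_per_round: usize) -> usize {
    let mut q = PathResponseQueue::new(cap);
    let mut peak: usize = 0;
    for r in 0..rounds {
        for i in 0..in_per_round {
            q.on_path_challenge(((r * in_per_round + i) as u64).to_be_bytes());
        }
        peak = peak.max(q.len()); // unbounded: grows by (in - out) every round
        q.send_responses(out_per_round);
    }
    peak
}
```

With 10 challenges in and 1 response out per round, the unbounded queue reaches 9001 entries after 1000 rounds, while a bound of 8 never exceeds 8 regardless of how long the peer keeps it up.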
Comment 1 John Helmert III 2024-01-07 01:20:11 UTC
Maintainer, please clean up
Comment 2 Larry the Git Cow 2024-01-07 01:30:40 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7d1d28c4208dc4bc5623639d3d34205c89b8c25

commit c7d1d28c4208dc4bc5623639d3d34205c89b8c25
Author:     Craig Andrews <candrews@gentoo.org>
AuthorDate: 2024-01-07 01:29:44 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2024-01-07 01:30:37 +0000

    net-libs/quiche: drop versions
    
    Closes: https://bugs.gentoo.org/919887
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 net-libs/quiche/Manifest                | 220 ---------------------------
 net-libs/quiche/quiche-0.14.0.ebuild    | 236 ----------------------------
 net-libs/quiche/quiche-0.15.0.ebuild    | 236 ----------------------------
 net-libs/quiche/quiche-0.16.0.ebuild    | 236 ----------------------------
 net-libs/quiche/quiche-0.17.1.ebuild    | 240 -----------------------------
 net-libs/quiche/quiche-0.17.2-r1.ebuild | 240 -----------------------------
 net-libs/quiche/quiche-0.17.2.ebuild    | 240 -----------------------------
 net-libs/quiche/quiche-0.18.0.ebuild    | 248 ------------------------------
 net-libs/quiche/quiche-0.19.0.ebuild    | 262 --------------------------------
 9 files changed, 2158 deletions(-)