v2.3.4
Security fixes
-
Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
Previously repeated failing connections would leak file descriptors leading to Barrier being unable to receive new connections from clients.
-
Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
Previously it was possible for a malicious client or server to send excessive length messages leading to denial of service by resource exhaustion.
-
Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message. (fixes CVE-2021-42074). This bug allowed an unauthenticated attacker to crash Barrier with only network access.
All of the above security issues have been reported by Matthias Gerstner who was really helpful for resolving them.
Bug fixes
- Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients under heavy load.