Package: v2ray
Version: 4.34.0-1
Control: severity -1 serious
This bug is submitted by upstream developers for a serious DoS bug
within V2Ray that has been patched upstream since 05 Dec 2021 and
subsequently published, but remains unpatched in Debian. The fix for this
bug is included in v4.44.0
(https://github.com/v2fly/v2ray-core/releases/tag/v4.44.0).
It has been identified as:
CVE-2021-4070 (https://nvd.nist.gov/vuln/detail/CVE-2021-4070)
This vulnerability allows a VMess server controlled by an attacker to
crash a VMess client by sending a specially crafted handshake response
reply with an (optional) VMess SwitchAccount command that is one byte
shorter than expected. This vulnerability does NOT allow the attacker to
retrieve any information from a client other than that it uses an unpatched
version of the software, and does NOT allow the attacker to control the
unpatched software or system. It is strongly recommended that all users
apply this security update at the earliest possible opportunity. We
would like to thank geeknik for the responsible disclosure of this
vulnerability.
Fix:
https://github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c
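As an illustration added here (not v2ray's own code and not the fix linked above), the Go snippet below contrasts a length-prefixed command parser whose final bounds guard is off by one, so a payload one byte too short passes the check and the index expression panics, with a corrected parser that computes the full expected length before reading any field. The field layout is a constructed simplification for the example, not the real VMess wire format.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// SwitchAccount is a stand-in for the command the advisory describes.
// Assumed (constructed) layout, not the real VMess wire format:
//   [1] host length n | [n] host | [2] port, big endian | [1] level | [1] validMin
type SwitchAccount struct {
	Host     string
	Port     uint16
	Level    uint8
	ValidMin uint8
}

var errShort = errors.New("switch account: insufficient length")

// parseUnchecked shows the defect class: the last guard checks that the
// offset is not past the end, but not that a byte exists at that offset.
// A payload exactly one byte short passes the guard and data[timeStart]
// panics with "index out of range", crashing the client.
func parseUnchecked(data []byte) (*SwitchAccount, error) {
	if len(data) == 0 {
		return nil, errShort
	}
	n := int(data[0])
	if len(data) < 1+n+2+1 { // covers host, port and level only
		return nil, errShort
	}
	cmd := &SwitchAccount{Host: string(data[1 : 1+n])}
	cmd.Port = binary.BigEndian.Uint16(data[1+n : 3+n])
	cmd.Level = data[3+n]
	timeStart := 4 + n
	if len(data) < timeStart { // off by one: must be len(data) <= timeStart
		return nil, errShort
	}
	cmd.ValidMin = data[timeStart] // panics when len(data) == timeStart
	return cmd, nil
}

// parseChecked computes the whole expected length once and rejects anything
// shorter before any field is read, so a truncated command becomes an error
// the caller can log instead of a process crash.
func parseChecked(data []byte) (*SwitchAccount, error) {
	if len(data) == 0 {
		return nil, errShort
	}
	n := int(data[0])
	if len(data) < 1+n+2+1+1 { // host length byte, host, port, level, validMin
		return nil, errShort
	}
	return &SwitchAccount{
		Host:     string(data[1 : 1+n]),
		Port:     binary.BigEndian.Uint16(data[1+n : 3+n]),
		Level:    data[3+n],
		ValidMin: data[4+n],
	}, nil
}
```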