Release notes for v2.3.4

2024-11-22 07:20:15 +03:00 · 2021-11-01 21:31:01 +02:00 · 2021-11-01 21:31:01 +02:00 · 56177d461a
commit 56177d461a
parent e7bdcb5249
5 changed files with 28 additions and 18 deletions
--- a/doc/newsfragments/close-failed-handshake-connections.bugfix
+++ b/doc/newsfragments/close-failed-handshake-connections.bugfix
@ -1,6 +0,0 @@
-SECURITY ISSUE
-
-Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
-
-Previously repeated failing connections would leak file descriptors leading to Barrier being unable
-to receive new connections from clients.
--- a/doc/newsfragments/enforce-maximum-message-length.bugfix
+++ b/doc/newsfragments/enforce-maximum-message-length.bugfix
@ -1,6 +0,0 @@
-SECURITY ISSUE
-
-Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
-
-Previously it was possible for a malicious client or server to send excessive length messages
-leading to denial of service by resource exhaustion.
--- a/doc/newsfragments/fix-crash-on-ssl-hello.bugfix
+++ b/doc/newsfragments/fix-crash-on-ssl-hello.bugfix
@ -1,4 +0,0 @@
-SECURITY ISSUE
-
-Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
-This bug allowed an unauthenticated attacker to crash Barrier with only network access.
--- a/doc/newsfragments/ssl-corrupted-data.bugfix
+++ b/doc/newsfragments/ssl-corrupted-data.bugfix
@ -1,2 +0,0 @@
-Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
-under heavy load.
--- a/doc/release_notes/index.md
+++ b/doc/release_notes/index.md
@ -2,3 +2,31 @@ Release notes
 =============

 [comment]: <> (towncrier release notes start)
+
+Barrier `2.3.4` ( `2021-11-01` )
+================================
+
+Security fixes
+--------------
+
+- Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
+
+  Previously repeated failing connections would leak file descriptors leading to Barrier being unable
+  to receive new connections from clients.
+
+- Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
+
+  Previously it was possible for a malicious client or server to send excessive length messages
+  leading to denial of service by resource exhaustion.
+
+- Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
+  This bug allowed an unauthenticated attacker to crash Barrier with only network access.
+
+All of the above security issues have been reported by Matthias Gerstner who was really helpful
+resolving them.
+
+Bug fixes
+---------
+
+- Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
+  under heavy load.