CVE-2022-29189

Name: CVE-2022-29189
Description: Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.4, a buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completed or timed out. An attacker could exploit this to cause excessive memory usage. Version 2.1.4 contains a patch for this issue. There are currently no known workarounds available.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1011457

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                  Version    Status
snowflake (PTS)   sid, trixie, bookworm    2.5.1-1    fixed

The information below is based on the following data on fixed versions.

Package     Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
snowflake   source    (unstable)    2.2.0-1          -          -         1011457

Notes

https://github.com/pion/dtls/security/advisories/GHSA-cx94-mrg9-rq4j
https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de (v2.1.4)
https://github.com/pion/dtls/releases/tag/v2.1.4
