CVE-2022-29222

Name: CVE-2022-29222
Description: Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.5, a DTLS client could provide a certificate that it does not possess the private key for, and Pion DTLS would not reject it. This issue affects only users that rely on client certificates. The connection itself is still secure, but the certificate presented by a client cannot be trusted when using a Pion DTLS server prior to version 2.1.5. Users should upgrade to version 2.1.5 to receive a patch. There are currently no known workarounds.
Source: CVE (at NVD)
Debian Bugs: 1011458
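In DTLS a client proves possession of the private key for the certificate it sends with the CertificateVerify message, a signature over the handshake transcript. The advisory above describes a server that accepted the client's certificate without that proof holding up. The following Go program is an added example, not pion/dtls code and not from the advisory: it generates a trusted client certificate and an unrelated attacker key (both constructed in the block), uses a constant byte string as a stand-in for the handshake transcript, and shows that a chain check alone (what a VerifyPeerCertificate-style hook sees) passes for an impostor, while the signature check under the certificate's own public key does not. Function and type names (serverCheck, runScenario, Verdict) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict separates the two questions a DTLS server must answer about a
// client certificate: is it trusted, and does the client hold its key.
type Verdict struct {
	ChainOK      bool // certificate chains to the trust store
	PossessionOK bool // CertificateVerify signature validates under the cert's key
}

// newClientCert creates a self-signed P-256 client certificate (DER) and its
// private key. Constructed test material for this example.
func newClientCert(cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}

// signCertificateVerify is the client side: sign the transcript hash with
// whatever private key the client actually holds.
func signCertificateVerify(key *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	h := sha256.Sum256(transcript)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// serverCheck validates the presented certificate against the trust store
// and, separately, verifies the CertificateVerify signature with the public
// key carried in that certificate. Skipping the second step is the class of
// bug the advisory describes: any trusted certificate would be accepted.
func serverCheck(certDER, transcript, sig []byte, roots *x509.CertPool) (Verdict, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return Verdict{}, err
	}
	_, chainErr := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	// CheckSignature hashes transcript with SHA-256 and verifies the ASN.1
	// ECDSA signature under cert.PublicKey.
	possErr := cert.CheckSignature(x509.ECDSAWithSHA256, transcript, sig)
	return Verdict{ChainOK: chainErr == nil, PossessionOK: possErr == nil}, nil
}

// transcript stands in for the concatenated handshake messages that
// CertificateVerify covers. Constructed for the example.
var transcript = []byte("constructed DTLS handshake transcript")

// runScenario presents the victim's trusted certificate to the server. With
// honest=false the signature comes from an attacker key instead, i.e. a
// client that holds the certificate but not its private key.
func runScenario(honest bool) (Verdict, error) {
	victimDER, victimKey, err := newClientCert("victim-device")
	if err != nil {
		return Verdict{}, err
	}
	victimCert, err := x509.ParseCertificate(victimDER)
	if err != nil {
		return Verdict{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(victimCert) // the server trusts exactly this client certificate

	signer := victimKey
	if !honest {
		_, attackerKey, err := newClientCert("attacker")
		if err != nil {
			return Verdict{}, err
		}
		signer = attackerKey
	}
	sig, err := signCertificateVerify(signer, transcript)
	if err != nil {
		return Verdict{}, err
	}
	return serverCheck(victimDER, transcript, sig, roots)
}

func main() {
	for _, honest := range []bool{true, false} {
		v, err := runScenario(honest)
		fmt.Printf("honest=%v verdict=%+v err=%v\n", honest, v, err)
	}
}
```

The impostor run comes back with ChainOK true and PossessionOK false. That is why the advisory lists no workaround: an application-level certificate hook only ever sees the certificate and chain, which are legitimate here, and cannot observe the CertificateVerify signature that the library must check itself.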

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                Version   Status
snowflake (PTS)  sid, trixie, bookworm  2.5.1-1   fixed

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
snowflake  source  (unstable)  2.2.0-1                         1011458

Notes

https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh
https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412 (v2.1.5)
https://github.com/pion/dtls/releases/tag/v2.1.5
