[PR #5245] [MERGED] bump pion/stun to v3 to fix vulnerability #5199

Closed
opened 2026-05-05 14:56:35 -06:00 by gitea-mirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5245
Author: @alexandear
Created: 3/19/2026
Status: Merged
Merged: 3/29/2026
Merged by: @fatedier

Base: dev ← Head: bump-pion-stun


📝 Commits (1)

  • 1f01462 bump pion/stun to v3 to fix vulnerability

📊 Changes

5 files changed (+67 additions, -83 deletions)

View changed files

➕ .github/workflows/security.yml (+21 -0)
📝 go.mod (+14 -14)
📝 go.sum (+30 -67)
📝 pkg/nathole/discovery.go (+1 -1)
📝 pkg/nathole/utils.go (+1 -1)

📄 Description

WHY

This PR bumps github.com/pion/stun and golang.org/x/crypto to fix vulnerabilities: GO-2026-4479 and GO-2025-4134.

Also, adds Security Scan workflow to run govulncheck automatically.

Details

❯ go install golang.org/x/vuln/cmd/govulncheck@latest
❯ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2026-4479
    Usage of random nonce generation with AES GCM ciphers risks leaking the
    authentication key in github.com/pion/dtls
  More info: https://pkg.go.dev/vuln/GO-2026-4479
  Module: github.com/pion/dtls/v2
    Found in: github.com/pion/dtls/v2@v2.2.7
    Fixed in: N/A
    Example traces found:
      #1: client/http/controller.go:396:66: http.Controller.UpdateStoreVisitor calls fmt.Sprintf, which eventually calls alert.Description.String
      #2: client/http/controller.go:396:66: http.Controller.UpdateStoreVisitor calls fmt.Sprintf, which eventually calls alert.Level.String
      #3: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls alert.init
      #4: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ccm.init
      #5: client/http/controller.go:396:66: http.Controller.UpdateStoreVisitor calls fmt.Sprintf, which eventually calls ciphersuite.ID.String
      #6: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ciphersuite.NewTLSEcdheEcdsaWithAes128Ccm
      #7: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ciphersuite.NewTLSEcdheEcdsaWithAes128Ccm8
      #8: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ciphersuite.NewTLSPskWithAes128Ccm
      #9: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ciphersuite.NewTLSPskWithAes128Ccm8
      #10: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ciphersuite.NewTLSPskWithAes256Ccm8
      #11: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ciphersuite.init
      #12: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls ciphersuite.init
      #13: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls clientcertificate.init
      #14: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls closer.init
      #15: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which calls dtls.init
      #16: pkg/vnet/tun.go:99:20: vnet.tunDeviceWrapper.Write calls pool.GetBuf, which eventually calls dtls.init
      #17: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls elliptic.init
      #18: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls extension.init
      #19: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls handshake.init
      #20: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls hash.init
      #21: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls prf.init
      #22: client/proxy/proxy_wrapper.go:156:21: proxy.Wrapper.SetRunningStatus calls protocol.FatalError.Error
      #23: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.FatalError.Temporary
      #24: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.FatalError.Timeout
      #25: client/service.go:263:16: client.Service.Run calls errors.As, which eventually calls protocol.FatalError.Unwrap
      #26: client/proxy/proxy_wrapper.go:156:21: proxy.Wrapper.SetRunningStatus calls protocol.InternalError.Error
      #27: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.InternalError.Temporary
      #28: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.InternalError.Timeout
      #29: client/service.go:263:16: client.Service.Run calls errors.As, which eventually calls protocol.InternalError.Unwrap
      #30: client/proxy/proxy_wrapper.go:156:21: proxy.Wrapper.SetRunningStatus calls protocol.TemporaryError.Error
      #31: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.TemporaryError.Temporary
      #32: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.TemporaryError.Timeout
      #33: client/service.go:263:16: client.Service.Run calls errors.As, which eventually calls protocol.TemporaryError.Unwrap
      #34: client/proxy/proxy_wrapper.go:156:21: proxy.Wrapper.SetRunningStatus calls protocol.TimeoutError.Error
      #35: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.TimeoutError.Temporary
      #36: pkg/util/http/server.go:99:19: http.Server.Run calls http.Server.Serve, which eventually calls protocol.TimeoutError.Timeout
      #37: client/service.go:263:16: client.Service.Run calls errors.As, which eventually calls protocol.TimeoutError.Unwrap
      #38: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls protocol.init
      #39: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls recordlayer.init
      #40: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls signature.init
      #41: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls signaturehash.init
      #42: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls types.init
      #43: pkg/nathole/discovery.go:22:2: nathole.init calls stun.init, which eventually calls util.init

Vulnerability #2: GO-2025-4134
    Unbounded memory consumption in golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2025-4134
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.41.0
    Fixed in: golang.org/x/crypto@v0.45.0
    Example traces found:
      #1: pkg/ssh/server.go:87:55: ssh.TunnelServer.Run calls ssh.NewServerConn

Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 2 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
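The report above draws a line between the two vulnerabilities frp's code actually calls ("Your code is affected by 2 vulnerabilities") and the package- and module-level hits it does not appear to call. As an added example, not code from this PR or from frp, here is how a CI gate could consume `govulncheck -json` output and fail the job only on findings whose vulnerable symbol is reachable from the module's own code, while still recording the entry point for the rest. It assumes govulncheck's JSON stream as I understand it (one object per line carrying `config`, `progress`, `osv` or `finding`; in a `finding` trace the first frame is the vulnerable symbol and the last is the entry point in your code). The sample stream is constructed to mirror two of the traces above; `GO-0000-0000` is a placeholder id for an unnamed module-level finding, and `example.com/somedep` is likewise made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Frame and Finding hold the subset of govulncheck -json "finding" fields used here
// (encoding/json matches keys case-insensitively, so only fixed_version needs a tag).
// In a trace the first frame is the vulnerable symbol, the last the entry point in your code.
type Frame struct{ Module, Version, Package, Function string }
type Finding struct {
	OSV          string
	FixedVersion string `json:"fixed_version"`
	Trace        []Frame
}

// Level is how far the call-graph analysis could tie a vulnerability to your code.
type Level int

const (
	ModuleLevel  Level = iota // module required, vulnerable package not imported
	PackageLevel              // package imported, vulnerable symbol not reached
	SymbolLevel               // vulnerable function reachable: "Your code is affected"
)

// levelOf classifies a finding by which fields its vulnerable (first) frame carries.
func levelOf(f Finding) Level {
	if len(f.Trace) == 0 || f.Trace[0].Package == "" {
		return ModuleLevel
	}
	if f.Trace[0].Function == "" {
		return PackageLevel
	}
	return SymbolLevel
}

// Report is the per-OSV roll-up: the deepest level any of its findings reached and,
// for symbol-level ones, the first entry point in your own code that reaches it.
type Report struct {
	OSV, FixedVersion, Entry string
	Level                    Level
}

// Summarize reads a govulncheck -json stream and rolls the findings up per OSV id;
// objects that are not findings (config, progress, osv) decode to nil and are skipped.
func Summarize(r io.Reader) (map[string]*Report, error) {
	reports := map[string]*Report{}
	dec := json.NewDecoder(r)
	for {
		var env struct{ Finding *Finding }
		if err := dec.Decode(&env); err == io.EOF {
			return reports, nil
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if env.Finding == nil {
			continue
		}
		f, lvl := *env.Finding, levelOf(*env.Finding)
		rep := reports[f.OSV]
		if rep == nil {
			rep = &Report{OSV: f.OSV, FixedVersion: f.FixedVersion}
			reports[f.OSV] = rep
		}
		if lvl > rep.Level {
			rep.Level = lvl
		}
		if lvl == SymbolLevel && rep.Entry == "" {
			entry := f.Trace[len(f.Trace)-1]
			rep.Entry = entry.Package + "." + entry.Function
		}
	}
}

// Reachable lists (in no particular order) the ids whose vulnerable symbol is actually
// called from the scanned code: the only findings a CI gate should fail on by default.
func Reachable(reports map[string]*Report) []string {
	var ids []string
	for id, r := range reports {
		if r.Level == SymbolLevel {
			ids = append(ids, id)
		}
	}
	return ids
}

// sampleOutput is constructed for this example, modelled on two traces from the text
// report above; GO-0000-0000 is a placeholder id standing in for a module-level hit.
const sampleOutput = `
{"finding":{"osv":"GO-2025-4134","fixed_version":"v0.45.0","trace":[{"module":"golang.org/x/crypto","version":"v0.41.0"}]}}
{"finding":{"osv":"GO-2025-4134","fixed_version":"v0.45.0","trace":[{"module":"golang.org/x/crypto","version":"v0.41.0","package":"golang.org/x/crypto/ssh","function":"NewServerConn"},{"module":"github.com/fatedier/frp","package":"github.com/fatedier/frp/pkg/ssh","function":"TunnelServer.Run"}]}}
{"finding":{"osv":"GO-2026-4479","trace":[{"module":"github.com/pion/dtls/v2","version":"v2.2.7","package":"github.com/pion/dtls/v2","function":"init"},{"module":"github.com/pion/stun","package":"github.com/pion/stun","function":"init"},{"module":"github.com/fatedier/frp","package":"github.com/fatedier/frp/pkg/nathole","function":"init"}]}}
{"finding":{"osv":"GO-0000-0000","fixed_version":"v1.2.3","trace":[{"module":"example.com/somedep","version":"v1.0.0"}]}}
`

func main() {
	reports, err := Summarize(strings.NewReader(sampleOutput))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if ids := Reachable(reports); len(ids) > 0 {
		fmt.Println("reachable vulnerabilities, failing the job:", ids)
		os.Exit(1) // non-zero exit fails the CI step only for reachable findings
	}
}
```

In a real job you would read `os.Stdin` instead of the constant (`govulncheck -json ./... | go run gate.go`, where `gate.go` is a hypothetical file name). govulncheck's text mode already exits non-zero on symbol-level findings, so the JSON route only earns its keep when you want the entry points in the job log or a policy of your own, for instance also failing on package-level hits against a module that, like `github.com/pion/dtls/v2` above, reports no fixed version.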

Reference: github-starred/frp#5199