🔒 0.20.1
- Added a limit to how many connection IDs are locally queued for retirement. Without the limit an attacker could cause a server to queue an unbounded number of retired connection IDs, leading to a slow but steady increase in memory usage (CVE-2024-1410).
- Added a limit to the maximum
CRYPTO
frame data offset that can be buffered. Without the limit an attacker could cause a server to queue an unbounded number of bytes, leading to a slow but steady increase in memory usage (CVE-2024-1765).
Full changelog at 0.20.0...0.20.1