mirror of
https://github.com/ethereum/go-ethereum.git
synced 2026-06-04 14:08:39 +00:00
### Summary

Closes #34621. `github.com/pion/dtls/v2` is affected by [CVE-2026-26014](https://nvd.nist.gov/vuln/detail/CVE-2026-26014); the fix lives in `github.com/pion/dtls/v3`. In this tree, dtls/v2 is pulled in indirectly via `github.com/pion/stun/v2 v2.0.0` (declared at `go.mod:53`), which is the only direct consumer — `p2p/nat/stun.go` is the sole call site. `github.com/pion/stun/v3` already uses dtls/v3, so bumping `stun` upgrades the vulnerable dependency without touching `pion/dtls` directly.

### API check

The v3 surface used by `p2p/nat/stun.go` is byte-identical in shape to v2:

| Symbol | v2 | v3 |
|---|---|---|
| `Dial` | `func Dial(network, address string) (*Client, error)` | same |
| `Build` | `func Build(setters ...Setter) (*Message, error)` | same |
| `TransactionID` | `var TransactionID Setter` | same |
| `BindingRequest` | `var BindingRequest = NewType(MethodBinding, ClassRequest)` | same |
| `Event` | `type Event struct` | same |
| `XORMappedAddress` | `type XORMappedAddress struct { … GetFrom(*Message) error }` | same |
| `DefaultPort` | `const DefaultPort = 3478` | same |

So the code change is just the import rename plus an alias rename to keep the local label honest (`stunV2` → `stunV3`).

### Change

`go.mod` / `go.sum`:

- Replace direct `github.com/pion/stun/v2 v2.0.0` with `github.com/pion/stun/v3 v3.0.1`.
- `go mod tidy` drops every `pion/dtls/v2` and `pion/stun/v2` entry from `go.sum` and pulls `pion/dtls/v3 v3.0.7`, `pion/stun/v3 v3.0.1`, `pion/transport/v3 v3.0.8` as the new indirect set.

`p2p/nat/stun.go`:

- Update the import path and rename the alias from `stunV2` to `stunV3`.

### Verification

- `go build ./p2p/nat/` clean.
- `go test ./p2p/nat/ -count=1` passes (26s).
- `grep 'pion/dtls/v2\|pion/stun/v2' go.sum` returns zero matches.

### Notes

- `pion/dtls` is not imported directly anywhere in the tree, so no other code needs touching.
- `pion/transport/v3` was already in the dependency graph (the `stun/v3` upgrade just bumps the patch from v3.0.1 → v3.0.8); the v2 transport drops out cleanly.
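The last verification step above is a single `grep` over `go.sum` for two module paths. The script below is an added example, not part of the go-ethereum PR, that generalises that check into a denylist audit: it parses `go.sum` into unique `path version` pairs and reports every pair whose module path is on the list, exiting non-zero so it can gate a CI job. Both `go.sum` samples are constructed for the example; their hashes are placeholders and the `dtls/v2` and `transport/v2` versions are chosen arbitrarily, only the v3 versions match those named in the PR description.

```shell
#!/bin/sh
# Added example, not part of the go-ethereum PR: audit a go.sum for module
# paths known to carry an unfixed vulnerability. This generalises the PR's
# last verification step (one grep for two paths) into a denylist check
# that reports each flagged "path version" pair.
#
# Both go.sum samples are CONSTRUCTED. Hashes are placeholders, and the
# dtls/v2 and transport/v2 versions are arbitrary; only the v3 versions
# match the ones named in the PR description.
SAMPLE_GOSUM_BEFORE='github.com/pion/dtls/v2 v2.2.7 h1:PLACEHOLDER=
github.com/pion/dtls/v2 v2.2.7/go.mod h1:PLACEHOLDER=
github.com/pion/stun/v2 v2.0.0 h1:PLACEHOLDER=
github.com/pion/stun/v2 v2.0.0/go.mod h1:PLACEHOLDER=
github.com/pion/transport/v2 v2.2.1 h1:PLACEHOLDER=
github.com/pion/transport/v2 v2.2.1/go.mod h1:PLACEHOLDER='

SAMPLE_GOSUM_AFTER='github.com/pion/dtls/v3 v3.0.7 h1:PLACEHOLDER=
github.com/pion/dtls/v3 v3.0.7/go.mod h1:PLACEHOLDER=
github.com/pion/stun/v3 v3.0.1 h1:PLACEHOLDER=
github.com/pion/stun/v3 v3.0.1/go.mod h1:PLACEHOLDER=
github.com/pion/transport/v3 v3.0.8 h1:PLACEHOLDER=
github.com/pion/transport/v3 v3.0.8/go.mod h1:PLACEHOLDER='

# Denylist of module paths, one per line. Matching the full path including
# the /vN suffix flags every release of that major, which is the right
# granularity here: the CVE-2026-26014 fix exists only in the v3 line.
DENYLIST='github.com/pion/dtls/v2
github.com/pion/stun/v2'

# list_modules: read go.sum text on stdin, print unique "path version" pairs.
# Each module has two lines ("<path> <version> h1:..." and
# "<path> <version>/go.mod h1:..."); stripping the /go.mod suffix
# collapses them into one entry.
list_modules() {
  awk '{ sub(/\/go\.mod$/, "", $2); print $1, $2 }' | sort -u
}

# flagged_modules GOSUM_TEXT: print every denylisted "path version" found.
# Exit status 1 if anything was flagged, 0 if the go.sum is clean.
flagged_modules() {
  found=0
  while read -r path version; do
    for banned in $DENYLIST; do
      if [ "$path" = "$banned" ]; then
        echo "$path $version"
        found=1
      fi
    done
  done <<EOF
$(printf '%s\n' "$1" | list_modules)
EOF
  return $found
}

# Stand-alone run: the pre-upgrade sample is flagged, the post-upgrade one is clean.
echo "== before upgrade =="
flagged_modules "$SAMPLE_GOSUM_BEFORE" || echo "(vulnerable modules present)"
echo "== after upgrade =="
flagged_modules "$SAMPLE_GOSUM_AFTER" && echo "(clean)"
```

Against a real tree, replace the sample text with `flagged_modules "$(cat go.sum)"`. Two caveats for reviewers: `go.sum` can carry entries for modules that are not in the build list, so `go list -m all` is the authoritative source of what is actually linked, and `go mod why -m github.com/pion/dtls/v2` shows the import chain that keeps a module alive, which is how the single `stun/v2` consumer in this PR was found. For a vulnerability-database-driven check rather than a hand-kept denylist, `govulncheck ./...` from `golang.org/x/vuln` reports only the vulnerable functions that are reachable from the code.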