forks/go-ethereum
1
0
Fork 1
mirror of https://github.com/ethereum/go-ethereum.git synced 2026-06-04 14:08:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
go-ethereum/p2p/nat
History
ozpool 45698e9cb9
p2p/nat: bump pion/stun to v3 to pull in fixed pion/dtls (#34980) 
### Summary

Closes #34621.

`github.com/pion/dtls/v2` is affected by
[CVE-2026-26014](https://nvd.nist.gov/vuln/detail/CVE-2026-26014); the
fix lives in `github.com/pion/dtls/v3`. In this tree, dtls/v2 is pulled
in indirectly via `github.com/pion/stun/v2 v2.0.0` (declared at
`go.mod:53`), which is the only direct consumer — `p2p/nat/stun.go` is
the sole call site.

`github.com/pion/stun/v3` already uses dtls/v3, so bumping `stun`
upgrades the vulnerable dependency without touching `pion/dtls`
directly.

### API check

The v3 surface used by `p2p/nat/stun.go` is byte-identical in shape to
v2:

| Symbol | v2 | v3 |
|---|---|---|
| `Dial` | `func Dial(network, address string) (*Client, error)` | same
|
| `Build` | `func Build(setters ...Setter) (*Message, error)` | same |
| `TransactionID` | `var TransactionID Setter` | same |
| `BindingRequest` | `var BindingRequest = NewType(MethodBinding,
ClassRequest)` | same |
| `Event` | `type Event struct` | same |
| `XORMappedAddress` | `type XORMappedAddress struct { …
GetFrom(*Message) error }` | same |
| `DefaultPort` | `const DefaultPort = 3478` | same |

So the code change is just the import rename plus an alias rename to
keep the local label honest (`stunV2` → `stunV3`).

### Change

`go.mod` / `go.sum`:

- Replace direct `github.com/pion/stun/v2 v2.0.0` with
`github.com/pion/stun/v3 v3.0.1`.
- `go mod tidy` drops every `pion/dtls/v2` and `pion/stun/v2` entry from
`go.sum` and pulls `pion/dtls/v3 v3.0.7`, `pion/stun/v3 v3.0.1`,
`pion/transport/v3 v3.0.8` as the new indirect set.

`p2p/nat/stun.go`:

- Update the import path and rename the alias from `stunV2` to `stunV3`.

### Verification

- `go build ./p2p/nat/` clean.
- `go test ./p2p/nat/ -count=1` passes (26s).
- `grep 'pion/dtls/v2\|pion/stun/v2' go.sum` returns zero matches.

### Notes

- `pion/dtls` is not imported directly anywhere in the tree, so no other
code needs touching.
- `pion/transport/v3` was already in the dependency graph (the `stun/v3`
upgrade just bumps the patch from v3.0.1 → v3.0.8); the v2 transport
drops out cleanly.
2026-05-27 13:38:18 +02:00
..
nat.go all: use fmt.Appendf instead of fmt.Sprintf where possible (#31301) 2025-03-25 14:53:02 +01:00
nat_test.go p2p/nat: add stun protocol (#31064) 2025-01-24 16:16:02 +01:00
natpmp.go p2p/nat: remove forceful port mapping in upnp (#30265) 2025-04-04 10:56:55 +02:00
natupnp.go p2p/nat: fix err shadowing in UPnP addAnyPortMapping (#33355) 2025-12-08 15:02:24 +01:00
natupnp_test.go all: replace strings.Replace with string.ReplaceAll (#24835) 2022-05-09 13:13:23 +03:00
stun-list-update.sh p2p/nat: add stun protocol (#31064) 2025-01-24 16:16:02 +01:00
stun-list.txt p2p/nat: add stun protocol (#31064) 2025-01-24 16:16:02 +01:00
stun.go p2p/nat: bump pion/stun to v3 to pull in fixed pion/dtls (#34980) 2026-05-27 13:38:18 +02:00
stun_test.go p2p/nat: remove test with default servers (#31225) 2025-02-21 10:42:54 +08:00