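V2fly Releases Version V4.44.0

After half a year, V2fly, the V2ray community organization, has announced the release of version V4.44.0. This release fixes an important security vulnerability (a DoS attack vulnerability), and all V2ray users are advised to upgrade to the latest client. Note that the vulnerability is triggered only when a client connects to a malicious server, so users who run their own servers need not be overly concerned.

The following are V2fly's release notes for V2ray v4.44.0: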

This release includes security enhancement for all users.

!!! Important SECURITY enhancement !!!

  • Fix DoS attack vulnerability in CommandSwitchAccountFactory. (Thanks @geeknik)

Fix

Security Advisory

This update fixes a DoS vulnerability in V2Ray. This vulnerability allows a VMess Server controlled by an attacker to crash a VMess Client by sending a specially crafted handshake response reply with an (optional) VMess SwitchAccount Command that is one byte shorter than expected. This vulnerability does NOT allow the attacker to retrieve any information from a client other than it used an unpatched version of the software and does NOT allow the attacker to control the unpatched software or system. It is strongly recommended for all users to apply this security update at the earliest possible opportunity. We would like to thank @geeknik for the responsible disclosure of this vulnerability.

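This update fixes a denial-of-service vulnerability in V2Ray. The vulnerability allows a VMess server controlled by an attacker to force a VMess client to crash. It can be triggered by sending the client a malicious reply packet during the VMess handshake; the content of the triggering packet is a VMess switch-account command that is one byte shorter than the correct content. An attacker cannot obtain any information from the client through this vulnerability (other than that the client has not yet applied this security update), nor does it allow the attacker to control the client software or system. All users are strongly recommended to apply this security update as soon as possible. We thank @geeknik for responsibly disclosing this vulnerability to us.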
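
An added example, not code from V2Ray or from the original post: in Go, indexing a slice past its end panics, so a parser for attacker-supplied bytes has to check length before every field read. The sketch below returns an error for a command that is one byte short instead of crashing; the field layout, `switchCmd`, `parseSwitchCmd` and `samplePayload` are hypothetical and do not reproduce the VMess wire format.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical layout (not VMess): hostLen(1) host port(2) level(1) validMin(1)
type switchCmd struct {
	Host            string
	Port            uint16
	Level, ValidMin uint8
}

var errTruncated = errors.New("command truncated")

func parseSwitchCmd(data []byte) (*switchCmd, error) {
	var err error
	// take never slices past the input; once it runs out it returns zeroed bytes.
	take := func(n int) (head []byte) {
		if err != nil || len(data) < n {
			err = errTruncated
			return make([]byte, n)
		}
		head, data = data[:n], data[n:]
		return head
	}
	var cmd switchCmd
	cmd.Host = string(take(int(take(1)[0])))
	cmd.Port = binary.BigEndian.Uint16(take(2))
	cmd.Level = take(1)[0]
	cmd.ValidMin = take(1)[0] // last byte: a payload one byte short fails here
	if err != nil {
		return nil, err
	}
	return &cmd, nil
}

// samplePayload returns a constructed, well-formed 16-byte command.
func samplePayload() []byte {
	p := append([]byte{11}, "example.com"...) // hostLen, host
	return append(p, 0x01, 0xBB, 0, 30)       // port 443, level 0, valid 30 min
}

func main() {
	p := samplePayload()
	fmt.Println(parseSwitchCmd(p[:len(p)-1])) // <nil> command truncated
}
```

Running the parser over every prefix of a valid payload, as a unit test or a fuzz seed, is a cheap regression check for this class of off-by-one.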

Important Message

V2Ray(V2Fly) will pre-release its next major version: V2Ray V5. In addition to functionality improvements, it will include a new configuration format and infrastructure changes that streamline the development of new protocols and functionalities.

The V4 version of the V2Ray will then enter maintenance mode. No additional features will be added by core developers, while contributors may still send pull requests for new features. It will receive bug fixes and security updates from core developers for a limited period until the full release of the V5 version. Contributors are encouraged to fork and base their changes from V5 version branch, instead of V4 version to reduce merge conflict. If you have already started the development of a change based on V4 version, you may send your pull request to V4 branch for a limited period. The core developers will cherry-pick that change into V5 version on your behalf.

The pre-release version of V2Ray V5 may still contain bugs or inconsistencies. Some breaking updates to it are expected. You will need to change your configuration or codebase alongside us if you switch to V2Ray V5 now.

When V2Ray V5 pre-releases, the master branch will switch to V5 version of the codebase, and the new V5 binary will be pre-released in the GitHub Release. They are not suitable for an automatic update from the V4 version.

Notice

Due to the increase in size of the geoip.dat file recently, devices with insufficient ROM/RAM are experiencing difficulties in using V2Ray. The solution is as follows:

  • For RAM insufficient devices: Enable the Geodata loader optimized for memory-constrained devices by setting the environment variable V2RAY_CONF_GEOLOADER to value memconservative. For more details, see documentation.
  • For ROM insufficient devices:
    • Use the newly added GeoIP file geoip-only-cn-private.dat in the zip package or download it from release page, which only contains GeoIP list geoip:cn and geoip:private, or
    • Customize your own GeoIP file via project v2fly/geoip.
