What's Changed
Security fixes
- Fix use-after-free of TLS session in
WebSocketClient::shutdown_and_close()(GHSA-w7p7-f35j-mw7q).shutdown_and_close()freed the TLS session beforews_->close()sent the WebSocket close frame. The WebSocket'sSSLSocketStreamkeeps a raw pointer to that session, so sending the close frame read/wrote a freed SSL object. This affects anywss://client that is destroyed (or reconnected viaconnect()) while the connection is still open, without an explicitclose()first. The close frame is now sent while the session is still alive, and the session is freed afterward. Regression tests covering both the destroy-while-open and reconnect-while-open paths were added
Full Changelog: v0.50.0...v0.50.1