Skip to content

v0.50.1

Latest

Choose a tag to compare

@yhirose yhirose released this 12 Jul 01:40

What's Changed

Security fixes

  • Fix use-after-free of TLS session in WebSocketClient::shutdown_and_close() (GHSA-w7p7-f35j-mw7q). shutdown_and_close() freed the TLS session before ws_->close() sent the WebSocket close frame. The WebSocket's SSLSocketStream keeps a raw pointer to that session, so sending the close frame read/wrote a freed SSL object. This affects any wss:// client that is destroyed (or reconnected via connect()) while the connection is still open, without an explicit close() first. The close frame is now sent while the session is still alive, and the session is freed afterward. Regression tests covering both the destroy-while-open and reconnect-while-open paths were added

Full Changelog: v0.50.0...v0.50.1