Find more live information in Aikido here: https://app.aikido.dev/queue?sidebarIssue=25238446&groupId=77741&sidebarIssueTask=3780363&sidebarTab=tasks
Scope
These issues affect the following code repository:
- datafusion-ducklake: Cargo.lock
TLDR
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto's parsing logic, attacker-controlled varints are decoded with unwrap(), so a truncated encoding yields Err(UnexpectedEnd), which unwrap() turns into a panic.
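The failure mode above, as an added illustration that is not quinn's code: a minimal QUIC variable-length integer decoder (RFC 9000, section 16) with the unwrap()-on-input pattern beside the hardened form that propagates the error so the caller can discard the packet. The parameter layout (id varint followed by length varint) and the sample bytes are constructed for this example.

```rust
// Added example, not quinn-proto source. Decodes QUIC varints and shows why
// unwrap() on a truncated encoding turns a parse error into a process panic.
use std::panic::catch_unwind;

#[derive(Debug, PartialEq, Eq)]
pub struct UnexpectedEnd;

/// Decode one QUIC varint from the front of `buf`; returns (value, bytes consumed).
/// The top two bits of the first byte select a 1-, 2-, 4- or 8-byte encoding.
pub fn decode_varint(buf: &[u8]) -> Result<(u64, usize), UnexpectedEnd> {
    let first = *buf.first().ok_or(UnexpectedEnd)?;
    let len = 1usize << (first >> 6);
    // A truncated encoding is reported as Err, never as a panic.
    let bytes = buf.get(..len).ok_or(UnexpectedEnd)?;
    let mut value = u64::from(first & 0x3f);
    for &b in &bytes[1..] {
        value = (value << 8) | u64::from(b);
    }
    Ok((value, len))
}

/// Vulnerable pattern: attacker-controlled bytes decoded with unwrap().
/// Constructed parameter layout: id varint, then length varint.
pub fn parse_param_vulnerable(buf: &[u8]) -> (u64, u64) {
    let (id, n) = decode_varint(buf).unwrap();
    let (len, _) = decode_varint(&buf[n..]).unwrap();
    (id, len)
}

/// Hardened form: propagate UnexpectedEnd so the packet is dropped, not the process.
pub fn parse_param_hardened(buf: &[u8]) -> Result<(u64, u64), UnexpectedEnd> {
    let (id, n) = decode_varint(buf)?;
    let (len, _) = decode_varint(&buf[n..])?;
    Ok((id, len))
}

/// Demonstrates the crash: true if the vulnerable parser panics on `buf`.
pub fn vulnerable_panics(buf: &[u8]) -> bool {
    catch_unwind(|| parse_param_vulnerable(buf)).is_err()
}

fn main() {
    // Constructed input: id = 4, then 0x80 announces a 4-byte varint with no bytes behind it.
    let truncated = [0x04u8, 0x80];
    println!("vulnerable parser panics: {}", vulnerable_panics(&truncated));
    println!("hardened parser result: {:?}", parse_param_hardened(&truncated));
}
```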
How to fix
We recommend updating from 0.11.13 to 0.11.14.