Update module github.com/refraction-networking/utls to v1.7.0 [SECURITY] (!621) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake

This MR contains the following updates:

Package	Type	Update	Change
github.com/refraction-networking/utls	require	minor	`v1.6.7` -> `v1.7.0`

uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries

GHSA-pmc3-p9hx-jq96 / GO-2025-3638

More information

Details

Description

Before version 1.7.0, utls did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a utls ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a utls client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because utls did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint utls connections.

Fix Commit or Merge Request

refraction-networking/utls#337, specifically refraction-networking/utls@f8892761e2a4d29054264651d3a86fda83bc83f9

References

https://github.com/refraction-networking/utls/issues/181

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/MR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

ServerHellos are accepted without checking TLS 1.3 downgrade canaries in github.com/refraction-networking/utls

GHSA-pmc3-p9hx-jq96 / GO-2025-3638

More information

Details

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

refraction-networking/utls (github.com/refraction-networking/utls)

`v1.7.0`

Compare Source

What's Changed

Fix Config.InsecureSkipTimeVerify not being respected by @adotkhan in #303
Fixes session ticket / PSK not set by @adotkhan in #302
fix: generate ClientHelloSpec only once by @adotkhan in #306
fix: extMasterSecret mismatch with extended_master_secret extension by @adotkhan in #307
Merge changes from go 1.23.4 by @mingyech in #323
build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 by @dependabot in #326
Merge changes from go 1.24.0 by @mingyech in #329
Add Chrome 131 parrot and ML-KEM support by @BRUHItsABunny in #322
feat: add support for ECH when using custom clienthello specs by @mingyech in #331
Fix check for TLS downgrade canary by @mingyech in #337
build(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 by @dependabot in #336

New Contributors

@mingyech made their first contribution in #323
@BRUHItsABunny made their first contribution in #322

Full Changelog: https://github.com/refraction-networking/utls/compare/v1.6.7...v1.7.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited Sep 15, 2025 by Renovate Bot

Update module github.com/refraction-networking/utls to v1.7.0 [SECURITY]

uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries

Details

Description

Fix Commit or Merge Request

References

Severity

References

ServerHellos are accepted without checking TLS 1.3 downgrade canaries in github.com/refraction-networking/utls

Details

Severity

References

Release Notes

v1.7.0

What's Changed

New Contributors

Configuration

Merge request reports

`v1.7.0`