This update fixes a DoS vulnerability in V2Ray. This vulnerability allows a VMess Server controlled by an attacker to crash a VMess Client by sending a specially crafted handshake response reply with an (optional) VMess SwitchAccount Command that is one byte shorter than expected. This vulnerability does NOT allow the attacker to retrieve any information from a client other than that it used an unpatched version of the software, and does NOT allow the attacker to control the unpatched software or system. It is strongly recommended that all users apply this security update at the earliest possible opportunity. We would like to thank @geeknik for the responsible disclosure of this vulnerability.
V2Ray(V2Fly) will pre-release its next major version: V2Ray V5. In addition to functionality improvements, it will include a new configuration format and infrastructure changes that streamline the development of new protocols and functionalities.
The V4 version of V2Ray will then enter maintenance mode. No additional features will be added by core developers, while contributors may still send pull requests for new features. It will receive bug fixes and security updates from core developers for a limited period until the full release of the V5 version. Contributors are encouraged to fork and base their changes on the V5 version branch instead of the V4 version, to reduce merge conflicts. If you have already started the development of a change based on the V4 version, you may send your pull request to the V4 branch for a limited period. The core developers will cherry-pick that change into the V5 version on your behalf.
The pre-release version of V2Ray V5 may still contain bugs or inconsistencies. Some breaking updates to it are expected. You will need to change your configuration or codebase alongside us if you switch to V2Ray V5 now.
When V2Ray V5 pre-releases, the master branch will switch to the V5 version of the codebase, and the new V5 binary will be pre-released in the GitHub Release. They are not suitable for an automatic update from the V4 version.
Notice
Due to the recent increase in size of the geoip.dat file, devices with insufficient ROM/RAM are experiencing difficulties in using V2Ray. The solution is as follows:
- For devices with insufficient RAM: Enable the Geodata loader optimized for memory-constrained devices by setting the environment variable `V2RAY_CONF_GEOLOADER` to the value `memconservative`. For more details, see the documentation.
- For devices with insufficient ROM:
  - Use the newly added GeoIP file geoip-only-cn-private.dat in the zip package or download it from the release page; it only contains the GeoIP lists geoip:cn and geoip:private, or
  - Customize your own GeoIP file via the project v2fly/geoip.
v4.43.0
Features
- Shadowsocks: Send Shadowsocks handshake with payload data if available (#1292 Thanks @nekohasekai)
- TFO: Custom TCP Fast Open queue length support (#1293 Thanks @AkinoKaede)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/orvice/v2ray-manager/network/alerts).
Bumps github.com/v2fly/v2ray-core/v4 from 4.41.0 to 4.44.0.
Release notes
Sourced from github.com/v2fly/v2ray-core/v4's releases.
... (truncated)
Commits
- 9936afa update version
- c1af2bf Fix DoS attack vulnerability in CommandSwitchAccountFactory
- 7b0699e Apply timeout to dns outbound (#1330)
- e621175 update version
- b3e0d54 Remove unnecessary log.
- 75eead5 Fix: Remove udp conn twice
- a4cd311 Fix flaky TestVMessDynamicPort (#723)
- 9458a1a Fix some tests to use udp.PickPort()
- deb9d08 refactor: move from io/ioutil to io and os package (#1298)
- b25a9e5 Feat: custom TCP Fast Open queue length (#1293)
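The failure mode named in the release notes above (a peer-supplied command body one byte shorter than the parser expects) is illustrated here as an added example that is not V2Ray's code. The field layout, the `SwitchCmd` type and the function names are hypothetical and do not reflect the VMess wire format.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical body layout, constructed for this example (NOT the VMess format):
// [1 byte hostLen][hostLen bytes host][2 bytes port, big endian][1 byte validMin]
type SwitchCmd struct {
	Host     string
	Port     uint16
	ValidMin byte
}

var ErrShort = errors.New("command body too short")

// ParseUnchecked trusts the peer: a truncated body drives an index past
// len(b) and the Go runtime panics, taking the process down if unrecovered.
func ParseUnchecked(b []byte) SwitchCmd {
	n := int(b[0])
	return SwitchCmd{Host: string(b[1 : 1+n]),
		Port: binary.BigEndian.Uint16(b[1+n : 3+n]), ValidMin: b[3+n]}
}

// ParseChecked validates the full expected length before reading any field
// and turns a short body into an ordinary error.
func ParseChecked(b []byte) (SwitchCmd, error) {
	if len(b) < 1 {
		return SwitchCmd{}, ErrShort
	}
	n := int(b[0])
	if len(b) < 1+n+2+1 { // length byte + host + port + validMin
		return SwitchCmd{}, ErrShort
	}
	return ParseUnchecked(b), nil // safe: every index is now in range
}

// Panics reports whether ParseUnchecked panics on b.
func Panics(b []byte) (p bool) {
	defer func() { p = recover() != nil }()
	ParseUnchecked(b)
	return false
}

func main() {
	full := []byte{3, 'a', '.', 'b', 0x01, 0xBB, 5} // constructed sample body
	short := full[:len(full)-1]                     // one byte shorter than expected
	_, err := ParseChecked(short)
	fmt.Println("unchecked panics:", Panics(short), "checked error:", err)
}
```
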