build(deps): bump quiche from 0.29.1 to 0.29.2 #1817

Merged: kixelated merged 2 commits into main from dependabot/cargo/quiche-0.29.2 on Jun 20, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Bumps quiche from 0.29.1 to 0.29.2.

Release notes

Sourced from quiche's releases.

🛡️ 0.29.2

⚠️ Security:

  • Fixed a use-after-free in quiche_connection_id_iter_next(), which is part of quiche's C FFI API. The iterator previously returned a pointer to a cloned connection ID whose backing storage was dropped before the caller could read it. It now returns pointers to connection IDs owned by the iterator.
  • Fixed a use-after-free in quiche_conn_retired_scid_next(), which is also part of the C FFI API. The function previously returned a pointer to a retired source connection ID whose backing storage was dropped before the caller could read it. It has been replaced by quiche_conn_retired_scid_iter(), which drains retired source connection IDs into an iterator before exposing them to callers.

The C FFI API is disabled by default via the ffi feature. The normal Rust API is not affected by these issues.

Breaking changes:

  • The C API function quiche_conn_retired_scid_next() was removed and replaced with quiche_conn_retired_scid_iter() to avoid returning pointers to temporary memory. Applications using quiche_conn_retired_scid_next() should call quiche_conn_retired_scid_iter(conn), iterate with quiche_connection_id_iter_next(), and release the iterator with quiche_connection_id_iter_free().

Highlights:

  • Fixed stream send-buffer accounting so congestion controller app-limited detection and Stats::tx_buffered_state track the actual bytes buffered in stream send buffers. This avoids buffered byte-count drift across retransmissions, ACKs, and stream shutdown/reset paths.

Full changelog at 0.29.1...0.29.2

Commits
  • 839b23d quiche: release 0.29.2
  • f2db946 ffi: fix use-after-free in quiche_conn_retired_scid_next
  • 386ad63 ffi: fix use-after-free in quiche_connection_id_iter_next
  • 65a85fb Fix tx_buffered computation so it matches the sum of bytes in stream buffers ...
  • 6b5a13c Remove unused imports in qlog-dancer component (#2511)
  • See full diff in compare view
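
The ownership change described in the release notes, as an added example that is not part of the original PR and is not quiche's code: a simplified Rust model of an FFI iterator that owns the connection IDs it hands out, so returned pointers stay valid until the iterator is freed. `Conn`, `CidIter` and every function name here are hypothetical stand-ins, and the sample IDs are constructed.

```rust
use std::collections::VecDeque;

/// Hypothetical stand-in for a connection holding retired source connection IDs.
pub struct Conn { pub retired: VecDeque<Vec<u8>> }

/// Iterator that owns every ID it exposes (the shape of the fix).
pub struct CidIter { cids: Vec<Vec<u8>>, index: usize }

// Unsound shape the notes describe, shown as a comment only:
//   let cid = conn.retired.pop_front()?;  // owned temporary
//   *out = cid.as_ptr();                  // pointer into the temporary
//   true                                  // `cid` dropped on return: dangling
/// Drain retired IDs into a heap-allocated iterator that the caller must free.
pub extern "C" fn retired_scid_iter(conn: &mut Conn) -> *mut CidIter {
    let cids = conn.retired.drain(..).collect();
    Box::into_raw(Box::new(CidIter { cids, index: 0 }))
}

/// Writes a pointer into iterator-owned storage; valid until `cid_iter_free`.
pub extern "C" fn cid_iter_next(it: &mut CidIter, out: *mut *const u8, out_len: *mut usize) -> bool {
    let cid = match it.cids.get(it.index) { Some(c) => c, None => return false };
    it.index += 1;
    unsafe { *out = cid.as_ptr(); *out_len = cid.len(); }
    true
}

/// Releases the iterator and, with it, every ID it handed out.
pub extern "C" fn cid_iter_free(it: *mut CidIter) {
    if !it.is_null() { drop(unsafe { Box::from_raw(it) }); }
}

/// Caller-side sequence: create, iterate, copy out, free.
pub fn collect_retired(conn: &mut Conn) -> Vec<Vec<u8>> {
    let it = retired_scid_iter(conn);
    let mut p: *const u8 = std::ptr::null();
    let mut n = 0usize;
    let mut seen = Vec::new();
    while cid_iter_next(unsafe { &mut *it }, &mut p, &mut n) {
        seen.push(unsafe { std::slice::from_raw_parts(p, n) }.to_vec());
    }
    cid_iter_free(it);
    seen
}

fn main() {
    let mut conn = Conn { retired: VecDeque::from(vec![vec![0xaa; 8], vec![0xbb; 8]]) }; // constructed IDs
    println!("{:?}", collect_retired(&mut conn));
}
```

Callers that keep an ID past the free call need their own copy, as `collect_retired` makes with `to_vec()`.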

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Jun 19, 2026
Bumps [quiche](https://github.com/cloudflare/quiche) from 0.29.1 to 0.29.2.
- [Release notes](https://github.com/cloudflare/quiche/releases)
- [Commits](cloudflare/quiche@0.29.1...0.29.2)

---
updated-dependencies:
- dependency-name: quiche
  dependency-version: 0.29.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/quiche-0.29.2 branch from dad3fd8 to 6e43a56 Compare June 20, 2026 00:24
@kixelated kixelated enabled auto-merge (squash) June 20, 2026 05:00
@kixelated kixelated disabled auto-merge June 20, 2026 05:00
@kixelated kixelated merged commit 4ac4199 into main Jun 20, 2026
1 check passed
@kixelated kixelated deleted the dependabot/cargo/quiche-0.29.2 branch June 20, 2026 05:00