v2.6.4

Author: tobyxdd

docs/docs/Changelog.md

@@ -4,6 +4,14 @@ hide:
   - navigation
 ---
 
+## 2.6.4
+
+> This release contains important fixes and we strongly encourage everyone to upgrade.
+
+- Security fix & behavior change: `tls.pinSHA256` now matches only the fingerprint of the leaf certificate, instead of any certificate in the chain. This change mitigates MITM risks in cases where `insecure=true` by preventing 1) user accidentally pinning a CA certificate, which would allow any certificate issued by that CA to be accepted, and 2) attacker constructing a forged certificate chain by combining their own leaf certificate with the user server's certificate.
+- Fix tun mode UDP packet AF corruption
+- Updated quic-go to v0.54.0
+
 ## 2.6.3
 
 - Added mTLS support for client certificate authentication

docs/docs/Changelog.zh.md

@@ -4,6 +4,14 @@ hide:
   - navigation
 ---
 
+## 2.6.4
+
+> 此版本包含重要修复，强烈建议更新
+
+- 安全修复与行为变更：`tls.pinSHA256` 现在只会匹配叶子证书的指纹，而不是整条链中任意证书。此改动在 `insecure=true` 的情况下避免了中间人攻击风险，特别是以下两种情况： 1) 用户错误地 pin 了 CA 证书，从而导致该 CA 签发的任何证书都能被接受；2) 攻击者伪造证书链，将自己的叶子证书与用户服务器的证书拼接使用。
+- 修复 tun 模式下 UDP 包 AF 字段损坏问题
+- quic-go 更新到 v0.54.0
+
 ## 2.6.3
 
 - 新增 mTLS 客户端证书验证

docs/docs/getting-started/Server-Installation-Script.md

@@ -48,7 +48,7 @@ bash <(curl -fsSL https://get.hy2.sh/)
 Install or upgrade to a specified version.
 
 ```sh
-bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.3
+bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.4
 ```
 
 ### Uninstall

docs/docs/getting-started/Server-Installation-Script.zh.md

@@ -48,7 +48,7 @@ bash <(curl -fsSL https://get.hy2.sh/)
 安装或升级为指定版本，不进行版本检查。
 
 ```sh
-bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.3
+bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.4
 ```
 
 ### 卸载