0.17.12.

Author: briansmith

Cargo.toml

@@ -13,14 +13,14 @@ repository = "https://github.com/ctz/ring"
 rust-version = "1.63.0"
 
 # Keep in sync with `links` below.
-version = "0.17.11"
+version = "0.17.12"
 
 # Keep in sync with `version` above.
 #
 # build.rs verifies that this equals "ring_core_{major}_{minor}_{patch}_{pre}"
 # as keeping this in sync with the symbol prefixing is crucial for ensuring
 # the safety of multiple versions of *ring* being used in a program.
-links = "ring_core_0_17_11_"
+links = "ring_core_0_17_12_"
 
 include = [
     "LICENSE",

RELEASES.md

@@ -0,0 +1,14 @@
+Version 0.17.12 (2025-03-05)
+============================
+Bug fix: https://github.com/briansmith/ring/pull/2447 for denial of service (DoS).
+
+Fixes a panic in `ring::aead::quic::HeaderProtectionKey::new_mask()` when
+integer overflow checking is enabled. Integer overflow checking is not enabled
+in release mode by default, but `RUSTFLAGS="-C overflow-checks"` or
+`overflow-checks = true` in the Cargo.toml profile can override this.
+
+This panic could also be hit when using `ring::aead::aes_gcm` when
+encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes)
+of data using AES-GCM in a single packet. Networking protocols, like SSH and
+TLS, can't be affected by this because they break data sent/received into much,
+much smaller packet sizes.