Bump github.com/quic-go/quic-go from 0.59.1 to 0.60.0 #4566

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/quic-go/quic-go-0.60.0

dependabot Bot commented on behalf of github Jun 7, 2026

Bumps github.com/quic-go/quic-go from 0.59.1 to 0.60.0.

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.60.0

Starting with v0.60.0, quic-go is ready for use in FIPS 140-3 environments when built with Go 1.26 or newer and used with the Go Cryptographic Module. See FIPS140.md for details.

This required a number of changes:

  • switch QUIC HKDF usage to the standard library crypto/hkdf: #5461
  • use the Go standard library's TLS 1.3 AES-GCM implementation for QUIC packet protection AEADs: #5624
  • use cipher.NewGCMWithRandomNonce for address validation token encryption: #5625
  • disable FIPS 140-3 enforcement for the Retry packet integrity tag, which is outside the FIPS 140-3 scope: #5630
  • disable FIPS 140-3 enforcement for Initial packet protection, whose secrets are derived from public RFC constants: #5640
  • guard the internal ChaCha20-Poly1305 code path so it is not used in FIPS 140-3 mode: #5633
  • add FIPS / non-FIPS data transfer integration tests, including Retry and key updates: #5646

Breaking Changes

  • quic-go now requires Go 1.25 or newer: #5561

Notable Fixes

  • path probe packets now correctly pass the OOB data (needed to select the correct network interface in some system configurations): #5544, thanks to @​on-keyday
  • cancel the Stream and SendStream context when the connection is closed: #5556, thanks to @​zvdy
  • http3: validate Extended CONNECT `:protocol` pseudo-header values according to HTTP token syntax: #5639
  • http3: always set http.Request.Scheme and http.Request.Host: #5554, thanks to @​qiulaidongfeng
  • http3: fixed a nil pointer dereference when Server.Logger is unset: #5671
  • fix maximum datagram size estimation after MTU discovery: #5650, thanks to @​jinq0123
  • OpenStreamSync now reliably returns the context error when the context is cancelled: #5660

Behind the scenes

In the last couple of months, we have reworked our fuzz setup and the integration into OSS-Fuzz: First of all, all fuzzers were rewritten to Go native fuzzing (#5592, #5599, #5600, #5603, #5613). We also added new fuzzers for the HTTP/3 frame parser (#5595), HTTP/3 request, response and trailer decoding (#5602) and the STREAM / CRYPTO frame sorter (#5620).

Since native Go fuzzing uses a different seed corpus format, we now use the newly implemented go-ossfuzz-seeds library to generate OSS-Fuzz compatible seed corpus files from f.Add calls.

We also enable ClusterFuzzLite batch fuzzing (#5605), including a seed corpus (#5607). Fuzz coverage for both ClusterFuzzLite batch fuzzing (#5641) and for OSS-Fuzz fuzzing (#5655) is now submitted to Codecov.

Changelog

... (truncated)

Commits
  • 7612ad1 fix maximum datagram size estimation after MTU discovery (#5650)
  • c29d679 log build date and revisions in OSS-Fuzz build script (#5674)
  • 2728695 ci: bump docker/setup-qemu-action from 4.0.0 to 4.1.0 (#5673)
  • 4e4845b http3: fix nil pointer dereference when Server.Logger is unset (#5671)
  • 25c8e61 make frame sorter fuzz corpus accessible to OSS-Fuzz (#5670)
  • e444e69 ci: bump docker/login-action from 4.1.0 to 4.2.0 (#5668)
  • 23256b5 ci: bump docker/setup-buildx-action from 4.0.0 to 4.1.0 (#5665)
  • a7a3ef9 ci: bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#5666)
  • 0b49963 ci: bump docker/build-push-action from 7.1.0 to 7.2.0 (#5667)
  • 4f3577c ci: bump codecov/codecov-action from 6.0.0 to 6.0.1 (#5664)
  • Additional commits viewable in compare view

Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.59.1 to 0.60.0.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](quic-go/quic-go@v0.59.1...v0.60.0)

---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.60.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) Jun 7, 2026

dependabot Bot commented on behalf of github Jun 8, 2026

Looks like github.com/quic-go/quic-go is up-to-date now, so this is no longer needed.

dependabot Bot closed this Jun 8, 2026
dependabot Bot deleted the dependabot/go_modules/github.com/quic-go/quic-go-0.60.0 branch June 8, 2026 12:55