v4.34.0 Released

https://github.com/v2fly/v2ray-core/releases/tag/v4.34.0

Breaking Changes
* Support for the legacy Shadowsocks protocol with stream ciphers has been removed (#566). If you are still using the unsecure stream ciphers, migrate to Shadowsocks AEAD (ChaCha20Poly1305 and AES-GCM) immediately.
* Binaries of the following architectures are no longer a part of the release: s390x, ppc64, ppc64le, mips softfloat.

Changes
* DNS: refactoring DNS (#169)
* DNS: support DNS over QUIC (#534) (currently only non-proxied lookup)
* DNS: add clientIp feature support for every nameserver (#504)
* Release: add Android release (#512)
* Android: default dns set to 8.8.8.8:53 (#572)
* TLS Session Resumption is now disabled by default (#569). See #557 for more information.
* SessionTicketsDisabled is now true by default. See #557 for more information.
* SOCKS: Refine socks5 server UdpAssociate response behavior (#523)
* SOCKS: Fix socks client UDP outbound's wrong destination (#522)
* HTTP2: listen port failed use error level log (#576)
* DNS: refine skipRoutePick (#558)
* DNS: compatible with localhost nameserver (#530)
* DNS & Routing: refine rule parsing process (#528)
* Config: multi-JSON config overide (#409)
* Release: migrate release from Azure Pipelines to GitHub Actions (#453 #468)
* Logging: Prevent trailing whitespaces in logs (#526)
* Test: add race detector
* Minor changes and fixes by U-v-U, CalmLong, dyhkwong

v4.35.1 Released

https://github.com/v2fly/v2ray-core/releases/tag/v4.35.1

New Features
* FakeDNS, an imaginary DNS server to preserve the domain information even if the software do not support proxy settings
* HybridDomainMatcher: a faster and more memory-efficient routing rule matcher.
* Outbound transport level proxySettings: comprehensive chained proxy support
* Support Apple Silicon: add pre-built binary for Apple Silicon named v2ray-macos-arm64-v8a.zip
* VMess: add zero pseudo encryption for better performance
* Support to disable DNS cache

So many other improvements see Github Release Note for detail.

v4.36.1 released.
—
Features

* Transport: add gRPC / gun transport. This transport's connections can be relayed over Nginx and other supported CDNs, have an ALPN of h2 and a built-in mux. (#757 #783)
-> Docs: Transport; gRPC transport

* Proxy: add loopback proxy. This proxy allows you to send connections back to router to be routed again. It is a drop-in replacement for modified outbound address and dokodemo-door setup while using less system resources. (#770)
-> Docs: Loopback

* Routing: add a faster and more memory-efficient routing rule matcher MphDomainMatcher that uses minimal perfect hash. (#743)
-> Docs: Routing

Fixes

* DNS: Refined DNS default setting logics in Android (#767)
* FakeDNS: use 198.18.0.0/15 as default FakeDNS IP pool (#779)

Notices

* VMess: From Jan 1, 2022, compatibility for legacy VMess MD5 will be disabled by default. Visit here for more information.
* You are able to compile exactly the same binaries as the ones in Assets section below by simply following the compiling guide.

For Downstream Developers

The Go module name of v2ray-core has been changed to github.com/v2fly/v2ray-core/v4. Do NOT use v2ray.com/core anymore.

v4.38.0 is released. (Unstable Release)

This release includes security functionality improvement for some users.

Feature

* FakeDNS: Added fakedns+others sniffer. Thanks yuhan6665 .
* TLS: A SECURITY improvement that allow the remote peer's TLS certificate to be pinned to a known value.
* Observatory: A component that measure the connectivity of selected outbounds.
* Routing : leastPing balancing strategy is added. This strategy will select a outbound that is alive and completed HTTPS GET request in the least time.

Chore

* Fixed two typo in comments. Thanks U-v-U

Security Advisory

* TLS connections with dangerous diagnose option allowInsecure turn on and without certificate pin with pinnedPeerCertificateChainSha256 will not be able protect your data at all from a attacker in privileged network path(for example ISP or any firewall or censorship infrastructure). This is especially dangerous when an unprotected protocol or option is used, such as any VLess configuration, VMess with none or zero security, and any trojan configuration, in which case your data is accessible to attacker in plain text and attacker can inject arbitrary data pretending to the the remote server. In the case of VLess and trojan, the proxy protocol access control credential is also exposed to the attacker, the attacker will be able to use your proxy. You are advised to use certificate pin (and/or other security features provided in a later version of V2Ray) whenever allowInsecure is turned on. Attempting to MITM your connection temporarily to identify TLS based proxy is a known threat.

v4.38.3 is released. (Stable Release)

This release includes security functionality improvement for some users.

Feature

* FakeDNS: Added fakedns+others sniffer. Thanks yuhan6665 .
* TLS: A SECURITY improvement that allow the remote peer's TLS certificate to be pinned to a known value.
* Observatory: A component that measure the connectivity of selected outbounds.
* Routing : leastPing balancing strategy is added. This strategy will select a outbound that is alive and completed HTTPS GET request in the least time.

Fix

* Fixed crashing in fake dns. Thanks IceCodeNew
* Added IPv6 pool in fake dns by default. Thanks Loyalsoldier
* Return ErrEmptyResponse for fakedns. Thanks sixg0000d
* Fixed UDP DNS connection cause crash. Thanks nekohasekai
* Multi-json support for observatory, browser forwarder. Thanks ha-ku AkinoKaede

Chore

* Fixed two typo in comments. Thanks U-v-U

Security Advisory

* TLS connections with dangerous diagnose option allowInsecure turn on and without certificate pin with pinnedPeerCertificateChainSha256 will not be able protect your data at all from a attacker in privileged network path(for example ISP or any firewall or censorship infrastructure). This is especially dangerous when an unprotected protocol or option is used, such as any VLess configuration, VMess with none or zero security, and any trojan configuration, in which case your data is accessible to attacker in plain text and attacker can inject arbitrary data pretending to the the remote server. In the case of VLess and trojan, the proxy protocol access control credential is also exposed to the attacker, the attacker will be able to use your proxy. You are advised to use certificate pin (and/or other security features provided in a later version of V2Ray) whenever allowInsecure is turned on. Attempting to MITM your connection temporarily to identify TLS based proxy is a known threat.

Due to increase in size of the geoip.dat file recently, devices with insufficient ROM/RAM are experiencing difficulties in using V2Ray. The solution is as follows:

* For RAM insufficient devices: Enable the Geodata loader optimized for memory-constrained devices by setting the environment variable V2RAY_CONF_GEOLOADER to value memconservative. For more details, see [documentation](https://www.v2fly.org/config/env.html#geodata-%E6%96%87%E4%BB%B6%E5%8A%A0%E8%BD%BD%E5%99%A8).
* For ROM insufficient devices:
* Use the newly added GeoIP file geoip-only-cn-private.dat in the zip package or download it from [release page](https://github.com/v2fly/geoip/releases), which only contains GeoIP list geoip:cn and geoip:private, or
* Customize your own GeoIP file via project [v2fly/geoip](https://github.com/v2fly/geoip).

v4.44.0 is released. (Stable, Security Release)

This release includes security enhancement for all users.

!!! Important SECURITY enhancement !!!
* Fix DoS attack vulnerability in CommandSwitchAccountFactory. (Thanks geeknik)

Security Advisory
This update fixes a DoS vulnerability in V2Ray. This vulnerability allows a VMess Server controlled by an attacker to crash a VMess Client by sending a specially crafted handshake response reply with an (optional) VMess SwitchAccount Command that is one byte shorter than expected. This vulnerability does NOT allow the attacker to retrieve any information from a client other than it used an unpatched version of the software and does NOT allow attacker to control the unpatched software or system. It is strongly recommended for all users to apply this security update at the earliest possible opportunity. We would like to thank geeknik for the responsible disclosure of this vulnerability.

此更新修复了在 V2Ray 中的一个拒绝服务攻击漏洞。这个漏洞允许攻击者控制的 VMess 服务器迫使 VMess 客户端崩溃。这个漏洞可以通过在 VMess 握手阶段向客户端发送一个恶意的回复数据包被触发，触发漏洞数据包的内容是比正确内容少一个字节的 VMess 切换账户指令。 攻击者 *无法* 通过这个漏洞获取来自客户端任何信息（除客户端尚未应用此安全更新以外），也 *不会* 允许攻击者控制客户端软件或系统。强烈推荐所有用户在第一时间应用本安全更新。我们在此感谢 geeknik 将此漏洞负责任的披露给我们。

v4.45.2 v5.0.7 is released. (Security Release)
This release includes security enhancement for all users.

## !!! Important SECURITY enhancement !!!
* Fix DoS attack vulnerability in VMess Option Processing. (Thanks @nekohasekai )

## Security Advisory
This update fixes a DoS vulnerability in V2Ray. This vulnerability allows a VMess Client with authentication information controlled by an attacker to crash a VMess Server by sending a specially crafted VMess handshake message with an invalid option or encryption type. This vulnerability does NOT allow the attacker to retrieve any information(other than it used an unpatched version of the software) and does NOT allow an attacker to control the unpatched software or system. It is strongly recommended for all users to apply this security update at the earliest possible opportunity. We would like to thank @nekohasekai for the discovery of this vulnerability.

此更新修复了在 V2Ray 中的一个拒绝服务攻击漏洞。这个漏洞允许攻击者控制的拥有认证信息的 VMess 客户端迫使 VMess 服务器端崩溃。这个漏洞可以通过在 VMess 握手阶段由客户端发送一个恶意的数据包被触发，触发漏洞数据包拥有无效的选项或加密方式。 攻击者 无法 通过这个漏洞获取任何信息（除客户端尚未应用此安全更新以外），也 不会 允许攻击者控制客户端软件或系统。强烈推荐所有用户在第一时间应用本安全更新。我们在此感谢 @nekohasekai 发现此漏洞。

Edit: Fixed a typo. Last version of this document withdrawn.

v5.2.1 User Preview is released. (stable version)

New Features
uTLS: TLS Client Hello imitation
DNS: Support per-client configuration
DNS: Support specifying domain matcher
Add bind to device to Windows and Darwin.
Replace default Health Ping URL to HTTPS for burst observatory.
Implement Match and MatchAny for all MatcherGroup, IndexMatcher

It also includes fixes to known issues, please refer to release note for more info.

v5.3.0 User Preview is released. (stable version)

New Features
uTLS: uTLS APLN Control

It also includes fixes to known issues, please refer to release note for more info.

v5.5.0 User Preview is released. (stable version)

It includes fixes to known issues, please refer to release note for more info.

v5.6.0 User Preview is released. (unstable version)

New Features
HTTP Proxy: Add h1SkipWaitForReply Option to HTTP Proxy Protocol; This allow you to run a V2Ray compatible HTTP Proxy server over WebSocket protocol on workerd.
set v2ray binary as an entrypoint in container images

In the upcoming release, we are adding support for a new transport: meek. It is highly censorship resistant by converting stream into plain HTTP request/responses, allowing it to be reflected by any service that can relay HTTP request/responses.

在下个版本中将包含新传输协议 meek 。此协议可以将连接转换为一般 HTTP 请求回复， 以期使用任何支持转发 HTTP 请求的服务来转发 meek 连接，无需再担心 IP 被封锁， WebSocket CDN 被阻碍的问题。这个协议的速度很有限，不求跑满万兆带宽，只愿送抵万金家书。

v5.7.0 User Preview is released. (unstable version)

New Features
meek transport: plain HTTP request/response based transport. Its traffic can be forwarded by any service that can forward HTTP traffics.

A V2Ray developer have delivered a keynote speech at Free and Open Communications on the Internet 2023 named Bridging the gap between anti-censorship research and real world problems. The script for this keynote is now released: https://github.com/v2fly/v2ray-core/discussions/2623

v5.9.0 User Preview is released. (stable version)
New Features
Tun service: It allows the creation of tun interface that accept network packet and convert them to stream based traffic. This is an alternative method of transparent proxy. It is supported on arm64 and amd64 version of Linux operating system.
uTLS h2 transport support.

v5.10.1 User Preview is released.
New Features
HTTPUpgrade transport: It is a reduced version of WebSocket Transport that can pass many reverse proxies and CDNs without running a WebSocket protocol stack. We have a questionnair ready for you once you tried to deploy it. It will help us improve this transport and V2Ray. 新功能：HTTPUpgrade 传输协议，精简版 WebSocket 免去使用Websocket 协议栈的同时还能继续被反向代理CDN转发。在您尝试部署后欢迎填写问卷反馈体验帮助 V2Ray 改进。问卷支持中文。

There was some transient(hopefully) instability of GitHub that shows a 404 result for some of V2Ray/Fly's repo, however, do not panic, we are here to stay and stand with you. 目前GitHub出现了一些临时(但愿) 的异常以至于V2的仓库出现404无法访问异常。不要惊慌，因为我们不屈不渝，与你同在！

v5.11.0 User Preview is released. (stable version)
New Features
Feat: add sniffing for TUN

v5.12.0 User Preview is released. (unstable version)
New Features
Shadowsocks2022 Client Support
Apply DomainStrategy to outbound target
Add DomainStrategy to JSONv5 outbound

v5.13.0 User Preview is released. (unstable version)
New Features
Subscription Manager: added subscription support.