Description
go-socks5 supports UDP ASSOCIATE (which is nice), but go-socks5 v0.0.5 unconditionally binds on all interfaces when ASSOCIATE is invoked. This means, in theory, if your SOCKS5 client were to call UDP ASSOCIATE on wireproxy's socks5 server, it would allow anyone on your Wi-Fi/LAN to piggyback through your WG tunnel by port scanning you and sending encapsulated UDP packets through the bound ASSOCIATE tunnel. This can be dangerous if you're on any kind of public Wi-Fi.
This behavior was fixed in v0.1.0. It now either binds to the loopback or the bindIP (depending on the value of useBindIpBaseResolveAsUdpAddr).
I feel comfortable disclosing this publicly because I see it as low risk: very few socks5 clients support ASSOCIATE, and the UDP tunnel can only be opened by calling ASSOCIATE through a TCP connection to the socks5 proxy.
Please upgrade to v0.1.0, but also, please leave UDP ASSOCIATE enabled (it's very useful).
Full disclosure: I haven't confirmed this is a true vulnerability, but from my reading of the code, it definitely seems to be an attack vector.
- Hiro
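
An added Go sketch of the bind-address difference this issue describes (not code from go-socks5 or wireproxy, and not part of the original post). `relayAddr`, `exposed`, `bindAndCheck` and `fromClient` are hypothetical names; the wildcard bind stands in for the v0.0.5 behaviour as described above, and the source-IP check goes one step beyond the bind fix by applying the RFC 1928 section 7 rule.

```go
package main

import (
	"fmt"
	"net"
)

// relayAddr picks the local address for the UDP ASSOCIATE relay socket.
// Hypothetical helper: loopback unless the operator opts in to a specific bindIP.
func relayAddr(bindIP net.IP, useBindIP bool) *net.UDPAddr {
	if useBindIP && bindIP != nil && !bindIP.IsUnspecified() {
		return &net.UDPAddr{IP: bindIP}
	}
	return &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)}
}

// exposed reports whether a bound address is the wildcard (all interfaces).
func exposed(local net.Addr) bool {
	u, ok := local.(*net.UDPAddr)
	return ok && (len(u.IP) == 0 || u.IP.IsUnspecified())
}

// bindAndCheck binds a UDP socket on an ephemeral port and reports exposure.
func bindAndCheck(addr *net.UDPAddr) (bool, error) {
	c, err := net.ListenUDP("udp", addr)
	if err != nil {
		return false, err
	}
	defer c.Close()
	return exposed(c.LocalAddr()), nil
}

// fromClient applies the RFC 1928 section 7 rule: drop datagrams whose source
// IP is not the client that requested the association over TCP.
func fromClient(src *net.UDPAddr, clientIP net.IP) bool {
	return src != nil && src.IP.Equal(clientIP)
}

func main() {
	wild, _ := bindAndCheck(&net.UDPAddr{}) // all-interfaces bind, as described for v0.0.5
	loop, _ := bindAndCheck(relayAddr(nil, false))
	fmt.Println("wildcard bind exposed:", wild)
	fmt.Println("loopback bind exposed:", loop)
	// Constructed sample address (RFC 5737 documentation range).
	peer := &net.UDPAddr{IP: net.ParseIP("192.0.2.77"), Port: 40000}
	fmt.Println("LAN peer accepted:", fromClient(peer, net.IPv4(127, 0, 0, 1)))
}
```

The same `exposed` check can be run against `LocalAddr()` of any relay socket in a test to catch a regression to a wildcard bind.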