Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Update google.golang.org/grpc and golang.org/x/net #1075

Merged
merged 1 commit into from
Oct 31, 2023
Merged

chore(deps): Update google.golang.org/grpc and golang.org/x/net #1075

merged 1 commit into from
Oct 31, 2023

Conversation

yitsushi
Copy link
Collaborator

Reason: GHSA-m425-mq94-257g

Impact

In affected releases of gRPC-Go, it is possible for an attacker to
send HTTP/2 requests, cancel them, and send subsequent requests, which
is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to
launch more concurrent method handlers than the configured maximum
stream limit.

Patches

This vulnerability was addressed by #6703 and has been included in
patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the
latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using
the grpc.MaxConcurrentStreams server option to apply a limit to the
server's resources used for any single connection.

Workarounds

None.

References:

@yitsushi yitsushi mentioned this pull request Oct 30, 2023
Merged
@yitsushi yitsushi requested a review from chanwit October 30, 2023 16:56
@yitsushi yitsushi marked this pull request as ready for review October 30, 2023 16:56
yiannistri
yiannistri reviewed Oct 31, 2023
View reviewed changes
go.mod Outdated
@@ -205,7 +197,7 @@ replace (
github.com/hashicorp/terraform-exec v0.16.1 => github.com/tf-controller/terraform-exec v0.15.1-0.20220809152546-4850a69faedb

// Fix CVE-2023-32731
google.golang.org/grpc => google.golang.org/grpc v1.53.0
google.golang.org/grpc => google.golang.org/grpc v1.56.3
Copy link
Contributor

@yiannistri yiannistri Oct 31, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would move this out of the replace directive, as I don't understand why we need to pin this to an earlier version. Alternatively if we have to pin it to a specific version, I would update the comment above to indicate which CVE this addresses.

@yitsushi
chore(deps): Update google.golang.org/grpc and golang.org/x/net
17087f8 
Reason: GHSA-m425-mq94-257g

> Impact
>
> In affected releases of gRPC-Go, it is possible for an attacker to
> send HTTP/2 requests, cancel them, and send subsequent requests, which
> is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to
> launch more concurrent method handlers than the configured maximum
> stream limit.
>
> Patches
>
> This vulnerability was addressed by #6703 and has been included in
> patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the
> latest release, 1.59.0.
>
> Along with applying the patch, users should also ensure they are using
> the grpc.MaxConcurrentStreams server option to apply a limit to the
> server's resources used for any single connection.
>
> Workarounds
>
> None.

References:
* GHSA-m425-mq94-257g
* grpc/grpc-go#6703

Signed-off-by: Balazs Nadasdi <balazs@weave.works>
@yitsushi yitsushi merged commit 63102b3 into main Oct 31, 2023
15 checks passed
@bigkevmcd bigkevmcd deleted the sec-update-grpc branch December 12, 2023 17:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yiannistri yiannistri yiannistri approved these changes

@chanwit chanwit Awaiting requested review from chanwit

@squaremo squaremo Awaiting requested review from squaremo

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yitsushi @yiannistri