Update dependency grpcio to v1.53.2 [SECURITY] #353
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==1.47.0
->==1.53.2
GitHub Vulnerability Alerts
CVE-2023-32731
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309
CVE-2023-1428
There exists an vulnerability causing an abort() to be called in gRPC.
The following headers cause gRPC's C++ implementation to abort() when called via http2:
te: x (x != trailers)
:scheme: x (x != http, https)
grpclb_client_stats: x (x == anything)
On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.
CVE-2023-32732
gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for
-bin
suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309.CVE-2023-33953
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:
The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.
The unbounded memory buffering bugs:
Release Notes
grpc/grpc (grpcio)
v1.53.2
Compare Source
This is release gRPC Core 1.53.2 (glockenspiel).
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes.
Core
v1.53.1
Compare Source
This is release gRPC Core 1.53.1 (glockenspiel).
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes.
v1.53.0
Compare Source
This is release 1.53.0 (glockenspiel) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
Core
C++
C#
Python
Ruby
v1.52.0
Compare Source
This is release 1.52.0 (gribkoff) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
Core
C++
C#
Python
UnaryStreamCall
andStreamStreamCall
fromAsyncIterable
toAsyncIterator
. (#31906)Ruby
v1.51.3
Compare Source
This is release gRPC Core 1.51.3 (galaxy).
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.
Python
v1.51.1
Compare Source
This is release gRPC Core 1.51.1 (galaxy).
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes.
Python
v1.51.0
Compare Source
This is release gRPC Core 1.51.0 (galaxy).
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes.
Core
2022110
. (#31585)C++
C#
PHP
Python
v1.50.0
Compare Source
This is release gRPC Core 1.50.0 (galley).
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
Core
gpr_codegen
. (#30899)C++
C#
Python
Ruby
v1.49.1
Compare Source
This is release 1.49.1 (gamma) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
All
Ruby
v1.49.0
Compare Source
This is release 1.49.0 (gamma) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
Core
Python
Ruby
v1.48.2
Compare Source
This is release 1.48.2 (garum) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
All
v1.48.1
Compare Source
This is release 1.48.1 (garum) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
Core
v1.48.0
Compare Source
This is release 1.48.0 (garum) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
Core
2022062
.0 . (#30155)Python
Ruby
Objective-C
First developer preview of XCFramework binary distribution via Cocoapod (#28749).
This brings in significant speed up to local compile time and includes support for Apple Silicon build.
v1.47.5
Compare Source
This is release 1.47.5 (gridman) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.
Python
v1.47.2
Compare Source
This is release 1.47.2 (gridman) of gRPC Core.
For gRPC documentation, see grpc.io. For previous releases, see Releases.
This release contains refinements, improvements, and bug fixes, with highlights listed below.
All
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.