Skip to content
This repository has been archived by the owner on Oct 13, 2023. It is now read-only.

[19.03 backport] bump google.golang.org/grpc v1.23.0 (CVE-2019-9512, CVE-2019-9514, CVE-2019-9515) #340

Merged
merged 2 commits into from
Sep 23, 2019

Conversation

thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Aug 28, 2019

built on top of #339. the first commit is from #339 (rebased)

backport of moby#39798
fixes ENGCORE-975
addresses ENGCORE-971

full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Also updating containerd/ttrpc to get containerd/ttrpc#46 in;

full diff: containerd/ttrpc@699c4e4...92c8520

changes:

@thaJeztah thaJeztah modified the milestones: 19.03.2, 19.03.3 Aug 28, 2019
@thaJeztah thaJeztah force-pushed the 19.03_backport_bump_grpc branch 2 times, most recently from c4eb2b0 to 3c89c99 Compare September 6, 2019 21:07
@thaJeztah
Copy link
Member Author

Jenkins killed the PowerPC tests after 1 minute something (no idea why)

Screenshot 2019-09-07 at 01 25 24

@thaJeztah
Copy link
Member Author

kicked Jenkins again.. 7 times is a charm, right? 😂

full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

- transport: block reading frames when too many transport control frames are queued (grpc/grpc-go#2970)
  - Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit f1cd799)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: containerd/ttrpc@699c4e4...92c8520

changes:

- containerd/ttrpc#37 Handle EOF to prevent file descriptor leak
- containerd/ttrpc#38 Improve connection error handling
- containerd/ttrpc#40 Support headers
- containerd/ttrpc#41 Add client and server unary interceptors
- containerd/ttrpc#43 metadata as KeyValue type
- containerd/ttrpc#42 Refactor close handling for ttrpc clients
- containerd/ttrpc#44 Fix method full name generation
- containerd/ttrpc#46 Client.Call(): do not return error if no Status is set (gRPC v1.23 and up)
- containerd/ttrpc#49 Handle ok status

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 8769255)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
Copy link
Member Author

7 times is a charm, right? 😂

Apparently not; 8 and 9 were no luck as well; kicked number 10 (and disabled RS1)

Copy link

@andrewhsu andrewhsu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

Copy link

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

@andrewhsu andrewhsu merged commit c27f11f into docker-archive:19.03 Sep 23, 2019
@thaJeztah thaJeztah deleted the 19.03_backport_bump_grpc branch September 23, 2019 16:34
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants