-
Notifications
You must be signed in to change notification settings - Fork 773
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolve CVE-2023-32731 #4647
Resolve CVE-2023-32731 #4647
Conversation
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #4647 +/- ##
=======================================
Coverage 84.98% 84.99%
=======================================
Files 314 314
Lines 12683 12685 +2
=======================================
+ Hits 10779 10781 +2
Misses 1904 1904
|
@@ -7,7 +7,7 @@ | |||
<ItemGroup> | |||
<PackageVersion Include="Google.Protobuf" Version="[3.19.4,4.0)" /> | |||
<PackageVersion Include="Grpc" Version="[2.44.0,3.0)" /> | |||
<PackageVersion Include="Grpc.Net.Client" Version="[2.45.0,3.0)" /> | |||
<PackageVersion Include="Grpc.Net.Client" Version="[2.52.0,3.0)" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure 2.52.0 contains the fix? Based on the PR you reference, it looks like when it was merged its commit is tagged with 2.53.0 grpc/grpc@29d8bee
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, my mistake the fix was the PR is against the core grpc repo not Grpc.Net.Client.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2.52.0
is also the lowest available version of the package with no known vulnerabilities.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://www.nuget.org/packages/Grpc.Net.Client this is the one we'll be using.
I guess the general rule here is to reference the lowest version that is not deprecated?
@Kielek heads up... |
@open-telemetry/dotnet-instrumentation-maintainers FYI |
@alanwest, thanks for the information. Unfortunately, it is a good reason to update. |
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
grpc/grpc#32309