Security Vulnerability: Update grpc version to at least 1.58.3

Question

Security Vulnerability: Update grpc version to at least 1.58.3

RohanNagar opened this issue 9 months ago · comments

Rohan Nagar commented 9 months ago

Recently a CVE was discovered which affects the current version of grpc used by this tool.

GHSA-m425-mq94-257g

Please update google.golang.org/grpc to 1.58.3 or higher.

enakshipriya commented 6 months ago

+1

Scott Blum · Answer 1 · Fri Nov 10 2023 21:20:35 GMT+0800 (China Standard Time)

But grpcurl doesn't act as an http server? So how are we actually vulnerable?

Scott Blum · Answer 2 · Fri Nov 10 2023 21:21:18 GMT+0800 (China Standard Time)

In other words, I don't see any urgency on this. Dependabot will eventually push an update.

Rohan Nagar · Answer 3 · Sat Nov 11 2023 07:18:53 GMT+0800 (China Standard Time)

Agreed that the vulnerability shouldn't actually affect grpcurl. Unfortunately, security scanners are flagging this for us so we are looking to have the package upgraded.

Brandon Chesley · Answer 4 · Sat Feb 17 2024 00:21:18 GMT+0800 (China Standard Time)

+1 . Please :)

Scott Blum · Answer 5 · Sat Feb 17 2024 01:34:01 GMT+0800 (China Standard Time)

This was already fixed here: #427

Rohan Nagar · Answer 6 · Sat Feb 17 2024 13:23:59 GMT+0800 (China Standard Time)

@dragonsinth any idea when the next release will be?

Scott Blum · Answer 7 · Sat Feb 17 2024 21:12:25 GMT+0800 (China Standard Time)

IDK, I guess we could do one soon. I figure anyone who super-cares can build from code using the latest Go, to also pull in any hypothetical Golang fixes.