CVE issue

Question

CVE issue

limbuster opened this issue a year ago · comments

Can we make a new release to address the following CVE? The updated version of the affected package has already been merged to master branch.

Affected package: google.golang.org/grpc
Vulnerability: GHSA-m425-mq94-257g | gRPC-Go HTTP/2 Rapid Reset vulnerability

Kuljeet Kumar · Answer 1 · Thu Oct 26 2023 16:13:31 GMT+0800 (China Standard Time)

+1 Release Urgently Required.

Štefan Baebler · Answer 2 · Thu Oct 26 2023 22:21:52 GMT+0800 (China Standard Time)

CVE-2023-44487 was already

partially fixed related CVE-2023-44487 in release v0.4.21 via #160 and
grpc fixed on master via unreleased #166.

It seems it just needs a release.

Kumar Limbu · Answer 3 · Fri Oct 27 2023 09:49:59 GMT+0800 (China Standard Time)

@stefanb Yes, just needs a new release.

ns-yuhanl · Answer 4 · Fri Oct 27 2023 09:56:03 GMT+0800 (China Standard Time)

@stefanb yes, we just need a new release with the updated google.golang.org/grpc

Štefan Baebler · Answer 5 · Fri Oct 27 2023 12:12:00 GMT+0800 (China Standard Time)

@ahmetb, please review above and if you agree create a new release v0.4.22 at:
https://github.com/grpc-ecosystem/grpc-health-probe/releases/new

Ahmet Alp Balkan · Answer 6 · Fri Oct 27 2023 13:59:24 GMT+0800 (China Standard Time)

I don't think this impacts grpc clients? This tool is not a grpc server either so I don't think it's applicable. It's quite laborious to keep releasing updates for issues not really impacting the tool.

Ahmet Alp Balkan · Answer 7 · Fri Oct 27 2023 14:03:09 GMT+0800 (China Standard Time)

Tagged v0.4.22.

Štefan Baebler · Answer 8 · Fri Oct 27 2023 14:29:00 GMT+0800 (China Standard Time)

I don't think this impacts grpc clients? This tool is not a grpc server either so I don't think it's applicable. It's quite laborious to keep releasing updates for issues not really impacting the tool.

Indeed. But people are getting warnings (false positive in this case) from various tools and want to silence them.