Please release an upgrade of /cmd/protoc-gen-go-grpc/go.mod to security-fixed protobuf v1.33.0
edcrewe opened this issue · comments
Please upgrade go.mod
See https://github.com/grpc/grpc-go/blob/cmd/protoc-gen-go-grpc/v1.3.0/cmd/protoc-gen-go-grpc/go.mod
Security issue with
require google.golang.org/protobuf v1.28.1
google.golang.org/protobuf │ CVE-2024-24786 │ MEDIUM │ fixed │ v1.28.1 │ 1.33.0 │ golang-protobuf: encoding/protojson, internal/encoding/json: │
infinite loop in protojson.Unmarshal when unmarshaling certain forms of... https://avd.aquasec.com/nvd/cve-2024-24786
upgrade to
require google.golang.org/protobuf v1.33.0
(ideally upgrade to a more recent Go version than 1.17 whilst you are at it!)
Sorry, we realized you have already done this work; it is just waiting for a new release version for the changes at https://github.com/grpc/grpc-go/blob/master/cmd/protoc-gen-go-grpc/main.go
I'd like to wait on #7057 before doing the next release if possible, which might be a couple weeks.
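A defender-side check for the condition this issue describes, added here as an example and not code from grpc-go: it scans a go.mod for the google.golang.org/protobuf require line (single-line or block form, with or without `// indirect`) and reports whether the pinned version predates the v1.33.0 fix. The go.mod text is constructed to mirror the one in the issue, and the function names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// Module and fixed version named in the issue above (CVE-2024-24786).
const protobufModule, protobufFixed = "google.golang.org/protobuf", "v1.33.0"
// olderThan reports whether semver a sorts before b; any pre-release suffix is ignored.
func olderThan(a, b string) (bool, error) {
	var x, y [3]int
	if _, err := fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2]); err != nil {
		return false, fmt.Errorf("bad version %q: %w", a, err)
	}
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2]) // b is the trusted constant here
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i], nil
		}
	}
	return false, nil
}
// requiredVersion returns the version go.mod pins for module: `require m vX`, an entry in a `require ( ... )` block, with or without a trailing `// indirect`.
func requiredVersion(gomod, module string) (string, bool) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false // also stops us reading `replace (` entries as versions
		case len(f) >= 3 && f[0] == "require" && f[1] == module:
			return f[2], true
		case inBlock && len(f) >= 2 && f[0] == module:
			return f[1], true
		}
	}
	return "", false
}
// ProtobufVulnerable returns the pinned protobuf version and whether it predates the fix; a go.mod that does not require protobuf at all is not affected.
func ProtobufVulnerable(gomod string) (string, bool, error) {
	if ver, ok := requiredVersion(gomod, protobufModule); ok {
		vuln, err := olderThan(ver, protobufFixed)
		return ver, vuln, err
	}
	return "", false, nil
}
// Constructed go.mod mirroring the one the issue describes (not the real file).
const sampleGoMod = "module example.com/protoc-gen-go-grpc\n\ngo 1.17\n\nrequire google.golang.org/protobuf v1.28.1\n"
```

Running it over a real module is a matter of reading the file into a string; an unparsable version (for example a pseudo-version from a replace directive) is reported as an error rather than silently passing.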