grpc / grpc-go

The Go language implementation of gRPC. HTTP/2 based RPC

Home Page:https://grpc.io


Please release upgrade /cmd/protoc-gen-go-grpc /go.mod to security fixed protobuf v1.33.0

edcrewe opened this issue · comments

Please upgrade go.mod.

See https://github.com/grpc/grpc-go/blob/cmd/protoc-gen-go-grpc/v1.3.0/cmd/protoc-gen-go-grpc/go.mod

Security issue with

    require google.golang.org/protobuf v1.28.1

    google.golang.org/protobuf │ CVE-2024-24786 │ MEDIUM │ fixed │ v1.28.1 │ 1.33.0 │ golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of... https://avd.aquasec.com/nvd/cve-2024-24786

Upgrade to

    require google.golang.org/protobuf v1.33.0

(Ideally upgrade to a more recent Go version than 1.17 whilst you are at it!)
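The check behind this report, as an added example that is not part of the issue or of grpc-go: a small Go program that parses the `require` directives of a go.mod (single-line and block form), reads the pinned `google.golang.org/protobuf` version, and reports whether it is below the fixed version the scanner output names (v1.33.0 for CVE-2024-24786). The go.mod text is constructed to mirror the pin quoted above; the semver comparison is a minimal hand-written one (major.minor.patch, with a pre-release suffix ordered before the release) rather than golang.org/x/mod/semver, so it runs with the standard library only.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod mirroring the pin quoted in the issue (sample input, not the real file).
const sampleGoMod = `module google.golang.org/grpc/cmd/protoc-gen-go-grpc

go 1.17

require (
	google.golang.org/protobuf v1.28.1 // indirect
	google.golang.org/grpc v1.55.0
)
`

// Fixed version for CVE-2024-24786 as stated in the scanner output above.
const protobufFixedVersion = "v1.33.0"
const protobufModule = "google.golang.org/protobuf"

// requiredVersions parses both "require path vX" lines and "require ( ... )"
// blocks, ignoring trailing "// indirect" comments. Returns module path -> version.
func requiredVersions(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		switch {
		case line == "":
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require ") && len(fields) == 3:
			out[fields[1]] = fields[2]
		case inBlock && len(fields) >= 2:
			out[fields[0]] = fields[1]
		}
	}
	return out
}

// parseSemver splits "v1.28.1" or "v1.33.0-rc1" into [major, minor, patch]
// and reports whether a pre-release suffix was present.
func parseSemver(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = strings.HasPrefix(v[i:], "-")
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// compareSemver returns -1, 0 or 1; a pre-release sorts below the same release.
func compareSemver(a, b string) (int, error) {
	na, preA, okA := parseSemver(a)
	nb, preB, okB := parseSemver(b)
	if !okA || !okB {
		return 0, fmt.Errorf("unparseable version: %q vs %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case preA && !preB:
		return -1, nil
	case !preA && preB:
		return 1, nil
	}
	return 0, nil
}

// protobufVulnerable reports the pinned protobuf version and whether it is
// below the fixed version. A go.mod that does not require the module at all
// is reported as not vulnerable by this file (it could still arrive transitively).
func protobufVulnerable(goMod string) (pinned string, vulnerable bool, err error) {
	pinned, ok := requiredVersions(goMod)[protobufModule]
	if !ok {
		return "", false, nil
	}
	c, err := compareSemver(pinned, protobufFixedVersion)
	if err != nil {
		return pinned, false, err
	}
	return pinned, c < 0, nil
}

func main() {
	pinned, vuln, err := protobufVulnerable(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if vuln {
		fmt.Printf("%s %s is below %s (CVE-2024-24786); bump the pin and run go mod tidy\n",
			protobufModule, pinned, protobufFixedVersion)
		return
	}
	fmt.Printf("%s pin %q is at or above %s\n", protobufModule, pinned, protobufFixedVersion)
}
```

The check only looks at direct pins in one go.mod; for the transitive case, `go list -m all` shows the resolved version of every module in the build, and `govulncheck` (golang.org/x/vuln) reports whether vulnerable functions are actually reachable, which is the better signal before deciding a release is needed.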

Sorry, we realized you have already done this work; it is just waiting for a new release version for the changes at https://github.com/grpc/grpc-go/blob/master/cmd/protoc-gen-go-grpc/main.go

I'd like to wait on #7057 before doing the next release if possible, which might be a couple weeks.