Eight new DoS vulnerabilities in HTTP/2 implementations were disclosed
today, as detailed by CERT Vulnerability Note VU#605641
<https://kb.cert.org/vuls/id/605641/>. gRPC implementations were
potentially impacted by the following: CVE-2019-9512 (Ping Flood),
CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood).
The following versions of gRPC contain fixes to these CVEs:
- gRPC-Go: 1.23.0, 1.22.2, 1.21.3
- Original fix: grpc/grpc-go#2970
<https://github.com/grpc/grpc-go/pull/2970>)
- gRPC-Java: 1.23.0, 1.22.2, 1.21.1
- (These releases are currently available but may not be indexed on
search.maven.org.)
- Original fix: grpc/grpc-java#6056
<https://github.com/grpc/grpc-java/pull/6056>
- gRPC-C and wrapped languages: 1.23.0, 1.22.1
- (Releases currently in progress.)
- Original fix: grpc/grpc#19924
<https://github.com/grpc/grpc/pull/19924>
We recommend updating to one of these releases as soon as possible.
--
You received this message because you are subscribed to the Google Groups
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/CAMTLisJ6q6sRCpdWVH9yf%2BCm6XANw7PuxB%2B1fwNjSqLE8X8trA%40mail.gmail.com.
