Eight new DoS vulnerabilities in HTTP/2 implementations were disclosed today, as detailed by CERT Vulnerability Note VU#605641 <https://kb.cert.org/vuls/id/605641/>. gRPC implementations were potentially impacted by the following: CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood).
The following versions of gRPC contain fixes to these CVEs:

- gRPC-Go: 1.23.0, 1.22.2, 1.21.3
  - Original fix: grpc/grpc-go#2970 <https://github.com/grpc/grpc-go/pull/2970>
- gRPC-Java: 1.23.0, 1.22.2, 1.21.1
  - (These releases are currently available but may not be indexed on search.maven.org.)
  - Original fix: grpc/grpc-java#6056 <https://github.com/grpc/grpc-java/pull/6056>
- gRPC-C and wrapped languages: 1.23.0, 1.22.1
  - (Releases currently in progress.)
  - Original fix: grpc/grpc#19924 <https://github.com/grpc/grpc/pull/19924>

We recommend updating to one of these releases as soon as possible.