This release resolves the DoS vulnerability CVE-2019-9515 (HTTP/2 SETTINGS flood). Users running the grpc-netty server with connections from untrusted clients should upgrade.
The release is available on both JCenter and Maven Central.

Dependencies
- Bump netty to 4.1.38
- Bump PerfMark to 0.17.0
- Bump protobuf to 3.9.0

Bug Fixes
- netty: Limit the number of frames a client can cause the server to enqueue (#6056 <https://github.com/grpc/grpc-java/pull/6056>). Addresses CVE-2019-9515 (SETTINGS flood). While grpc-java was not vulnerable to CVE-2019-9512 (PING flood) or CVE-2019-9514 (RST_STREAM flood), the fix provides protection against these attacks as well.
- alts: Fix server hang (#5900 <https://github.com/grpc/grpc-java/pull/5900>)
- context: Fix race between CancellableContext and Context (#5981 <https://github.com/grpc/grpc-java/pull/5981>)
- stub: Avoid race in onHalfClose server StreamObserver (#5991 <https://github.com/grpc/grpc-java/pull/5991>)
- core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048 <https://github.com/grpc/grpc-java/pull/6048>). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 <https://github.com/googleapis/google-cloud-java/issues/5810> and googleapis/google-cloud-java#5801 <https://github.com/googleapis/google-cloud-java/issues/5801>

API Changes
- core: Add @Nullable to the getter for trailers on StatusRuntimeException (#5951 <https://github.com/grpc/grpc-java/pull/5951>)
- core: ClientStream.getAttributes() can be called at any time (#5904 <https://github.com/grpc/grpc-java/pull/5904>)
- core,netty: Block server shutdown until the socket is unbound (#5905 <https://github.com/grpc/grpc-java/pull/5905>)
- netty: Users providing an EventLoopGroup and/or ChannelType to NettyServerBuilder or NettyChannelBuilder must provide all of them or none; otherwise the builder throws an IllegalStateException (#6014 <https://github.com/grpc/grpc-java/pull/6014>)

New Features
- Make //compiler:grpc_java_plugin publicly visible again (#5947 <https://github.com/grpc/grpc-java/pull/5947>)
- java_grpc_library.bzl: Work with proto_library rules using strip_import_prefix / import_prefix (#5959 <https://github.com/grpc/grpc-java/pull/5959>)
- Make .proto import path computation work with virtual protos in the main repository (#5967 <https://github.com/grpc/grpc-java/pull/5967>)
- core: Attach debug information about the stream to DEADLINE_EXCEEDED (#5892 <https://github.com/grpc/grpc-java/pull/5892>)

Documentation
- Provide an example of hedging in examples <https://github.com/grpc/grpc-java/blob/master/examples>
- compiler: Add a note about where to download the precompiled version of the plugin (#6022 <https://github.com/grpc/grpc-java/pull/6022>)

Acknowledgements
@aaliddell <https://github.com/aaliddell> Adam Liddell
@DarrienG <https://github.com/DarrienG> Darrien Glasser
@jadekler <https://github.com/jadekler> Jean de Klerk
@lberki <https://github.com/lberki> Lukacs T. Berki
@liym <https://github.com/liym> stbridge
@mkobit <https://github.com/mkobit> Mike Kobit
@tiggerlee2 <https://github.com/tiggerlee2> Shuangtai Li
@zhaonian <https://github.com/zhaonian> Zhaonian Luan

--
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/1f902d04-9d4d-42eb-965b-19318446c2e2%40googlegroups.com.
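To make the SETTINGS-flood mechanism behind CVE-2019-9515 and the shape of the mitigation listed under Bug Fixes ("limit the number of frames a client can cause the server to enqueue") concrete, here is an added, self-contained Java model. It is not grpc-java's or Netty's code. It builds raw 9-byte HTTP/2 frame headers, has a simulated server queue one control frame (SETTINGS ACK or PING ACK) per inbound SETTINGS or PING frame, and disconnects the peer once the number of queued-but-unwritten control frames exceeds an illustrative cap. The class names, the drain() bookkeeping and the MAX_QUEUED_CONTROL_FRAMES value of 10000 are this example's assumptions, not values taken from the release.

```java
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.Deque;

/** Model of a per-connection control-frame limit (illustrative; not grpc-java's implementation). */
public final class SettingsFloodLimitDemo {

    // HTTP/2 frame type codes and the ACK flag (RFC 7540, section 6).
    static final int TYPE_SETTINGS = 0x4;
    static final int TYPE_PING = 0x6;
    static final int FLAG_ACK = 0x1;

    // Assumed cap on control frames queued but not yet written to the socket.
    static final int MAX_QUEUED_CONTROL_FRAMES = 10_000;

    /** 9-byte HTTP/2 frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id. */
    static byte[] frameHeader(int length, int type, int flags, int streamId) {
        ByteBuffer b = ByteBuffer.allocate(9);
        b.put((byte) (length >>> 16)).put((byte) (length >>> 8)).put((byte) length);
        b.put((byte) type).put((byte) flags);
        b.putInt(streamId & 0x7FFFFFFF);
        return b.array();
    }

    static int frameType(byte[] header) { return header[3] & 0xFF; }
    static int frameFlags(byte[] header) { return header[4] & 0xFF; }

    /** Server side of one HTTP/2 connection, reduced to the control-frame write queue. */
    static final class ServerConnection {
        private final Deque<byte[]> pendingControlFrames = new ArrayDeque<>();
        private boolean closed;

        /** Handle one inbound frame header; SETTINGS and PING each force a reply the server must queue. */
        void onFrame(byte[] header) {
            if (closed) return;
            int type = frameType(header);
            boolean isAck = (frameFlags(header) & FLAG_ACK) != 0;
            if (type == TYPE_SETTINGS && !isAck) {
                queue(frameHeader(0, TYPE_SETTINGS, FLAG_ACK, 0));
            } else if (type == TYPE_PING && !isAck) {
                queue(frameHeader(8, TYPE_PING, FLAG_ACK, 0));   // PING ACK echoes 8 opaque bytes
            }
            // DATA/HEADERS are subject to HTTP/2 flow control and are not modelled here.
        }

        private void queue(byte[] frame) {
            pendingControlFrames.addLast(frame);
            if (pendingControlFrames.size() > MAX_QUEUED_CONTROL_FRAMES) {
                // The peer is forcing writes it refuses to read: tear the connection down and
                // release the queue instead of letting it grow with every 9 attacker bytes.
                closed = true;
                pendingControlFrames.clear();
            }
        }

        /** The peer read from the socket, so up to n queued frames are written and released. */
        void drain(int n) {
            for (int i = 0; i < n && !pendingControlFrames.isEmpty(); i++) {
                pendingControlFrames.pollFirst();
            }
        }

        int pending() { return pendingControlFrames.size(); }
        boolean isClosed() { return closed; }
    }

    public static void main(String[] args) {
        byte[] settings = frameHeader(0, TYPE_SETTINGS, 0, 0);   // empty SETTINGS frame: 9 bytes on the wire

        // Cooperative client: sends many SETTINGS frames but reads the ACKs, so the queue never builds up.
        ServerConnection polite = new ServerConnection();
        for (int i = 0; i < 100_000; i++) {
            polite.onFrame(settings);
            polite.drain(1);
        }
        System.out.printf("polite client: closed=%b pending=%d%n", polite.isClosed(), polite.pending());

        // Flooding client: sends SETTINGS as fast as the link allows and never reads.
        // Without the cap the server's write queue would grow without bound.
        ServerConnection flooder = new ServerConnection();
        int sent = 0;
        while (!flooder.isClosed()) {
            flooder.onFrame(settings);
            sent++;
        }
        System.out.printf("flooder: connection closed after %d SETTINGS frames (%d bytes sent)%n", sent, sent * 9);
    }
}
```

Compile and run with javac and java; the cooperative connection stays open with an empty queue, while the flooder is disconnected after 10001 frames (about 90 KB of attacker traffic). The same queue also absorbs PING ACKs, which is why a cap of this kind also covers the PING flood (CVE-2019-9512) mentioned in the release note, even though grpc-java was not exposed to it. In production the cap is enforced inside the transport, so the check you want to make after upgrading is simply that the server artifact on the classpath is this release or later.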
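The new all-or-none rule for NettyServerBuilder and NettyChannelBuilder (#6014) is easy to trip over when only a channel type is customised. The following is an added example, not code from the release or the grpc-java repository; it assumes grpc-netty and Netty's NIO transport on the classpath and uses the builders' existing setters bossEventLoopGroup, workerEventLoopGroup, channelType, eventLoopGroup and usePlaintext. The expectation that the partial configuration fails at build() with an IllegalStateException follows the release note.

```java
import io.grpc.ManagedChannel;
import io.grpc.Server;
import io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.NettyServerBuilder;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;

/** Illustrative use of the all-or-none EventLoopGroup/ChannelType rule (example code, not grpc-java's). */
public final class NettyTransportConfig {

    /** Server: boss group, worker group and channel type are all supplied together. */
    static Server buildServer(int port, EventLoopGroup boss, EventLoopGroup worker) {
        return NettyServerBuilder.forPort(port)
            .bossEventLoopGroup(boss)
            .workerEventLoopGroup(worker)
            .channelType(NioServerSocketChannel.class)
            .build();
    }

    /** Client: event loop group and channel type are supplied together. */
    static ManagedChannel buildChannel(String target, EventLoopGroup group) {
        return NettyChannelBuilder.forTarget(target)
            .eventLoopGroup(group)
            .channelType(NioSocketChannel.class)
            .usePlaintext()   // demo only; production gRPC traffic should use TLS
            .build();
    }

    public static void main(String[] args) throws Exception {
        EventLoopGroup boss = new NioEventLoopGroup(1);
        EventLoopGroup worker = new NioEventLoopGroup();
        EventLoopGroup clientGroup = new NioEventLoopGroup();

        Server server = buildServer(0, boss, worker).start();
        ManagedChannel channel = buildChannel("localhost:" + server.getPort(), clientGroup);
        System.out.println("server listening on port " + server.getPort());

        // Partial configuration: a channel type without the event loop groups.
        // Per the release note this is rejected with an IllegalStateException rather than
        // silently mixing a caller-supplied channel type with the default groups.
        try {
            NettyServerBuilder.forPort(0).channelType(NioServerSocketChannel.class).build();
            System.out.println("unexpected: partial configuration was accepted");
        } catch (IllegalStateException expected) {
            System.out.println("rejected partial configuration: " + expected.getMessage());
        }

        channel.shutdownNow();
        server.shutdownNow();
        boss.shutdownGracefully();
        worker.shutdownGracefully();
        clientGroup.shutdownGracefully();
    }
}
```

When upgrading, grep your builder call sites for channelType(, eventLoopGroup(, bossEventLoopGroup( and workerEventLoopGroup(: any builder that sets some but not all of them will now fail at build time instead of starting.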
