gRPC Java 1.22.2 is released and available on Maven Central and JCenter. https://github.com/grpc/grpc-java/releases/tag/v1.22.2
This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.

Bug fixes

- netty: Limit number of frames a client can cause the server to enqueue (#6056 <https://github.com/grpc/grpc-java/pull/6056>). Addresses CVE-2019-9515 (Settings flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) nor CVE-2019-9514 (Reset flood), the fix provides protections against these attacks as well
- core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048 <https://github.com/grpc/grpc-java/pull/6048>). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 <https://github.com/googleapis/google-cloud-java/issues/5810> and googleapis/google-cloud-java#5801 <https://github.com/googleapis/google-cloud-java/issues/5801>