All older versions of protobuf-java are vulnerable to a DoS when parsing a
malicious protobuf message. Users of protobuf-java and protobuf-kotlin,
which includes non-Android grpc-java and non-Android grpc-kotlin users,
should upgrade to protobuf-java 3.16.1, 3.18.2, or 3.19.2. See the protobuf
advisory at
<https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67>.

protobuf-javalite and protobuf-kotlin-lite are not impacted, which means
the majority of Android usages should not be impacted. Protobuf-kotlin is
impacted because it has a dependency on protobuf-java.

You can use `mvn dependency:tree` (Maven),
`gradle dependencies --configuration runtimeClasspath` (Java plugin Gradle), or
`gradle dependencies --configuration releaseRuntimeClasspath` (Android Gradle)
to determine the version of protobuf-java being used.
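Added here as a small checker, not code from the advisory or the gRPC project: it scans saved `mvn dependency:tree` or `gradle dependencies` output for protobuf-java versions below the fixed releases named above (3.16.1, 3.18.2, 3.19.2), treating the Gradle "declared -> resolved" form as the resolved version. The sample reports are constructed.

```python
import re

# Fixed releases from the advisory. A version is safe if it is at least 3.19.2
# or at least the fix on its own minor line; minor lines without a fix (3.17.x)
# and everything older are vulnerable.
FIXED_BY_MINOR = {16: (3, 16, 1), 18: (3, 18, 2)}
LATEST_FIX = (3, 19, 2)

# Matches Maven ("g:a:jar:1.2.3:compile") and Gradle ("g:a:1.2.3 -> 1.2.4")
# report lines for protobuf-java only; protobuf-javalite and -util do not match.
LINE_RE = re.compile(
    r"com\.google\.protobuf:protobuf-java(?::jar)?:(?P<declared>\d+\.\d+\.\d+)"
    r"(?:\s*->\s*(?P<resolved>\d+\.\d+\.\d+))?"
)

def parse_version(text):
    return tuple(int(p) for p in text.split(".")[:3])

def is_vulnerable(version):
    if version >= LATEST_FIX:
        return False
    fix = FIXED_BY_MINOR.get(version[1]) if version[0] == 3 else None
    return fix is None or version < fix

def find_vulnerable(report):
    """Resolved protobuf-java versions in a dependency report that are vulnerable."""
    found = []
    for line in report.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Gradle prints "declared -> resolved"; the resolved one is on the classpath.
            effective = parse_version(m.group("resolved") or m.group("declared"))
            if is_vulnerable(effective) and effective not in found:
                found.append(effective)
    return found

# Constructed sample reports (not real project output).
SAMPLE_MAVEN = """\
[INFO] com.example:service:jar:1.0.0
[INFO] +- io.grpc:grpc-protobuf:jar:1.43.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.19.1:compile
[INFO] \\- com.google.protobuf:protobuf-javalite:jar:3.19.1:compile
"""
SAMPLE_GRADLE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
\\--- io.grpc:grpc-protobuf:1.43.0
     \\--- com.google.protobuf:protobuf-java:3.17.3 -> 3.19.2
"""

if __name__ == "__main__":
    for name, report in (("maven", SAMPLE_MAVEN), ("gradle", SAMPLE_GRADLE)):
        print(name, [".".join(map(str, v)) for v in find_vulnerable(report)])
```

Pipe the real report into a file and pass its contents to `find_vulnerable`; an empty result means every resolved protobuf-java on that classpath is at or above a fixed release.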

-----

Users of com.google.cloud:libraries-bom should upgrade to 24.1.2, which
selects the newer protobuf version.

Other impacted gRPC users should add an explicit dependency on the newer
version of protobuf-java to override the grpc-suggested version. Maven
users are also encouraged to use Maven Enforcer's requireUpperBoundDeps to
detect version downgrades.

gRPC will be releasing patch releases that bump the protobuf version to aid
pushing the vulnerable protobuf-java versions out of the ecosystem.
Upgrading to these also resolves the issue, although Maven users must use
requireUpperBoundDeps or manually verify the results with dependency:tree.
