Are there any POCs or steps to reproduce this vulnerability in gRPC that can be 
provided? And what operations can users take to reduce the risk of attack at 
present?

On Thursday, October 26, 2023 at 04:26:11 UTC+8, <veb...@google.com> wrote:

> gRPC C++, Python, and Ruby will soon have a 1.59.2 patch release to 
> address CVE-2023-44487. Thus, 1.60 or later will have this fix.
> gRPC ObjC and PHP are not affected by this CVE because they do not support 
> the server feature that has the vulnerability.
>
>
> On Tuesday, October 24, 2023 at 6:56:22 AM UTC-7 Hemant Jain wrote:
>
>> I see there's a PR for the same: https://github.com/grpc/grpc/pull/34763. 
>> Does this take care of the Python module too?
>>
>> On Monday, October 23, 2023 at 9:25:59 AM UTC+5:30 yh zhou wrote:
>>
>>> I'm also looking for the same information. It would be of great help if 
>>> anyone could reply with something effective. Thanks.
>>>
>>> -zhouyh
>>> On Wednesday, October 11, 2023 at 15:14:58 UTC+8, Mikko Rantanen wrote:
>>>
>>>> Hey!
>>>>
>>>> We have tried to find some sort of official clarification on 
>>>> whether/how gRPC is affected by CVE-2023-44487. Is there more information 
>>>> on this somewhere?
>>>>
>>>> The closest related thing we could find were recent changes to 
>>>> concurrent streams and RST_STREAM: 
>>>> https://github.com/grpc/grpc/commit/6a49e953a4df6ea8aa4378de575b0a7a59421f30,
>>>>  
>>>> but even that doesn't reference CVE-2023-44487 in any way, so not sure if 
>>>> that is relevant here.
>>>>
>>>> - Mikko
>>>>
>>>
