
Update dependency grpcio to v1.53.2 [SECURITY] #353

Open. Wants to merge 1 commit into base: main.

Conversation

renovate[bot] (Contributor) commented Dec 16, 2024

This PR contains the following updates:

Package: grpcio
Change: ==1.47.0 -> ==1.53.2

GitHub Vulnerability Alerts

CVE-2023-32731

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309

CVE-2023-1428

There exists a vulnerability causing an abort() to be called in gRPC.
The following headers cause gRPC's C++ implementation to abort() when called via http2:

  • te: x (x != trailers)
  • :scheme: x (x != http, https)
  • grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

CVE-2023-32732

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309.

CVE-2023-33953

gRPC contains a vulnerability whereby hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DOS attacks:

  • Unbounded memory buffering in the HPACK parser
  • Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

  • The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
  • HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
  • gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…

Release Notes

grpc/grpc (grpcio)

v1.53.2

This is release gRPC Core 1.53.2 (glockenspiel).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

v1.53.1

This is release gRPC Core 1.53.1 (glockenspiel).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

v1.53.0

This is release 1.53.0 (glockenspiel) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • xDS: fix crash when removing the last endpoint from the last locality in weighted_target. (#32592)
  • filter stack: pass peer name up via recv_initial_metadata batch. (#31933)
  • [EventEngine] Add advice against blocking work in callbacks. (#32397)
  • [http2] Don't drop connections on metadata limit exceeded. (#32309)
  • xDS: reject aggregate cluster with empty cluster list. (#32238)
  • Fix Python epoll1 Fork Support. (#32196)
  • server: introduce ServerMetricRecorder API and move per-call reporting from a C++ interceptor to a C-core filter. (#32106)
  • [EventEngine] Add invalid handle types to the public API. (#32202)
  • [EventEngine] Refactoring the EventEngine Test Suite: Part 1. (#32127)
  • xDS: fix WeightedClusters total weight handling. (#32134)

C++

  • Update minimum MSVC version to 2019. (#32615)
  • Use CMake variables for paths in pkg-config files. (#31671)

C#

  • Grpc.Tools: Use x86 protoc binaries on arm64 Windows. (#32017)

Ruby

  • [ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6. (#32089)

v1.52.0

This is release 1.52.0 (gribkoff) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • [༺ EventEngine ༻] Specify requirements for Run* immediate execution. (#32028)
  • Tracing: Add annotations for when call is removed from resolver result queue and lb pick queue. (#31913)
  • ring_hash LB: cap ring size to 4096 with channel arg to override. (#31692)

C++

  • Cmake add separate export for plugin targets. (#31525)

C#

  • Add internal documentation for Grpc.Tools MSBuild integration. (#31784)

Python

  • Change Aio abort() function return type to NoReturn. (#31984)
  • Change the annotated return type of UnaryStreamCall and StreamStreamCall from AsyncIterable to AsyncIterator. (#31906)
  • Build native MacOS arm64 artifacts (universal2). (#31747)
  • Respect CC variable in grpcio python build. (#26480)
  • Revert "Build with System OpenSSL on Mac OS arm64 (#31096)". (#31741)

Ruby

  • Backport "[ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6 #32089" to v1.52.x. (#32157)
  • remove some default allocators. (#30434)
  • Fix Ruby build errors in 3.2.0 on Apple M1. (#31997)
  • [Ruby] build: make exported symbol files platform-specific. (#31970)

v1.51.3

This is release gRPC Core 1.51.3 (galaxy).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.

Python

  • Backport of #31747 to v1.51.x (Build native MacOS arm64 artifacts (universal2)) (#32424)

v1.51.1

This is release gRPC Core 1.51.1 (galaxy).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

v1.51.0

This is release gRPC Core 1.51.0 (galaxy).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

Core

  • Bump core version 2022110. (#31585)
  • c-ares DNS resolver: fix logical race between resolution timeout/cancellation and fd readability. (#31443)
  • [log] Longer space for filenames. (#31432)
  • c-ares DNS resolver: remove unnecessary code in SRV callback. (#31426)
  • Correct the domain-socket client address read out from the ServerContext. (#31108)
  • outlier detection: remove env var protection. (#31251)
  • EventEngineFactoryReset - remove custom factory and reset default engine. (#30554)
  • [tls] Remove support for pthread tls. (#31040)

C++

  • Added version macros to gRPC C++. (#31033)
  • OpenCensus: Move measures, views and CensusContext to include file. (#31341)
  • GcpObservability: Add experimental public target. (#31339)

C#

  • Fix msbuild failing when '@' is present in path (2nd attempt). (#31527)
  • Revert "Fix msbuild failing when '@' is present in path". (#31464)
  • Fix msbuild failing when '@' is present in path. (#31133)

Python

  • Fix lack of cooldown between poll attempts. (#31550)
  • Build with System OpenSSL on Mac OS arm64. (#31096)
  • Remove enum and future. (#31381)
  • [Remove Six] Remove dependency on six. (#31340)
  • Update xds-protos package to pull in protobuf 4.X. (#31113)

v1.50.0

This is release gRPC Core 1.50.0 (galley).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Derive EventEngine from std::enable_shared_from_this. (#31060)
  • Revert "Revert "[chttp2] fix stream leak with queued flow control update and absence of writes (#30907)" (#30991)". (#30992)
  • [chttp2] fix stream leak with queued flow control update and absence of writes. (#30907)
  • Remove gpr_codegen. (#30899)
  • client_channel: allow LB policy to communicate update errors to resolver. (#30809)
  • FaultInjection: Fix random number generation. (#30623)

C++

  • OpenCensus Plugin: Add measure and views for started RPCs. (#31034)

v1.49.1

This is release 1.49.1 (gamma) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

All

  • Update protobuf to v21.6 on 1.49.x. (#31028)

v1.49.0

This is release 1.49.0 (gamma) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Backport: "stabilize the C2P resolver URI scheme" to v1.49.x. (#30654)
  • Bump core version. (#30588)
  • Update OpenCensus to HEAD. (#30567)
  • Update protobuf submodule to 3.21.5. (#30548)
  • Update third_party/protobuf to 3.21.4. (#30377)
  • [core] Remove GRPC_INITIAL_METADATA_CORKED flag. (#30443)
  • HTTP2: Fix keepalive time throttling. (#30164)
  • Use AnyInvocable in EventEngine APIs. (#30220)

v1.48.2

This is release 1.48.2 (garum) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

All

  • Update protobuf to v3.19.5 on v1.48.x. (#31029)

v1.48.1

This is release 1.48.1 (garum) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Backport EventEngine Forkables. (#30605)

v1.48.0

This is release 1.48.0 (garum) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Upgrade Abseil to LTS 2022062.0. (#30155)
  • Call: Send cancel op down the stack even when no ops are sent. (#30004)
  • FreeBSD system roots implementation. (#29436)
  • xDS: Workaround to get gRPC clients working with istio. (#29841)

Python

  • Set Correct Platform Tag in Wheels on Mac OS with Python 3.10. (#29857)
  • [Aio] Ensure Core channel closes when deallocated. (#29797)
  • [Aio] Fix the wait_for_termination return value. (#29795)

Ruby

  • Make the gem build on TruffleRuby. (#27660)
  • Support for prebuilt Ruby binary on x64-mingw-ucrt platform. (#29684)
  • [Ruby] Add ruby_abi_version to exported symbols. (#28976)

Objective-C

First developer preview of XCFramework binary distribution via Cocoapod (#28749).

This brings in significant speed up to local compile time and includes support for Apple Silicon build.

  • The following binary pods are made available for ObjC V1 & V2 API
    • gRPC-XCFramework (source pod gRPC)
    • gRPC-ProtoRPC-XCFramework (source pod gRPC-ProtoRPC)
  • The following platforms and architectures are included
    • ios: armv7, arm64 for device. arm64, i386, x86_64 for simulator
    • macos: x86_64 (Intel), arm64 (Apple Silicon)

v1.47.5

This is release 1.47.5 (gridman) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.

Python

  • Backport of #31747 to v1.47.x (Build native MacOS arm64 artifacts (universal2)) (#32446)

v1.47.2

This is release 1.47.2 (gridman) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

All

  • Update protobuf to v3.19.5 on v1.47.x. (#31031)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
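The CVE-2023-33953 text in the PR body names two unbounded-buffering conditions in the HPACK path: a varint that may carry any number of redundant leading zero groups, and a metadata size limit that was checked per frame rather than across a whole HEADERS/CONTINUATION sequence. The Python model below is an added example for this page, not code from grpc/grpc, grpcio or Renovate. It implements the RFC 7541 section 5.1 integer encoding, shows a textbook decoder whose work is proportional to whatever the peer sends, a bounded decoder that stops after a fixed number of continuation bytes, and a header-block accumulator that can check either per fragment or cumulatively. The 32-bit integer width, the five-byte continuation bound and the 8 KiB block limit are assumptions chosen for the demonstration, not gRPC's own constants.

```python
"""HPACK integer decoding and header-block buffering with explicit bounds.

Added example, not code from grpc/grpc, grpcio or Renovate. Models two of the
unbounded-buffering conditions in the CVE-2023-33953 text: RFC 7541 s5.1
integers accept any number of redundant 0x80 continuation bytes (zero groups
with the "more" bit set) before the last byte, and a metadata limit checked
per frame does not bound the total across HEADERS plus CONTINUATION frames.
The integer width and size limits below are assumptions for the demo.
"""
from typing import Iterable, Tuple

MAX_INT = (1 << 32) - 1        # assumed integer width for the bounded decoder
MAX_CONTINUATION_BYTES = 5     # ceil(32 / 7): enough for any 32-bit value
HEADER_BLOCK_LIMIT = 8 * 1024  # assumed limit on one whole header block


class HpackDecodeError(ValueError):
    """Raised when input violates a bound the decoder enforces."""


def encode_integer(value: int, prefix_bits: int, leading_zero_bytes: int = 0) -> bytes:
    """RFC 7541 s5.1 encoder. leading_zero_bytes adds redundant zero-valued
    continuation groups at the most significant end of the multi-byte form:
    still spec-valid, same decoded value, arbitrarily long (the quirk)."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([value])          # single-byte form, nothing to pad
    rest, groups = value - max_prefix, []   # 7-bit groups, least significant first
    while True:
        groups.append(rest & 0x7F)
        rest >>= 7
        if rest == 0:
            break
    groups.extend([0] * leading_zero_bytes)
    out = bytearray([max_prefix])
    out.extend(g | 0x80 for g in groups[:-1])   # "more" bit on all but the last
    out.append(groups[-1])
    return bytes(out)


def decode_integer_unbounded(data: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    """Textbook decoder: reads until the "more" bit is clear. Returns
    (value, next_pos); the work done is whatever the peer chose to send."""
    max_prefix = (1 << prefix_bits) - 1
    value, pos = data[pos] & max_prefix, pos + 1
    if value < max_prefix:
        return value, pos
    shift = 0
    while True:
        if pos >= len(data):
            raise HpackDecodeError("truncated integer")
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_integer_bounded(data: bytes, pos: int, prefix_bits: int,
                           max_continuation: int = MAX_CONTINUATION_BYTES) -> Tuple[int, int]:
    """Same wire format, but stops after max_continuation bytes (more than any
    value up to MAX_INT needs) and rejects values above MAX_INT, so the work
    per integer is bounded by a constant regardless of the input."""
    max_prefix = (1 << prefix_bits) - 1
    value, pos = data[pos] & max_prefix, pos + 1
    if value < max_prefix:
        return value, pos
    shift = 0
    for _ in range(max_continuation):
        if pos >= len(data):
            raise HpackDecodeError("truncated integer")
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if value > MAX_INT:
                raise HpackDecodeError("integer exceeds the assumed 32-bit width")
            return value, pos
    raise HpackDecodeError(f"more than {max_continuation} continuation bytes")


def buffer_header_block(fragments: Iterable[bytes], limit: int = HEADER_BLOCK_LIMIT,
                        cumulative: bool = True) -> int:
    """Buffer one header block (HEADERS plus CONTINUATION fragments) and return
    the bytes held. cumulative=False is the per-frame check from the advisory:
    each fragment is compared to the limit alone, so fragments just under it
    pile up without bound. cumulative=True checks the running total."""
    total = 0
    for fragment in fragments:
        size = total + len(fragment) if cumulative else len(fragment)
        if size > limit:
            raise HpackDecodeError(f"header block exceeds {limit} bytes")
        total += len(fragment)
    return total
```

With the constructed input `encode_integer(1337, 5, leading_zero_bytes=1000)` (1003 bytes), `decode_integer_unbounded` walks every byte and still returns 1337, while `decode_integer_bounded` raises after the fifth continuation byte; with ten constructed 7000-byte fragments, `buffer_header_block(frames, cumulative=False)` reports 70000 bytes held against an 8 KiB limit, and the cumulative check raises on the second fragment. Note that `decode_integer_bounded(encode_integer(MAX_INT, 5), 0, 5)` still succeeds, which is the property that justifies the five-byte bound.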

renovate[bot] changed the title "Update dependency grpcio to v1.53.2 [SECURITY]" to "Update dependency grpcio to v1.53.2 [SECURITY] - autoclosed" on Jan 9, 2025
renovate[bot] closed this on Jan 9, 2025
renovate[bot] deleted the renovate/pypi-grpcio-vulnerability branch on January 9, 2025 22:33
renovate[bot] changed the title "Update dependency grpcio to v1.53.2 [SECURITY] - autoclosed" to "Update dependency grpcio to v1.53.2 [SECURITY]" on Jan 14, 2025
renovate[bot] reopened this on Jan 14, 2025
renovate[bot] force-pushed the renovate/pypi-grpcio-vulnerability branch from 7ec123b to f08fb72 on January 14, 2025 14:41