When the gRPC HTTP/2 stack raised a header-size-exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations in that frame to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309
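The desynchronization the advisory describes, modelled in Go as an added example (this is not grpc-go's or grpc's own HPACK code, and uses a toy dynamic table rather than the HPACK wire format): `Decode` with `skipRestOnError` set models the vulnerable decoder that stops at the size error, and with it unset models the fix, which keeps applying table mutations while still rejecting the oversized header list. The header names, values and the 64-byte limit are constructed for the demonstration.

```go
package main
import "errors"

// Header is one name/value pair; Table is a toy HPACK dynamic table (newest entry is index 1).
type Header struct{ Name, Value string }
type Table struct{ entries []Header }
// Rep is a simplified HPACK field representation: a dynamic-table reference
// (Index > 0) or a literal, optionally added to the table (incremental indexing).
type Rep struct {
	Index      int
	Literal    Header
	AddToTable bool
}
var ErrHeaderListTooLarge = errors.New("header list size exceeded")
// Decode applies one header block to t. With skipRestOnError it stops at the first size
// violation (the vulnerable behaviour), losing later table mutations; otherwise it keeps going.
func Decode(t *Table, block []Rep, maxSize int, skipRestOnError bool) ([]Header, error) {
	var out []Header
	size := 0
	for _, r := range block {
		h := r.Literal
		if r.Index > 0 {
			h = t.entries[r.Index-1]
		} else if r.AddToTable {
			t.entries = append([]Header{h}, t.entries...)
		}
		size += len(h.Name) + len(h.Value) + 32 // entry size, RFC 7541 section 4.1
		if size > maxSize && skipRestOnError {
			return nil, ErrHeaderListTooLarge // rest of block, and its mutations, skipped
		}
		out = append(out, h)
	}
	if size > maxSize {
		return nil, ErrHeaderListTooLarge // rejected, but the table stayed in sync
	}
	return out, nil
}
// Scenario replays an oversized block that still adds "bob" after the limit is hit, then a
// block referencing index 1. The sender's own table has "bob" at index 1.
func Scenario(skipRestOnError bool) Header {
	t := &Table{}
	first := []Rep{
		{Literal: Header{"x-client-id", "alice"}, AddToTable: true},
		{Literal: Header{"x-padding", string(make([]byte, 100))}}, // exceeds maxSize 64
		{Literal: Header{"x-client-id", "bob"}, AddToTable: true},
	}
	Decode(t, first, 64, skipRestOnError) // errors either way; table state differs
	hs, _ := Decode(t, []Rep{{Index: 1}}, 1<<20, skipRestOnError)
	return hs[0]
}
```

With the vulnerable decoder the follow-up reference to index 1 resolves to the stale "alice" entry instead of the "bob" entry the sender meant, which is the cross-client header confusion the advisory warns about.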
Release Notes
grpc/grpc-go
### [`v1.53.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.53.0): Release 1.53.0
[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.3...v1.53.0)
### API Changes
- balancer: support injection of per-call metadata from LB policies ([#5853](https://togithub.com/grpc/grpc-go/issues/5853))
- resolver: remove deprecated field `resolver.Target.Endpoint` and replace with `resolver.Target.Endpoint()` ([#5852](https://togithub.com/grpc/grpc-go/issues/5852))
- Special Thanks: [@kylejb](https://togithub.com/kylejb)
### New Features
- xds/ringhash: introduce `GRPC_RING_HASH_CAP` environment variable to override the maximum ring size. ([#5884](https://togithub.com/grpc/grpc-go/issues/5884))
- rls: propagate headers received in RLS response to backends ([#5883](https://togithub.com/grpc/grpc-go/issues/5883))
### Bug Fixes
- transport: drain client transport when streamID approaches MaxStreamID ([#5889](https://togithub.com/grpc/grpc-go/issues/5889))
- server: after GracefulStop, ensure connections are closed when final RPC completes ([#5968](https://togithub.com/grpc/grpc-go/issues/5968))
- server: fix a few issues where grpc server uses RST_STREAM for non-HTTP/2 errors ([#5893](https://togithub.com/grpc/grpc-go/issues/5893))
- xdsclient: fix race which can happen when multiple load reporting calls are made at the same time. ([#5927](https://togithub.com/grpc/grpc-go/issues/5927))
- rls: fix a data race involving the LRU cache ([#5925](https://togithub.com/grpc/grpc-go/issues/5925))
- xds: fix panic involving double close of channel in xDS transport ([#5959](https://togithub.com/grpc/grpc-go/issues/5959))
- gcp/observability: update method name validation ([#5951](https://togithub.com/grpc/grpc-go/issues/5951))
### Documentation
- credentials/oauth: mark `NewOauthAccess` as deprecated ([#5882](https://togithub.com/grpc/grpc-go/issues/5882))
- Special Thanks: [@buzzsurfr](https://togithub.com/buzzsurfr)
### [`v1.52.3`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.3): Release 1.52.3
[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.1...v1.52.3)
### Bug Fixes
- Fix user-agent version
### [`v1.52.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.1): Release 1.52.1
[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.0...v1.52.1)
### Bug Fixes
- grpclb: rename grpclbstate package back to state ([#5963](https://togithub.com/grpc/grpc-go/issues/5963))
### [`v1.52.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.0): Release 1.52.0
[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.51.0...v1.52.0)
### New Features
- xdsclient: log node ID with verbosity INFO ([#5860](https://togithub.com/grpc/grpc-go/issues/5860))
- ringhash: impose cap on `max_ring_size` to reduce possibility of OOMs ([#5801](https://togithub.com/grpc/grpc-go/issues/5801))
### Behavior Changes
- client: return an error from `Dial` if an empty target is passed and no custom dialer is present; the ClientConn would otherwise be unable to connect and perform RPCs ([#5732](https://togithub.com/grpc/grpc-go/issues/5732))
- Special Thanks: [@huangchong94](https://togithub.com/huangchong94)
### Bug Fixes
- transport (net/http server handler): respond to bad HTTP requests with status 400 (Bad Request) instead of 500 (Internal Server Error). ([#5804](https://togithub.com/grpc/grpc-go/issues/5804))
- Special Thanks: [@sjbarag](https://togithub.com/sjbarag)
- transport: Fixed closing a closed channel panic in handlePing ([#5854](https://togithub.com/grpc/grpc-go/issues/5854))
- server: fix ChainUnaryInterceptor and ChainStreamInterceptor to allow retrying handlers ([#5666](https://togithub.com/grpc/grpc-go/issues/5666))
- Special Thanks: [@yiminc](https://togithub.com/yiminc)
- transport: ensure value of `:authority` header matches server name used in TLS handshake when the latter is overridden by the name resolver ([#5748](https://togithub.com/grpc/grpc-go/issues/5748))
- Special Thanks: [@holdno](https://togithub.com/holdno)
### Documentation
- examples: add an example to illustrate the usage of stats handler ([#5657](https://togithub.com/grpc/grpc-go/issues/5657))
- Special Thanks: [@Yash-Handa](https://togithub.com/Yash-Handa)
- examples: add new example to show updating metadata in interceptors ([#5788](https://togithub.com/grpc/grpc-go/issues/5788))
- Special Thanks: [@richzw](https://togithub.com/richzw)
### [`v1.51.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.51.0): Release 1.51.0
[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.50.1...v1.51.0)
### Behavior Changes
- xds: NACK EDS resources with duplicate addresses in accordance with a recent spec change ([#5715](https://togithub.com/grpc/grpc-go/issues/5715))
- Special Thanks: [@erni27](https://togithub.com/erni27)
- grpc: restrict status codes that can be generated by the control plane (gRFC A54) ([#5653](https://togithub.com/grpc/grpc-go/issues/5653))
### New Features
- client: set grpc-accept-encoding header with all registered compressors ([#5541](https://togithub.com/grpc/grpc-go/issues/5541))
- Special Thanks: [@jronak](https://togithub.com/jronak)
- xds/weightedtarget: return a more meaningful error when all child policies are in `TRANSIENT_FAILURE` ([#5711](https://togithub.com/grpc/grpc-go/issues/5711))
- gcp/observability: add "started rpcs" metric ([#5768](https://togithub.com/grpc/grpc-go/issues/5768))
- xds: de-experimentalize the google-c2p-resolver ([#5707](https://togithub.com/grpc/grpc-go/issues/5707))
- balancer: add experimental Producer types and methods ([#5669](https://togithub.com/grpc/grpc-go/issues/5669))
- orca: provide a way for LB policies to receive OOB load reports ([#5669](https://togithub.com/grpc/grpc-go/issues/5669))
### Bug Fixes
- go.mod: upgrade x/text dependency to address [CVE 2022-32149](https://www.cve.org/CVERecord?id=CVE-2022-32149) ([#5769](https://togithub.com/grpc/grpc-go/issues/5769))
- client: fix race that could lead to an incorrect connection state if it was closed immediately after the server's HTTP/2 preface was received ([#5714](https://togithub.com/grpc/grpc-go/issues/5714))
- Special Thanks: [@fuweid](https://togithub.com/fuweid)
- xds: ensure sum of the weights of all EDS localities at the same priority level does not exceed uint32 max ([#5703](https://togithub.com/grpc/grpc-go/issues/5703))
- Special Thanks: [@erni27](https://togithub.com/erni27)
- client: fix binary logging bug which logs a server header on a trailers-only response ([#5763](https://togithub.com/grpc/grpc-go/issues/5763))
- balancer/priority: fix a bug where unreleased references to removed child policies (and associated state) was causing a memory leak ([#5682](https://togithub.com/grpc/grpc-go/issues/5682))
- xds/google-c2p: validate URI schema for no authorities ([#5756](https://togithub.com/grpc/grpc-go/issues/5756))
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates: v1.50.1 -> v1.53.0
GitHub Vulnerability Alerts: CVE-2023-32731