Open dependabot[bot] opened 12 months ago
Can one of the admins verify this patch?
@yogev-lb @rahman-lb info says this mitigates a "high" CVE. Thoughts?
@sagi-lb :
> info says this mitigates a "high" CVE. Thoughts?

yeah, well, it might be "high" if someone actually set MaxConcurrentStreams and then the gRPC library didn't enforce it. we never did set MaxConcurrentStreams so, AFAICT, this particular one doesn't affect our code.

it is debatable whether we should be explicitly setting MaxConcurrentStreams to begin with and if so - what the value should be, given that our gRPC server doesn't accept 3rd party internet traffic - doesn't accept any TCP traffic at all, for that matter, and not from anything other than a neighbouring trusted sidecar process or kubectl (or something with equally root access on the host).
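An added illustration (not code from this PR, from los-csi, or from grpc-go) of the limit named in the backported commit "server: prohibit more than MaxConcurrentStreams handlers from running at once": a per-connection semaphore that caps the number of running stream handlers, plus a simulated burst of streams that a peer opens and immediately resets. The stream count (500), the cap (100) and the 100 ms of per-handler work are constructed values; `streamLimiter` and `runBurst` are names assumed here, not grpc-go's. The point it shows is that resetting a stream does not stop a handler the server has already started, so without a cap the burst drives hundreds of handlers at once, while with the cap the server never runs more than the configured number.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// streamLimiter caps the number of stream handlers that may run at once on a
// connection. A nil semaphore means "unlimited": the server starts a handler
// for every stream the peer opens, no matter how many are already running.
// (Illustrative model only; this is not grpc-go's own limiter.)
type streamLimiter struct {
	sem chan struct{}
}

// newStreamLimiter returns a limiter allowing maxConcurrentStreams running
// handlers; 0 means no limit.
func newStreamLimiter(maxConcurrentStreams uint32) *streamLimiter {
	if maxConcurrentStreams == 0 {
		return &streamLimiter{}
	}
	return &streamLimiter{sem: make(chan struct{}, maxConcurrentStreams)}
}

// acquire blocks the server's stream-accept path until a handler slot is free.
func (l *streamLimiter) acquire() {
	if l.sem != nil {
		l.sem <- struct{}{}
	}
}

// release frees the slot when the handler returns.
func (l *streamLimiter) release() {
	if l.sem != nil {
		<-l.sem
	}
}

// runBurst models a peer that opens `streams` streams back to back and resets
// each one right after opening it. A reset does not undo a handler the server
// has already started, so every handler still runs for handlerWork. The return
// value is the peak number of handlers running at the same time, which is the
// quantity the MaxConcurrentStreams cap is supposed to bound.
func runBurst(limit *streamLimiter, streams int, handlerWork time.Duration) int64 {
	var running, peak int64
	var wg sync.WaitGroup
	for i := 0; i < streams; i++ {
		limit.acquire() // wait for a slot before spawning the handler goroutine
		wg.Add(1)
		go func() {
			defer wg.Done()
			defer limit.release()
			n := atomic.AddInt64(&running, 1)
			for { // record the high-water mark
				p := atomic.LoadInt64(&peak)
				if n <= p || atomic.CompareAndSwapInt64(&peak, p, n) {
					break
				}
			}
			time.Sleep(handlerWork) // the handler's own work; the peer's reset does not cancel it
			atomic.AddInt64(&running, -1)
		}()
	}
	wg.Wait()
	return peak
}

func main() {
	// Constructed scenario: 500 open-then-reset streams, 100 ms of work each.
	const streams, limit = 500, 100
	work := 100 * time.Millisecond
	fmt.Printf("no limit:  peak %d handlers running\n", runBurst(newStreamLimiter(0), streams, work))
	fmt.Printf("limit %d: peak %d handlers running\n", limit, runBurst(newStreamLimiter(limit), streams, work))
}
```

In a real grpc-go server the cap is configured with the `grpc.MaxConcurrentStreams(n)` server option; what changed in 1.56.3 is that the server holds the handler count to that cap rather than only advertising it in HTTP/2 SETTINGS. Whether the cap matters for a listener that only ever sees a trusted sidecar or kubectl is the question the thread above is weighing; the model only shows what the cap does once it is set.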
OK, so we can leave it alone for now. Thanks.
On Thu, 26 Oct 2023 at 10:58, solo @.***> wrote:
Bumps google.golang.org/grpc from 1.38.0 to 1.56.3.
Release notes
Sourced from google.golang.org/grpc's releases.
... (truncated)
Commits
- 1055b48 Update version.go to 1.56.3 (#6713)
- 5efd7bd server: prohibit more than MaxConcurrentStreams handlers from running at once...
- bd1f038 Upgrade version.go to 1.56.3-dev (#6434)
- faab873 Update version.go to v1.56.2 (#6432)
- 6b0b291 status: fix panic when servers return a wrapped error with status OK (#6374) ...
- ed56401 [PSM interop] Don't fail target if sub-target already failed (#6390) (#6405)
- cd6a794 Update version.go to v1.56.2-dev (#6387)
- 5b67e5e Update version.go to v1.56.1 (#6386)
- d0f5150 client: handle empty address lists correctly in addrConn.updateAddrs (#6354) ...
- 997c1ea Change version to 1.56.1-dev (#6345)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show