Closed del1g0r closed 7 months ago
This needs to vendor grpc >= 1.60
Thank you for your reply! Is there any plan to release the 1.60 version?
There is another reason to upgrade, which is a potential memory leak fixed in grpc v1.59: https://github.com/grpc/grpc-java/pull/10540. This has been reported as an issue when accessing Bigtable from Beam.
Also, grpc-alts has been added to the build: #29763 and needs a new vendor release.
The issue with not adding grpc-alts in vendor is that it depends on the same things that grpc does, and we run into conflicts in the types. For example, the grpc stubs take a channel; grpc-alts allows us to create an ALTS-secured channel, which we need for direct path.
What happened?
The beam-vendor-grpc-1_54_0 shades a vulnerable Netty version, 4.1.87.Final. It brings CVE-2023-44487 (Base Score: 7.5, High). JFrog Xray recommends updating it at least to version 4.1.100.Final. Could you please fix this vulnerability in the shaded jar, and also let us know when you are planning to release this?
https://github.com/apache/beam/blob/master/buildSrc/src/main/groovy/org/apache/beam/gradle/GrpcVendoring_1_54_0.groovy#L46
Issue Priority
Priority: 2 (default / most bugs should be filed as P2)
Issue Components
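As an added check for the report above (example code, not from this thread or the Beam project): a script that inspects a shaded jar for the version metadata Netty ships with itself and flags any bundled Netty artifact older than the recommended 4.1.100.Final. It assumes the shaded jar keeps `META-INF/io.netty.versions.properties` and/or `META-INF/maven/io.netty/<artifact>/pom.properties` through shading (an assumption about the vendor build), and builds its own constructed sample jar in memory.

```python
import io
import re
import zipfile

FIXED = "4.1.100.Final"  # floor recommended in the report for CVE-2023-44487
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.Final)?$")


def version_key(v):
    """Turn '4.1.87.Final' into (4, 1, 87) so versions compare numerically.
    Plain string comparison would wrongly rank '4.1.87' above '4.1.100'."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def netty_versions(jar_bytes):
    """Collect {artifact: version} for every Netty artifact bundled in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == "META-INF/io.netty.versions.properties":
                # Netty's own manifest: one 'netty-<module>.version=<ver>' per line
                for line in zf.read(name).decode().splitlines():
                    key, _, val = line.partition("=")
                    if key.endswith(".version") and val:
                        found[key[: -len(".version")]] = val.strip()
            elif name.startswith("META-INF/maven/io.netty/") and name.endswith("pom.properties"):
                # Maven metadata copied by the shade plugin (assumed to survive shading)
                props = dict(l.partition("=")[::2] for l in zf.read(name).decode().splitlines() if "=" in l)
                if "artifactId" in props and "version" in props:
                    found[props["artifactId"].strip()] = props["version"].strip()
    return found


def vulnerable_artifacts(jar_bytes, fixed=FIXED):
    """Return the bundled Netty artifacts whose version is below `fixed`."""
    floor = version_key(fixed)
    return {a: v for a, v in netty_versions(jar_bytes).items() if version_key(v) < floor}


def build_sample_jar(version):
    """Constructed minimal jar carrying Netty version metadata, for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/io.netty.versions.properties",
                    f"netty-codec-http2.version={version}\nnetty-handler.version={version}\n")
        zf.writestr("META-INF/maven/io.netty/netty-common/pom.properties",
                    f"version={version}\ngroupId=io.netty\nartifactId=netty-common\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(vulnerable_artifacts(build_sample_jar("4.1.87.Final")))
```

To run it against a real vendor jar, pass `open(path, "rb").read()` to `vulnerable_artifacts`; an empty result with no entries from `netty_versions` means the metadata was stripped, not that the jar is clean.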