fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

CVE-2023-44487 HTTP/2 rapid reset #939

Open tecnobrat opened 8 months ago

tecnobrat commented 8 months ago

There is an HTTP/2 vulnerability, CVE-2023-44487.

Golang has this issue in which they are tracking fixes: https://github.com/golang/go/issues/63417

I did a scan with Snyk, which returns:

✗ High severity vulnerability found in google.golang.org/grpc
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
  Introduced through: google.golang.org/grpc@1.50.1, github.com/mwitkow/grpc-proxy/proxy@#0f1106ef9c76, github.com/osrg/gobgp/v3/api@3.8.0, github.com/osrg/gobgp/v3/pkg/server@3.8.0, github.com/osrg/gobgp/v3/pkg/config@3.8.0
  From: google.golang.org/grpc@1.50.1
  From: github.com/mwitkow/grpc-proxy/proxy@#0f1106ef9c76 > google.golang.org/grpc@1.50.1
  From: github.com/osrg/gobgp/v3/api@3.8.0 > google.golang.org/grpc@1.50.1
  and 4 more...
  Fixed in: 1.56.3, 1.57.1, 1.58.3
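
As an added check, not part of this issue or of the fabio code base: a small Go program that reads a go.mod and flags a google.golang.org/grpc requirement older than the fixed releases quoted in the Snyk output above (1.56.3, 1.57.1, 1.58.3). The go.mod fragment is constructed, and it is assumed that branches after 1.58 were released with the fix.

```go
package main

import (
	"fmt"
	"strings"
)

// Patch releases quoted in the Snyk output above, keyed by minor branch.
var grpcFixedPatch = map[int]int{56: 3, 57: 1, 58: 3}

// parseSemver turns "v1.50.1" into [1 50 1]; pseudo-versions and pre-releases are rejected.
func parseSemver(v string) (p [3]int, ok bool) {
	if strings.ContainsAny(v, "-+") { // v0.0.0-<date>-<hash> carries no release number
		return p, false
	}
	n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &p[0], &p[1], &p[2])
	return p, err == nil && n == 3
}

// GrpcVulnerable reports whether a grpc version predates the CVE-2023-44487 fixes.
// Unparseable versions are treated as vulnerable so a pseudo-version never silently passes.
func GrpcVulnerable(version string) bool {
	p, ok := parseSemver(version)
	if !ok || p[0] != 1 {
		return !ok || p[0] < 1 // v0 pseudo-versions: unknown, so flag; v2+: assumed fixed
	}
	if fixed, known := grpcFixedPatch[p[1]]; known {
		return p[2] < fixed
	}
	return p[1] < 56 // 1.55 and older never got a fix; 1.59+ assumed released with it
}

// ScanGoMod locates the grpc requirement in go.mod text (single-line or block
// form, "// indirect" included) and returns its version and verdict.
func ScanGoMod(goMod string) (version string, vulnerable, found bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] == "google.golang.org/grpc" {
				return f[i+1], GrpcVulnerable(f[i+1]), true
			}
		}
	}
	return "", false, false
}

// SampleGoMod is a constructed fragment pinning the version Snyk flagged.
const SampleGoMod = "module example.com/app\n\ngo 1.20\n\nrequire (\n\tgithub.com/osrg/gobgp/v3 v3.8.0\n\tgoogle.golang.org/grpc v1.50.1 // indirect\n)\n"
```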

tristanmorgan commented 8 months ago

Could @dependabot help here?