fullstorydev / grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
MIT License

Security Vulnerability: Update grpc version to at least 1.58.3 #431

Closed RohanNagar closed 4 months ago

RohanNagar commented 7 months ago

Recently a CVE was discovered which affects the current version of grpc used by this tool.

https://github.com/advisories/GHSA-m425-mq94-257g

Please update google.golang.org/grpc to 1.58.3 or higher.

dragonsinth commented 7 months ago

But grpcurl doesn't act as an http server? So how are we actually vulnerable?

dragonsinth commented 7 months ago

In other words, I don't see any urgency on this. Dependabot will eventually push an update.

RohanNagar commented 7 months ago

Agreed that the vulnerability shouldn't actually affect grpcurl. Unfortunately, security scanners are flagging this for us so we are looking to have the package upgraded.

enakshipriya commented 4 months ago

+1

cheslz commented 4 months ago

+1. Please :)

dragonsinth commented 4 months ago

This was already fixed here: https://github.com/fullstorydev/grpcurl/pull/427

RohanNagar commented 4 months ago

@dragonsinth any idea when the next release will be?

dragonsinth commented 4 months ago

IDK, I guess we could do one soon. I figure anyone who super-cares can build from code using the latest Go, to also pull in any hypothetical Golang fixes.
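Since the thread turns on which grpc-go version a given grpcurl build actually contains, here is an added example (not code from this thread or from the grpcurl project) that reads the module list Go embeds in a binary, as printed by `go version -m <binary>`, and decides whether `google.golang.org/grpc` meets the 1.58.3 floor named in the issue. The sample report, its `(devel)` module version and the `h1:PLACEHOLDER` hashes are constructed; the real check is `go version -m "$(command -v grpcurl)"` piped into `grpc_is_patched`.

```shell
#!/bin/sh
# Added example: audit a built Go binary for the grpc-go version it was linked with.
# `go version -m <binary>` prints one tab-separated line per module:
#   <tab>dep<tab><module path><tab><version><tab><hash>
MIN_GRPC="1.58.3"   # minimum patched version requested in the issue

# ver_ge A B: succeed when semver A is >= B ("v" prefix optional on either side).
# A pre-release such as 1.58.3-rc1 ranks below the 1.58.3 release.
ver_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    split(a, x, /[.-]/); split(b, y, /[.-]/)
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    if (x[4] != "" && y[4] == "") exit 1   # same x.y.z but a is a pre-release
    exit 0
  }'
}

# grpc_version: read `go version -m` output on stdin, print the grpc dependency version.
grpc_version() {
  awk -F'\t' '$2 == "dep" && $3 == "google.golang.org/grpc" { print $4; exit }'
}

# grpc_is_patched "<go version -m output>": 0 if grpc >= MIN_GRPC, 1 if older, 2 if absent.
grpc_is_patched() {
  v=$(printf '%s\n' "$1" | grpc_version)
  if [ -z "$v" ]; then
    echo "google.golang.org/grpc not found in module list" >&2
    return 2
  fi
  ver_ge "$v" "$MIN_GRPC"
}

# sample <grpc version>: constructed `go version -m ./grpcurl` output (hashes are placeholders).
sample() {
  printf './grpcurl: go1.21.1\n'
  printf '\tpath\tgithub.com/fullstorydev/grpcurl/cmd/grpcurl\n'
  printf '\tmod\tgithub.com/fullstorydev/grpcurl\t(devel)\t\n'
  printf '\tdep\tgoogle.golang.org/grpc\t%s\th1:PLACEHOLDER\n' "$1"
}

# Demo over constructed reports; replace `sample "$v"` with
# `go version -m "$(command -v grpcurl)"` to audit an installed binary.
for v in v1.57.0 v1.58.3-rc1 v1.58.3 v1.60.1; do
  if grpc_is_patched "$(sample "$v")"; then
    echo "$v: patched (>= $MIN_GRPC)"
  else
    echo "$v: below $MIN_GRPC, still flagged by scanners"
  fi
done
```

The same report's first line shows the Go toolchain the binary was built with, which is the other thing the last comment suggests refreshing when building from source.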