Closed RohanNagar closed 4 months ago
But grpcurl doesn't act as an http server? So how are we actually vulnerable?
In other words, I don't see any urgency on this. Dependabot will eventually push an update.
Agreed that the vulnerability shouldn't actually affect grpcurl. Unfortunately, security scanners are flagging this for us so we are looking to have the package upgraded.
+1
+1 . Please :)
This was already fixed here: https://github.com/fullstorydev/grpcurl/pull/427
@dragonsinth any idea when the next release will be?
IDK, I guess we could do one soon. I figure anyone who super-cares can build from code using the latest Go, to also pull in any hypothetical Golang fixes.
Recently a CVE was discovered which affects the current version of grpc used by this tool.
https://github.com/advisories/GHSA-m425-mq94-257g
Please update
google.golang.org/grpc
to1.58.3
or higher.