This PR contains the following updates: grpcio `==1.50.0` -> `==1.53.0`
GitHub Vulnerability Alerts
CVE-2023-32731
When the gRPC HTTP/2 stack raised a header-size-exceeded error, it skipped parsing the rest of the HPACK frame. Any HPACK dynamic-table mutations in the skipped remainder were therefore never applied, leaving the HPACK tables of sender and receiver desynchronized. Leveraged between a proxy and a backend, where one HTTP/2 connection carries requests from many proxy clients, this could cause a request forwarded by the proxy to be interpreted by the backend as containing headers from a different proxy client, an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309 (shipped in v1.53.0, listed below as "[http2] Dont drop connections on metadata limit exceeded").
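To make the desynchronization concrete, here is a toy model, added as an illustration and not gRPC's code, of an HPACK encoder at a proxy and a decoder at a backend that share one connection. It omits the wire format, static table, Huffman coding and table eviction; the 8192-byte limit, the header names and the token values are constructed for the scenario. The vulnerable decoder stops at the first limit error, as the advisory describes; the fixed decoder models what any correct implementation must do to avoid the desync, which is to finish decoding the block, apply its table mutations, and fail only the request rather than the connection.

```python
"""Toy model of the HPACK dynamic-table desync behind CVE-2023-32731.

Simplified on purpose: no wire encoding, no static table, no Huffman coding,
no eviction. A header block is a list of instructions:
  ("idx", i)                indexed representation; i = 1 is the newest entry
  ("lit_idx", name, value)  literal with incremental indexing (adds an entry)
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]
MAX_METADATA_BYTES = 8192   # assumed receiver-side limit for one header block
ENTRY_OVERHEAD = 32         # per-entry overhead from RFC 7541 section 4.1


def entry_size(h: Header) -> int:
    return len(h[0]) + len(h[1]) + ENTRY_OVERHEAD


class Encoder:
    """Proxy side: one HPACK context shared by every client it forwards for."""

    def __init__(self) -> None:
        self.table: List[Header] = []          # position 0 is the newest entry

    def encode(self, headers: List[Header]) -> list:
        block = []
        for h in headers:
            if h in self.table:
                block.append(("idx", self.table.index(h) + 1))
            else:
                block.append(("lit_idx", h[0], h[1]))
                self.table.insert(0, h)        # the encoder always applies its mutation
        return block


class Decoder:
    """Backend side. vulnerable=True abandons the block on the first limit error."""

    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable
        self.table: List[Header] = []

    def decode(self, block: list) -> Tuple[Optional[List[Header]], Optional[str]]:
        headers: List[Header] = []
        total, error = 0, None
        for instr in block:
            if instr[0] == "idx":
                i = instr[1]
                if i > len(self.table):
                    # In real HTTP/2 this is a COMPRESSION_ERROR and the connection dies.
                    raise ValueError(f"index {i} out of range: tables are desynchronized")
                h = self.table[i - 1]
            else:
                h = (instr[1], instr[2])
            total += entry_size(h)
            if total > MAX_METADATA_BYTES and error is None:
                error = "metadata size exceeded"
                if self.vulnerable:
                    return None, error         # remaining instructions, and their mutations, skipped
            if instr[0] == "lit_idx":
                self.table.insert(0, h)        # keep the table in step with the encoder
            headers.append(h)
        return (None, error) if error else (headers, None)


def run_scenario(vulnerable: bool) -> List[Header]:
    """Three requests on one proxy->backend connection; returns what the backend
    believes the attacker's second request contained."""
    enc, dec = Encoder(), Decoder(vulnerable)

    # 1. Victim client C makes a normal call; both tables learn its credential.
    victim = [(":authority", "backend"), ("content-type", "application/grpc"),
              ("authorization", "Bearer token-C")]
    headers, err = dec.decode(enc.encode(victim))
    assert err is None and headers == victim

    # 2. Attacker sends an oversized header, then a marker header. The proxy adds
    #    both to its table; a vulnerable backend bails out before the marker and
    #    adds neither, so its table is now two entries behind the proxy's.
    attacker1 = [(":authority", "backend"), ("x-pad", "A" * 9000), ("x-marker", "1")]
    headers, err = dec.decode(enc.encode(attacker1))
    assert headers is None and err == "metadata size exceeded"

    # 3. Attacker reuses the marker. The proxy's newest entry is x-marker, so it
    #    emits index 1; a desynced backend's index 1 is still C's authorization.
    attacker2 = [("x-marker", "1"), (":authority", "attacker.example")]
    headers, err = dec.decode(enc.encode(attacker2))
    assert err is None
    return headers


if __name__ == "__main__":
    print("vulnerable backend decoded:", run_scenario(vulnerable=True))
    print("fixed backend decoded:     ", run_scenario(vulnerable=False))
```

With the vulnerable decoder the attacker's second request is decoded as carrying the victim's `authorization` header, which is the "headers from different proxy clients" outcome the advisory describes; with the fixed decoder the same bytes decode to exactly what the proxy sent. In a real deployment a desync that happens to hit an out-of-range index instead surfaces as a connection-level compression error, so unexplained COMPRESSION_ERROR GOAWAYs between a proxy and an older gRPC backend are worth a second look.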
CVE-2023-1428
There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when received over HTTP/2:
te: x (x != trailers)
:scheme: x (x != http, https)
grpclb_client_stats: x (x == anything)
On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.
CVE-2023-32732
gRPC contains a vulnerability whereby a client can cause termination of the connection between an HTTP/2 proxy and a gRPC server: a -bin suffixed header whose value does not decode as base64 results in a disconnection by the gRPC server, although such headers are typically passed through unchanged by HTTP/2 proxies. Since the proxy usually multiplexes many clients over that one connection, a single malformed request can disrupt all of them. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309.
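Both CVE-2023-1428 and CVE-2023-32732 depend on request shapes that a proxy can recognise before forwarding, so a stop-gap for a fleet that cannot upgrade immediately is to fail such requests at the proxy. The following pre-filter is an added example, not gRPC's or any proxy's code: it flags a header block that contains one of the three headers listed above followed by enough metadata to pass 8KB (sizes are approximated with HPACK entry accounting, which is an assumption about how gRPC counts metadata), and any -bin header whose value is not valid base64 (unpadded base64 is accepted, as gRPC permits). The sample header blocks are constructed for the demo.

```python
"""Proxy-side pre-filter for the header shapes in CVE-2023-1428 and
CVE-2023-32732, so they are rejected before reaching an unpatched gRPC backend.
A header block is an ordered list of (name, value) pairs with lowercase names,
as HTTP/2 delivers them."""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]
METADATA_LIMIT = 8 * 1024   # "past 8KB" in the advisory
ENTRY_OVERHEAD = 32         # HPACK per-entry overhead (RFC 7541 section 4.1); assumed size model


def is_valid_grpc_base64(value: str) -> bool:
    """gRPC -bin metadata is base64 and senders may omit '=' padding, so pad first."""
    padded = value + "=" * (-len(value) % 4)
    try:
        base64.b64decode(padded, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def abort_trigger(name: str, value: str) -> Optional[str]:
    """The three header shapes the CVE-2023-1428 advisory lists, or None."""
    if name == "te" and value != "trailers":
        return f"te: {value}"
    if name == ":scheme" and value not in ("http", "https"):
        return f":scheme: {value}"
    if name == "grpclb_client_stats":
        return "grpclb_client_stats present"
    return None


def backend_hazards(headers: List[Header]) -> List[str]:
    """One finding per condition that would crash or disconnect a vulnerable backend."""
    findings: List[str] = []
    trigger: Optional[str] = None
    abort_reported = False
    size = 0
    for name, value in headers:
        trigger = trigger or abort_trigger(name, value)
        size += len(name) + len(value) + ENTRY_OVERHEAD
        # The abort needs a trigger header *and* later bytes that push the block past the limit.
        if trigger and size > METADATA_LIMIT and not abort_reported:
            findings.append(f"CVE-2023-1428: {trigger} followed by {size} bytes of metadata")
            abort_reported = True
        # Any -bin header the backend cannot base64-decode tears down the whole connection.
        if name.endswith("-bin") and not is_valid_grpc_base64(value):
            findings.append(f"CVE-2023-32732: {name} is not valid base64")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample requests, not captured traffic."""
    base = [(":method", "POST"), (":scheme", "https"), (":path", "/pkg.Svc/Method"),
            (":authority", "backend"), ("content-type", "application/grpc")]
    cases = {
        "clean": base + [("te", "trailers"), ("grpc-trace-bin", "AAEC")],
        "bad_te_small": base + [("te", "x")],                            # under 8KB: no abort
        "bad_te_padded": base + [("te", "x"), ("x-filler", "A" * 9000)],
        "bad_bin": base + [("grpc-trace-bin", "not*base64!")],
    }
    return {label: backend_hazards(block) for label, block in cases.items()}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label:14s} {findings or 'ok'}")
```

Note that RFC 7540 already forbids any `te` value other than `trailers` in HTTP/2 requests, so a conforming proxy should be rejecting the first trigger anyway; the other two, and the -bin check, are gRPC-specific and need the explicit rule. The filter is a mitigation only: the fix is the upgrade to v1.53 or past the commits named above.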
Release Notes
grpc/grpc (grpcio)
### [`v1.53.0`](https://togithub.com/grpc/grpc/releases/tag/v1.53.0)
[Compare Source](https://togithub.com/grpc/grpc/compare/v1.52.0...v1.53.0)
This is release 1.53.0 ([glockenspiel](https://togithub.com/grpc/grpc/blob/master/doc/g_stands_for.md)) of gRPC Core.
For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://togithub.com/grpc/grpc/releases).
This release contains refinements, improvements, and bug fixes, with highlights listed below.
## Core
- xDS: fix crash when removing the last endpoint from the last locality in weighted_target. ([#32592](https://togithub.com/grpc/grpc/pull/32592))
- filter stack: pass peer name up via recv_initial_metadata batch. ([#31933](https://togithub.com/grpc/grpc/pull/31933))
- \[EventEngine] Add advice against blocking work in callbacks. ([#32397](https://togithub.com/grpc/grpc/pull/32397))
- \[http2] Dont drop connections on metadata limit exceeded. ([#32309](https://togithub.com/grpc/grpc/pull/32309))
- xDS: reject aggregate cluster with empty cluster list. ([#32238](https://togithub.com/grpc/grpc/pull/32238))
- Fix Python epoll1 Fork Support. ([#32196](https://togithub.com/grpc/grpc/pull/32196))
- server: introduce ServerMetricRecorder API and move per-call reporting from a C++ interceptor to a C-core filter. ([#32106](https://togithub.com/grpc/grpc/pull/32106))
- \[EventEngine] Add invalid handle types to the public API. ([#32202](https://togithub.com/grpc/grpc/pull/32202))
- \[EventEngine] Refactoring the EventEngine Test Suite: Part 1. ([#32127](https://togithub.com/grpc/grpc/pull/32127))
- xDS: fix WeightedClusters total weight handling. ([#32134](https://togithub.com/grpc/grpc/pull/32134))
## C++
- Update minimum MSVC version to 2019. ([#32615](https://togithub.com/grpc/grpc/pull/32615))
- Use CMake variables for paths in pkg-config files. ([#31671](https://togithub.com/grpc/grpc/pull/31671))
## C\#
- Grpc.Tools: Use x86 protoc binaries on arm64 Windows. ([#32017](https://togithub.com/grpc/grpc/pull/32017))
## Python
- Support python 3.11 on aarch64. ([#32270](https://togithub.com/grpc/grpc/pull/32270))
- Include .pyi file. ([#32268](https://togithub.com/grpc/grpc/pull/32268))
- De-experimentalize wait-for-ready. ([#32143](https://togithub.com/grpc/grpc/pull/32143))
- De-experimentalize compression. ([#32138](https://togithub.com/grpc/grpc/pull/32138))
## Ruby
- \[ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6. ([#32089](https://togithub.com/grpc/grpc/pull/32089))
### [`v1.52.0`](https://togithub.com/grpc/grpc/releases/tag/v1.52.0)
[Compare Source](https://togithub.com/grpc/grpc/compare/v1.51.3...v1.52.0)
This is release 1.52.0 ([gribkoff](https://togithub.com/grpc/grpc/blob/master/doc/g_stands_for.md)) of gRPC Core.
For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://togithub.com/grpc/grpc/releases).
This release contains refinements, improvements, and bug fixes, with highlights listed below.
## Core
- \[༺ EventEngine ༻] Specify requirements for Run\* immediate execution. ([#32028](https://togithub.com/grpc/grpc/pull/32028))
- Tracing: Add annotations for when call is removed from resolver result queue and lb pick queue. ([#31913](https://togithub.com/grpc/grpc/pull/31913))
- ring_hash LB: cap ring size to 4096 with channel arg to override. ([#31692](https://togithub.com/grpc/grpc/pull/31692))
## C++
- Cmake add separate export for plugin targets. ([#31525](https://togithub.com/grpc/grpc/pull/31525))
## C\#
- Add internal documentation for Grpc.Tools MSBuild integration. ([#31784](https://togithub.com/grpc/grpc/pull/31784))
## Python
- Change Aio abort() function return type to NoReturn. ([#31984](https://togithub.com/grpc/grpc/pull/31984))
- Change the annotated return type of `UnaryStreamCall` and `StreamStreamCall` from `AsyncIterable` to `AsyncIterator`. ([#31906](https://togithub.com/grpc/grpc/pull/31906))
- Build native MacOS arm64 artifacts (universal2). ([#31747](https://togithub.com/grpc/grpc/pull/31747))
- Respect CC variable in grpcio python build. ([#26480](https://togithub.com/grpc/grpc/pull/26480))
- Revert "Build with System OpenSSL on Mac OS arm64 ([#31096](https://togithub.com/grpc/grpc/issues/31096))". ([#31741](https://togithub.com/grpc/grpc/pull/31741))
## Ruby
- Backport "\[ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6 [#32089](https://togithub.com/grpc/grpc/issues/32089)" to v1.52.x. ([#32157](https://togithub.com/grpc/grpc/pull/32157))
- remove some default allocators. ([#30434](https://togithub.com/grpc/grpc/pull/30434))
- Fix Ruby build errors in 3.2.0 on Apple M1. ([#31997](https://togithub.com/grpc/grpc/pull/31997))
- \[Ruby] build: make exported symbol files platform-specific. ([#31970](https://togithub.com/grpc/grpc/pull/31970))
### [`v1.51.3`](https://togithub.com/grpc/grpc/releases/tag/v1.51.3)
[Compare Source](https://togithub.com/grpc/grpc/compare/v1.51.1...v1.51.3)
This is release gRPC Core 1.51.3 (galaxy).
For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://togithub.com/grpc/grpc/releases).
This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.
## Python
- Backport of [#31747](https://togithub.com/grpc/grpc/issues/31747) to v1.51.x (Build native MacOS arm64 artifacts (universal2)) ([#32424](https://togithub.com/grpc/grpc/pull/32424))
### [`v1.51.1`](https://togithub.com/grpc/grpc/releases/tag/v1.51.1)
[Compare Source](https://togithub.com/grpc/grpc/compare/v1.51.0...v1.51.1)
This is release gRPC Core 1.51.1 (galaxy).
For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://togithub.com/grpc/grpc/releases).
This release contains refinements, improvements, and bug fixes.
## Python
- Revert "Build with System OpenSSL on Mac OS arm64 ([#31096](https://togithub.com/grpc/grpc/issues/31096))". ([#31739](https://togithub.com/grpc/grpc/pull/31739))
### [`v1.51.0`](https://togithub.com/grpc/grpc/releases/tag/v1.51.0)
[Compare Source](https://togithub.com/grpc/grpc/compare/v1.50.0...v1.51.0)
This is release gRPC Core 1.51.0 (galaxy).
For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://togithub.com/grpc/grpc/releases).
This release contains refinements, improvements, and bug fixes.
## Core
- Bump core version [`2022110`](https://togithub.com/grpc/grpc/commit/202211082118). ([#31585](https://togithub.com/grpc/grpc/pull/31585))
- c-ares DNS resolver: fix logical race between resolution timeout/cancellation and fd readability. ([#31443](https://togithub.com/grpc/grpc/pull/31443))
- \[log] Longer space for filenames. ([#31432](https://togithub.com/grpc/grpc/pull/31432))
- c-ares DNS resolver: remove unnecessary code in SRV callback. ([#31426](https://togithub.com/grpc/grpc/pull/31426))
- Correct the domain-socket client address read out from the ServerContext. ([#31108](https://togithub.com/grpc/grpc/pull/31108))
- outlier detection: remove env var protection. ([#31251](https://togithub.com/grpc/grpc/pull/31251))
- EventEngineFactoryReset - remove custom factory and reset default engine. ([#30554](https://togithub.com/grpc/grpc/pull/30554))
- \[tls] Remove support for pthread tls. ([#31040](https://togithub.com/grpc/grpc/pull/31040))
## C++
- Added version macros to gRPC C++. ([#31033](https://togithub.com/grpc/grpc/pull/31033))
- OpenCensus: Move measures, views and CensusContext to include file. ([#31341](https://togithub.com/grpc/grpc/pull/31341))
- GcpObservability: Add experimental public target. ([#31339](https://togithub.com/grpc/grpc/pull/31339))
## C\#
- Fix msbuild failing when '@' is present in path (2nd attempt). ([#31527](https://togithub.com/grpc/grpc/pull/31527))
- Revert "Fix msbuild failing when '@' is present in path". ([#31464](https://togithub.com/grpc/grpc/pull/31464))
- Fix msbuild failing when '@' is present in path. ([#31133](https://togithub.com/grpc/grpc/pull/31133))
## PHP
- fixing php 8.2 deprecations. ([#30997](https://togithub.com/grpc/grpc/pull/30997))
## Python
- Fix lack of cooldown between poll attempts. ([#31550](https://togithub.com/grpc/grpc/pull/31550))
- Build with System OpenSSL on Mac OS arm64. ([#31096](https://togithub.com/grpc/grpc/pull/31096))
- Remove enum and future. ([#31381](https://togithub.com/grpc/grpc/pull/31381))
- \[Remove Six] Remove dependency on six. ([#31340](https://togithub.com/grpc/grpc/pull/31340))
- Update xds-protos package to pull in protobuf 4.X. ([#31113](https://togithub.com/grpc/grpc/pull/31113))
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.