grpc-ecosystem / grpc-health-probe

A command-line tool to perform health-checks for gRPC applications in Kubernetes and elsewhere
Apache License 2.0

CVE issue #167

Closed limbuster closed 1 year ago

limbuster commented 1 year ago

Can we make a new release to address the following CVE? The updated version of the affected package has already been merged to master branch.

Affected package: google.golang.org/grpc
Vulnerability: GHSA-m425-mq94-257g | gRPC-Go HTTP/2 Rapid Reset vulnerability

kuljeetay commented 1 year ago

+1 Release Urgently Required.

stefanb commented 1 year ago

CVE-2023-44487 was already

It seems it just needs a release.

limbuster commented 1 year ago

@stefanb Yes, just needs a new release.

ns-yuhanl commented 1 year ago

@stefanb yes, we just need a new release with the updated google.golang.org/grpc

stefanb commented 1 year ago

@ahmetb, please review above and if you agree create a new release v0.4.22 at: https://github.com/grpc-ecosystem/grpc-health-probe/releases/new

ahmetb commented 1 year ago

I don't think this impacts grpc clients? This tool is not a grpc server either so I don't think it's applicable. It's quite laborious to keep releasing updates for issues not really impacting the tool.

ahmetb commented 1 year ago

Tagged v0.4.22.

stefanb commented 1 year ago

> I don't think this impacts grpc clients? This tool is not a grpc server either so I don't think it's applicable. It's quite laborious to keep releasing updates for issues not really impacting the tool.

Indeed. But people are getting warnings (false positive in this case) from various tools and want to silence them.
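What the scanners in this thread are matching on is the version string of google.golang.org/grpc embedded in the binary's Go build info, so the quickest way to confirm that a given grpc-health-probe build carries the dependency bump is to read that string back out of the binary. The following is an added example in Go, not code from grpc-health-probe or from anyone in the thread. It assumes the `dep <module> <version> <hash>` line format printed by `go version -m`, and the patched grpc-go releases named in GHSA-m425-mq94-257g (v1.56.3, v1.57.1, v1.58.3; later minor lines shipped after the fix, earlier lines were not patched). The build-info text is constructed for the example, not captured from a real binary.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleBuildInfo is a constructed stand-in for the output of
//   go version -m grpc-health-probe
// on a binary built before the dependency bump. It is not real build output.
const sampleBuildInfo = `grpc-health-probe: go1.21.3
	path	github.com/grpc-ecosystem/grpc-health-probe
	mod	github.com/grpc-ecosystem/grpc-health-probe	(devel)
	dep	golang.org/x/net	v0.17.0	h1:aaaa
	dep	google.golang.org/grpc	v1.58.2	h1:bbbb
	dep	google.golang.org/protobuf	v1.31.0	h1:cccc
`

const grpcModule = "google.golang.org/grpc"

// rapidResetFixed maps each grpc-go minor line that received a backport for
// GHSA-m425-mq94-257g (CVE-2023-44487) to its first patched PATCH number.
// Minor lines above 58 were released after the fix; lines below 56 were never patched.
var rapidResetFixed = map[int]int{56: 3, 57: 1, 58: 3}

// grpcVersion extracts the google.golang.org/grpc version from `go version -m` output.
// It returns ok=false when the module is not among the binary's dependencies.
func grpcVersion(buildInfo string) (version string, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(buildInfo))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// dep lines look like: dep <module path> <version> <hash>
		if len(fields) >= 3 && fields[0] == "dep" && fields[1] == grpcModule {
			return fields[2], true
		}
	}
	return "", false
}

// parseSemver splits vMAJOR.MINOR.PATCH. A "-" suffix (pre-release or pseudo-version)
// is reported via pre, so that v1.58.3-rc1 sorts below v1.58.3; "+build" metadata is dropped.
func parseSemver(v string) (major, minor, patch int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false, fmt.Errorf("not a semver triple: %q", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return 0, 0, 0, false, fmt.Errorf("bad component %q in %q", p, v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], pre, nil
}

// rapidResetPatched reports whether a grpc-go version string is at or above the
// patched release for its minor line. Pre-release and pseudo-versions of the fixed
// patch are conservatively treated as unpatched.
func rapidResetPatched(version string) (bool, error) {
	major, minor, patch, pre, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	if major != 1 {
		return false, fmt.Errorf("unexpected grpc-go major version in %q", version)
	}
	if minor > 58 {
		return true, nil
	}
	fixedPatch, backported := rapidResetFixed[minor]
	if !backported {
		return false, nil
	}
	return patch > fixedPatch || (patch == fixedPatch && !pre), nil
}

func main() {
	v, ok := grpcVersion(sampleBuildInfo)
	if !ok {
		fmt.Println("binary does not embed", grpcModule)
		return
	}
	patched, err := rapidResetPatched(v)
	if err != nil {
		fmt.Println("could not evaluate version:", err)
		return
	}
	fmt.Printf("%s %s: Rapid Reset fix present = %v\n", grpcModule, v, patched)
}
```

Run the real check with `go version -m /path/to/grpc-health-probe` and feed the output to `grpcVersion`. Two caveats: `go version -m` prints a `=>` line after a dependency when a `replace` directive redirected it, and this example does not follow those replacements; and a passing result only means the flagged version string is gone, which is what silences the scanners, not a statement about whether the tool is reachable by the attack described in the advisory.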