hashicorp / packer-plugin-vsphere

Packer plugin for VMware vSphere Builder
https://www.packer.io/docs/builders/vsphere
Mozilla Public License 2.0

chore(deps): google.golang.org/grpc #320

Closed tenthirtyam closed 10 months ago

tenthirtyam commented 10 months ago

Summary

Address the following CVE:

CVE-2023-44487

swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new Channels to serve the traffic. This can easily overwhelm an EventLoop and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.

Changes

➜ go get -u google.golang.org/grpc
go: downloading golang.org/x/net v0.14.0
go: downloading golang.org/x/sys v0.11.0
go: downloading golang.org/x/text v0.12.0
go: upgraded cloud.google.com/go v0.105.0 => v0.110.9
go: upgraded cloud.google.com/go/compute v1.12.1 => v1.23.2
go: upgraded cloud.google.com/go/compute/metadata v0.1.1 => v0.2.3
go: upgraded cloud.google.com/go/iam v0.6.0 => v1.1.4
go: upgraded cloud.google.com/go/storage v1.27.0 => v1.30.1
go: upgraded github.com/cespare/xxhash/v2 v2.1.2 => v2.2.0
go: upgraded github.com/golang/protobuf v1.5.2 => v1.5.3
go: upgraded github.com/google/uuid v1.3.0 => v1.3.1
go: upgraded github.com/googleapis/enterprise-certificate-proxy v0.2.0 => v0.2.4
go: upgraded github.com/googleapis/gax-go/v2 v2.6.0 => v2.12.0
go: upgraded go.opencensus.io v0.23.0 => v0.24.0
go: upgraded golang.org/x/crypto v0.1.0 => v0.15.0
go: upgraded golang.org/x/net v0.8.0 => v0.18.0
go: upgraded golang.org/x/oauth2 v0.1.0 => v0.11.0
go: upgraded golang.org/x/sys v0.6.0 => v0.14.0
go: upgraded golang.org/x/term v0.6.0 => v0.14.0
go: upgraded golang.org/x/text v0.8.0 => v0.14.0
go: upgraded google.golang.org/api v0.101.0 => v0.128.0
go: upgraded google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c => v0.0.0-20231030173426-d783a09b4405
go: added google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17
go: upgraded google.golang.org/grpc v1.50.1 => v1.59.0
go: upgraded google.golang.org/protobuf v1.28.1 => v1.31.0

Reference

Closes https://github.com/hashicorp/packer-plugin-vsphere/security/dependabot/20
Closes https://github.com/hashicorp/packer-plugin-vsphere/security/dependabot/21
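A dependency bump like this one is only effective if the resolved module versions actually cross the fixed threshold, so a reviewer or CI job will want a repeatable check rather than eyeballing the `go get` log. The following is an added example, not code from this PR or from the packer-plugin-vsphere project: it parses the `require` section of a go.mod file and reports any module that is below a required minimum. Both go.mod fragments are constructed for the example and are not the plugin's real file; the thresholds (`google.golang.org/grpc` at `v1.59.0`, `golang.org/x/net` at `v0.18.0`) are simply the versions this PR upgrades to, used here as the baseline, and `ParseRequire`, `CompareSemver` and `CheckMinimum` are names chosen for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// goModBefore is a constructed go.mod fragment mirroring the pre-upgrade
// versions shown in the PR log (not the plugin's actual go.mod).
const goModBefore = `module example.com/demo

go 1.20

require (
	github.com/google/uuid v1.3.0
	golang.org/x/net v0.8.0 // indirect
	google.golang.org/grpc v1.50.1
)
`

// goModAfter is the same constructed fragment at the post-upgrade versions.
const goModAfter = `module example.com/demo

go 1.20

require (
	github.com/google/uuid v1.3.1
	golang.org/x/net v0.18.0 // indirect
	google.golang.org/grpc v1.59.0
)
`

// Minimums maps a module path to the lowest acceptable version. The values
// here are the versions this PR lands on, used as an assumed baseline.
var Minimums = map[string]string{
	"google.golang.org/grpc": "v1.59.0",
	"golang.org/x/net":       "v0.18.0",
}

// ParseRequire extracts module -> version from the require lines of a go.mod
// file, handling both the single-line and the block form. Trailing comments
// such as "// indirect" are stripped before the line is split.
func ParseRequire(goMod string) map[string]string {
	mods := make(map[string]string)
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				mods[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				mods[f[0]] = f[1]
			}
		}
	}
	return mods
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-suffix]" into its numeric core and
// reports whether a pre-release/pseudo-version suffix was present.
func parseVersion(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	core, _, hasSuffix := strings.Cut(v, "-")
	var out [3]int
	for i, p := range strings.SplitN(core, ".", 3) {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out, hasSuffix
}

// CompareSemver returns -1, 0 or 1 comparing a to b numerically. A version
// carrying a suffix (e.g. a genproto pseudo-version) sorts before the plain
// release with the same core, matching Go module ordering for this check.
func CompareSemver(a, b string) int {
	pa, sufA := parseVersion(a)
	pb, sufB := parseVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	if sufA && !sufB {
		return -1
	}
	if !sufA && sufB {
		return 1
	}
	return 0
}

// CheckMinimum returns one finding per module that is present in mods but
// below its required minimum. A module absent from mods is not reported:
// it is not in this module graph at all.
func CheckMinimum(mods, minimums map[string]string) []string {
	var findings []string
	for mod, need := range minimums {
		if have, ok := mods[mod]; ok && CompareSemver(have, need) < 0 {
			findings = append(findings, fmt.Sprintf("%s: have %s, need >= %s", mod, have, need))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for name, src := range map[string]string{"before": goModBefore, "after": goModAfter} {
		findings := CheckMinimum(ParseRequire(src), Minimums)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  FAIL", f)
		}
	}
}
```

Run against the "before" fragment the check flags both grpc and x/net; against the "after" fragment it is clean. In a real pipeline the go.mod would be read from disk (or `go list -m all` output would be parsed instead, which also covers modules pulled in only transitively), and the minimums would come from the advisory that triggered the bump rather than from the PR itself.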