minio / mc

Unix like utilities for object store
https://min.io/download
GNU Affero General Public License v3.0

google.golang.org/grpc - compliance vulnerability found in mc:RELEASE.2023-10-24T21-42-22Z #4736

Closed Skyapip closed 1 year ago

Skyapip commented 1 year ago

On scanning the mc:RELEASE.2023-10-24T21-42-22Z docker image, found the below vulnerability in it.


| Type | Severity | CVSS | CVE | Package Name | Package Version | Fix Status | Grace Period |
| -- | -- | -- | -- | -- | -- | -- | -- |
| Compliance | High |  | GHSA-m425-mq94-257g | google.golang.org/grpc | v1.58.0 | fixed in: 1.58.3, 1.57.1, 1.56.3 | 12 days left |

Full description:

### Impact

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

### Patches

This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0. Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.

### Workarounds

None.

### References

#6703

Can we fix this as soon as possible?
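Added illustration (not code from mc, grpc-go or this issue's author) of the mechanism the advisory above describes and of the shape of the mitigation. The transport counts a stream as closed as soon as the client cancels it, so a server that bounds work only by "open streams" can still end up with far more handler goroutines running than the configured maximum. The simulation compares that accounting with a per-connection handler quota that is held until the handler actually returns. `HandlerQuota`, `Run` and `notePeak` are hypothetical names invented for this example; the workload, the request count and the cancel-immediately client are constructed. In a real deployment the fix is the upgraded grpc-go release plus the `grpc.MaxConcurrentStreams` server option named in the advisory; this code only models why stream counting alone is insufficient.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// HandlerQuota bounds the number of method handlers executing at once,
// independent of how many HTTP/2 streams the transport currently sees as open.
// Hypothetical helper written for this illustration, not grpc-go's implementation.
type HandlerQuota struct {
	slots chan struct{}
}

func NewHandlerQuota(max uint32) *HandlerQuota {
	return &HandlerQuota{slots: make(chan struct{}, max)}
}

// Acquire blocks until a handler slot is free or ctx is done.
func (q *HandlerQuota) Acquire(ctx context.Context) error {
	select {
	case q.slots <- struct{}{}:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// Release must be called only after Acquire succeeded, once the handler returns.
func (q *HandlerQuota) Release() { <-q.slots }

// notePeak records n as the new high-water mark if it exceeds the current one.
func notePeak(peak *int32, n int32) {
	for {
		cur := atomic.LoadInt32(peak)
		if n <= cur || atomic.CompareAndSwapInt32(peak, cur, n) {
			return
		}
	}
}

// Run simulates one connection: the client opens `requests` streams, never
// exceeding maxStreams open at a time (it honours SETTINGS_MAX_CONCURRENT_STREAMS),
// but cancels each stream immediately after the server has dispatched its handler.
// Each handler keeps working for `work`. It returns the peak number of handlers
// that were executing concurrently.
func Run(maxStreams uint32, useQuota bool, requests int, work time.Duration) int32 {
	var (
		openStreams int32 // what the transport counts as open
		running     int32 // handlers actually executing
		peak        int32
		wg          sync.WaitGroup
		quota       *HandlerQuota
	)
	if useQuota {
		quota = NewHandlerQuota(maxStreams)
	}
	for i := 0; i < requests; i++ {
		// Client side of the stream limit: wait while the transport is at capacity.
		for atomic.LoadInt32(&openStreams) >= int32(maxStreams) {
			time.Sleep(time.Millisecond)
		}
		atomic.AddInt32(&openStreams, 1)
		wg.Add(1)
		go func() {
			defer wg.Done()
			if quota != nil {
				// Mitigation: the slot is tied to handler lifetime, not stream lifetime.
				if err := quota.Acquire(context.Background()); err != nil {
					return
				}
				defer quota.Release()
			}
			notePeak(&peak, atomic.AddInt32(&running, 1))
			time.Sleep(work) // constructed stand-in for handler work
			atomic.AddInt32(&running, -1)
		}()
		// Client cancels (RST_STREAM): the transport frees the stream slot at once,
		// but the handler goroutine dispatched above is still running.
		atomic.AddInt32(&openStreams, -1)
	}
	wg.Wait()
	return atomic.LoadInt32(&peak)
}

func main() {
	const limit = 2
	fmt.Printf("stream accounting only: peak handlers = %d (limit %d)\n",
		Run(limit, false, 50, 20*time.Millisecond), limit)
	fmt.Printf("with handler quota:     peak handlers = %d (limit %d)\n",
		Run(limit, true, 50, 20*time.Millisecond), limit)
}
```

With stream accounting only, the cancel-and-resend loop drives the peak well past the configured limit of 2; with the handler quota the peak never exceeds it. Handlers should still watch their request context so a cancelled call releases its slot promptly, otherwise the quota simply turns the resource blow-up into queueing.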

klauspost commented 1 year ago

https://github.com/minio/mc/pull/4731