vegaprotocol / vegatools

A go command line utility providing a bunch of tools to use with a Vega network
MIT License

fix(deps): update module google.golang.org/grpc to v1.53.0 [security] - autoclosed #291

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| google.golang.org/grpc | require | minor | v1.52.0 -> v1.53.0 |

GitHub Vulnerability Alerts

CVE-2023-32731

When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309


Release Notes

grpc/grpc-go (google.golang.org/grpc)

### [`v1.53.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.53.0): Release 1.53.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.3...v1.53.0)

### API Changes

- balancer: support injection of per-call metadata from LB policies ([#5853](https://togithub.com/grpc/grpc-go/issues/5853))
- resolver: remove deprecated field `resolver.Target.Endpoint` and replace with `resolver.Target.Endpoint()` ([#5852](https://togithub.com/grpc/grpc-go/issues/5852))
  - Special Thanks: [@kylejb](https://togithub.com/kylejb)

### New Features

- xds/ringhash: introduce `GRPC_RING_HASH_CAP` environment variable to override the maximum ring size. ([#5884](https://togithub.com/grpc/grpc-go/issues/5884))
- rls: propagate headers received in RLS response to backends ([#5883](https://togithub.com/grpc/grpc-go/issues/5883))

### Bug Fixes

- transport: drain client transport when streamID approaches MaxStreamID ([#5889](https://togithub.com/grpc/grpc-go/issues/5889))
- server: after GracefulStop, ensure connections are closed when final RPC completes ([#5968](https://togithub.com/grpc/grpc-go/issues/5968))
- server: fix a few issues where grpc server uses RST_STREAM for non-HTTP/2 errors ([#5893](https://togithub.com/grpc/grpc-go/issues/5893))
- xdsclient: fix race which can happen when multiple load reporting calls are made at the same time. ([#5927](https://togithub.com/grpc/grpc-go/issues/5927))
- rls: fix a data race involving the LRU cache ([#5925](https://togithub.com/grpc/grpc-go/issues/5925))
- xds: fix panic involving double close of channel in xDS transport ([#5959](https://togithub.com/grpc/grpc-go/issues/5959))
- gcp/observability: update method name validation ([#5951](https://togithub.com/grpc/grpc-go/issues/5951))

### Documentation

- credentials/oauth: mark `NewOauthAccess` as deprecated ([#5882](https://togithub.com/grpc/grpc-go/issues/5882))
  - Special Thanks: [@buzzsurfr](https://togithub.com/buzzsurfr)

### [`v1.52.3`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.3): Release 1.52.3

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.1...v1.52.3)

### Bug Fixes

- Fix user-agent version

### [`v1.52.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.1): Release 1.52.1

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.0...v1.52.1)

### Bug Fixes

- grpclb: rename grpclbstate package back to state ([#5963](https://togithub.com/grpc/grpc-go/issues/5963))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
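
The table desynchronization described in the CVE-2023-32731 alert above, as a toy Go model added here for illustration (not code from gRPC, Renovate or this repository). `Op`, `Decoder`, `Replay`, the 32-byte limit and the sample headers are constructed assumptions, and the model does not follow the HPACK wire format; it contrasts a receiver that stops parsing at the size error with one that rejects the block but still applies its table inserts.

```go
package main

import (
	"errors"
	"fmt"
)

type Op struct {
	Index  int // 0 inserts Header into the dynamic table; n reads entry n (1 = newest)
	Header string
}

var ErrTooLarge = errors.New("header size exceeded")

type Decoder struct {
	table     []string // dynamic table, newest first (toy model, no eviction)
	MaxSize   int      // per-block limit on decoded header bytes
	SkipOnErr bool     // true reproduces the flaw: stop parsing at the size error
}

func (d *Decoder) Decode(block []Op) (out []string, err error) {
	size := 0
	for _, op := range block {
		h := op.Header
		if op.Index > 0 {
			h = d.table[op.Index-1] // constructed input only uses valid indexes
		}
		if size += len(h); size > d.MaxSize { // over the limit: block is rejected
			if err = ErrTooLarge; d.SkipOnErr {
				return nil, err // flaw: the remaining table inserts are never applied
			}
		}
		if op.Index == 0 {
			d.table = append([]string{h}, d.table...)
		}
		out = append(out, h)
	}
	return out, err // out must be ignored when err != nil
}

// Replay decodes three constructed blocks from one sender; the sender's entry 1 is "bob".
func Replay(skipOnErr bool) string {
	d := &Decoder{MaxSize: 32, SkipOnErr: skipOnErr}
	d.Decode([]Op{{0, "authorization: alice"}})
	d.Decode([]Op{{0, "x-pad: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}, {0, "authorization: bob"}})
	out, _ := d.Decode([]Op{{Index: 1}})
	return out[0]
}

func main() { fmt.Println(Replay(true), "|", Replay(false)) }
```

Both receivers reject the oversized second block; only the one that keeps parsing resolves the later index reference to the header the sender meant.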