chore(deps): google.golang.org/grpc#159

Merged
nywilken merged 1 commit into main from chore(deps)/google.golang.org-grpc
Nov 13, 2023

Conversation

@tenthirtyam (Collaborator)

Summary

Address the following CVE:

CVE-2023-44487

swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new Channels to serve the traffic. This can easily overwhelm an EventLoop and prevent it from making forward progress.

swift-nio-http2 1.28 contains a remediation for this issue that applies a reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.

Changes

➜ go get -u google.golang.org/grpc
go: downloading google.golang.org/grpc v1.59.0
go: downloading golang.org/x/net v0.14.0
go: downloading github.com/golang/protobuf v1.5.3
go: downloading golang.org/x/sys v0.11.0
go: downloading google.golang.org/protobuf v1.31.0
go: downloading google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d
go: downloading golang.org/x/text v0.12.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17
go: downloading google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17
go: downloading google.golang.org/genproto v0.0.0-20231030173426-d783a09b4405
go: downloading cloud.google.com/go v0.110.9
go: downloading cloud.google.com/go/compute v1.23.2
go: downloading cloud.google.com/go/iam v1.1.4
go: downloading cloud.google.com/go/storage v1.30.1
go: downloading github.com/google/uuid v1.3.1
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.2.4
go: downloading github.com/googleapis/gax-go/v2 v2.12.0
go: downloading github.com/stretchr/objx v0.5.0
go: downloading cloud.google.com/go/longrunning v0.5.3
go: downloading github.com/stretchr/testify v1.8.1
go: downloading cloud.google.com/go/compute/metadata v0.2.3
go: downloading github.com/google/martian/v3 v3.3.2
go: downloading go.opencensus.io v0.24.0
go: downloading golang.org/x/oauth2 v0.11.0
go: downloading golang.org/x/sync v0.3.0
go: downloading google.golang.org/api v0.128.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: upgraded cloud.google.com/go v0.105.0 => v0.110.9
go: upgraded cloud.google.com/go/compute v1.12.1 => v1.23.2
go: upgraded cloud.google.com/go/compute/metadata v0.1.1 => v0.2.3
go: upgraded cloud.google.com/go/iam v0.6.0 => v1.1.4
go: upgraded cloud.google.com/go/storage v1.27.0 => v1.30.1
go: upgraded github.com/golang/protobuf v1.5.2 => v1.5.3
go: upgraded github.com/google/uuid v1.3.0 => v1.3.1
go: upgraded github.com/googleapis/enterprise-certificate-proxy v0.2.0 => v0.2.4
go: upgraded github.com/googleapis/gax-go/v2 v2.6.0 => v2.12.0
go: upgraded github.com/stretchr/testify v1.7.0 => v1.8.1
go: upgraded go.opencensus.io v0.23.0 => v0.24.0
go: upgraded golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167 => v0.15.0
go: upgraded golang.org/x/net v0.8.0 => v0.18.0
go: upgraded golang.org/x/oauth2 v0.1.0 => v0.11.0
go: upgraded golang.org/x/sys v0.6.0 => v0.14.0
go: upgraded golang.org/x/term v0.6.0 => v0.14.0
go: upgraded golang.org/x/text v0.8.0 => v0.14.0
go: upgraded google.golang.org/api v0.101.0 => v0.128.0
go: upgraded google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c => v0.0.0-20231030173426-d783a09b4405
go: added google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17
go: upgraded google.golang.org/grpc v1.50.1 => v1.59.0
go: upgraded google.golang.org/protobuf v1.28.1 => v1.31.0
go: upgraded gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b => v3.0.1

packer-plugin-vmware on  main [!] via 🐹 v1.21.4 took 23.6s 
➜ go mod tidy
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b
go: downloading github.com/google/s2a-go v0.1.4

Reference

Closes https://github.com/hashicorp/packer-plugin-vmware/security/dependabot/22
Closes https://github.com/hashicorp/packer-plugin-vmware/security/dependabot/18
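The sliding-window reset counter the advisory describes, written out as an added Go illustration of the defensive mechanism (this is not grpc-go's or swift-nio-http2's implementation, and the limit, window and simulated peer are constructed values):

```go
package main

import (
	"fmt"
	"time"
)

// ResetLimiter counts RST_STREAM frames seen on one HTTP/2 connection within a
// sliding window (added illustration of the remediation described above, not grpc-go code).
type ResetLimiter struct {
	window time.Duration
	limit  int
	resets []time.Time // timestamps still inside the window, oldest first
}

// NewResetLimiter tolerates at most limit stream resets per window.
func NewResetLimiter(limit int, window time.Duration) *ResetLimiter {
	return &ResetLimiter{window: window, limit: limit}
}

// Observe records a reset seen at now; false means the peer exceeded its budget
// and the connection should be torn down (GOAWAY).
func (l *ResetLimiter) Observe(now time.Time) bool {
	cutoff := now.Add(-l.window)
	i := 0 // expired entries form a prefix because arrivals are appended in order
	for i < len(l.resets) && !l.resets[i].After(cutoff) {
		i++
	}
	l.resets = append(l.resets[i:], now)
	return len(l.resets) <= l.limit
}

// RunClient simulates a peer sending count resets gap apart (constructed input) and
// returns how many resets were accepted and whether teardown was triggered.
func RunClient(count int, gap time.Duration, limit int, window time.Duration) (int, bool) {
	l := NewResetLimiter(limit, window)
	now := time.Unix(0, 0)
	for n := 0; n < count; n++ {
		now = now.Add(gap)
		if !l.Observe(now) {
			return n, true
		}
	}
	return count, false
}

func main() {
	n, torn := RunClient(1000, time.Microsecond, 200, 30*time.Second) // rapid-reset peer
	fmt.Printf("%d resets accepted, torn down=%v\n", n, torn)
}
```

A peer cancelling one stream every 200ms never holds more than 150 resets in a 30s window and is left alone, while a peer resetting 1000 streams microseconds apart is cut off at the 201st reset.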

@tenthirtyam tenthirtyam added the dependencies and chore labels Nov 12, 2023
@tenthirtyam tenthirtyam requested a review from nywilken November 12, 2023 18:02
@tenthirtyam tenthirtyam self-assigned this Nov 12, 2023
@tenthirtyam tenthirtyam requested a review from a team as a code owner November 12, 2023 18:02
Address the following CVE:

- CVE-2023-44487

Signed-off-by: Ryan Johnson <johnsonryan@vmware.com>
@nywilken nywilken force-pushed the chore(deps)/google.golang.org-grpc branch from 0fb14ca to 3236729 November 13, 2023 10:37
@nywilken nywilken merged commit ead7937 into main Nov 13, 2023
@nywilken nywilken deleted the chore(deps)/google.golang.org-grpc branch November 13, 2023 10:38
@vmware vmware locked and limited conversation to collaborators Jun 29, 2024