Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Rust crate tonic to v0.12.3 [SECURITY] - autoclosed #1382

Closed
wants to merge 1 commit into from
Closed

Update Rust crate tonic to v0.12.3 [SECURITY] - autoclosed #1382

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 2, 2024
edited by allada
Loading

This PR contains the following updates:

Package Type Update Change
tonic dependencies patch 0.12.2 -> 0.12.3

GitHub Vulnerability Alerts

CVE-2024-47609

Impact

When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a tcp/tls stream. This can be triggered via causing the accept call to error out with errors there were not covered correctly causing the accept loop to exit.

More information can be found here

Patches

Upgrading to tonic 0.12.3 and above contains the fix.

Workarounds

A custom accept loop is a possible workaround.

Release Notes

hyperium/tonic (tonic)

v0.12.3

Compare Source

Features
  • server: Added support for grpc max_connection_age (#​1865)
  • build: Add #[deprecated] to deprecated client methods (#​1879)
  • build: plumb skip_debug through prost Builder and add test (#​1900)
Bug Fixes
  • build: Revert "fix tonic-build cargo build script outputs (#​1821)" which accidentally increases MSRV (#​1898)
  • server: ignore more error kinds in incoming socket stream (#​1885)
  • transport: do not shutdown server on broken connections (#​1948)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This change is Reviewable

aaronmondal
aaronmondal requested changes Oct 2, 2024
View reviewed changes
Copy link
Member

@aaronmondal aaronmondal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

already handled by #1381

Reviewable status: 0 of 1 LGTMs obtained, and 0 of 1 files reviewed, and pending CI: Bazel Dev / macos-13, Cargo Dev / macos-13, Installation / macos-13, Installation / macos-14, Remote / large-ubuntu-22.04

@renovate renovate bot changed the title Update Rust crate tonic to v0.12.3 [SECURITY] Update Rust crate tonic to v0.12.3 [SECURITY] - autoclosed Oct 2, 2024
@renovate renovate bot closed this Oct 2, 2024
@renovate renovate bot deleted the renovate/crate-tonic-vulnerability branch October 2, 2024 01:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aaronmondal aaronmondal aaronmondal requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@aaronmondal