c-ares and CVE-2022-4904 in gRPC C# v1.46.x

Sebas Mendez

Nov 22, 2023, 12:56:48 PM
to grpc.io
Hi gRPC Team!

I see the C# version in maintenance mode (v1.46.x) uses version 1.17.2, which is impacted by CVE-2022-4904 (fixed in version 1.19).
Are there plans to upgrade the version included in gRPC? Or is it not impacted by the c-ares vulnerability?

- sebas

veb...@google.com

Nov 27, 2023, 12:52:32 PM
to grpc.io
From https://github.com/c-ares/c-ares/issues/496, it looks like ares_set_sortlist used to have a security issue, but gRPC Core, which gRPC C# is using, doesn't call this function. Thus, gRPC is not affected by this issue.
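
Added example, not part of the thread and not gRPC project code: one way to check the "doesn't call this function" claim against your own source checkout is to scan for textual references to `ares_set_sortlist` outside the vendored c-ares copy. The directory layout, file names and the `find_call_sites` helper are assumptions made for illustration, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

SOURCE_EXTS = {".c", ".cc", ".cpp", ".h", ".hpp"}
# Block and line comments, so commented-out calls are not reported.
# Limitation: a "//" inside a string literal is treated as a comment too.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def find_call_sites(root, symbol, skip_dirs=()):
    """Return (relative path, line) for each `symbol(` outside skip_dirs.

    This is a textual scan: prototypes are reported as well (conservative),
    and calls made through function pointers or dlsym() are not seen.
    """
    call = re.compile(r"\b" + re.escape(symbol) + r"\s*\(")
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.suffix not in SOURCE_EXTS or not path.is_file():
            continue
        if any(part in skip_dirs for part in rel.parts):
            continue  # e.g. the vendored library that defines the function
        text = path.read_text(errors="replace")
        # Blank out comments but keep newlines so line numbers stay correct.
        text = COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)
        for m in call.finditer(text):
            hits.append((rel.as_posix(), text.count("\n", 0, m.start()) + 1))
    return hits

def build_sample_tree(root):
    """Constructed sample tree; paths and contents are illustrative only."""
    files = {
        "third_party/cares/sortlist_impl.c":
            "int ares_set_sortlist(ares_channel c, const char *s) { return 0; }\n",
        "src/resolver.cc":
            "// ares_set_sortlist(ch, list); unused\nint init() { return ares_init(&ch); }\n",
        "src/legacy.cc":
            "void f() {\n  /* old path */\n  ares_set_sortlist(ch, user_input);\n}\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        for path, line in find_call_sites(d, "ares_set_sortlist", {"cares"}):
            print(f"{path}:{line}: references ares_set_sortlist")
```

An empty result supports a "not reachable from our code" assessment for statically written calls only; any hit is a call site to review before relying on that assessment.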

John Wilson

Nov 27, 2023, 6:02:36 PM
to grpc.io