gRPC Java v1.21.1 Released

Eric Anderson

Aug 14, 2019, 6:31:21 PM

gRPC Java 1.22.1 is released and available on Maven Central and JCenter.

https://github.com/grpc/grpc-java/releases/tag/v1.21.1

This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.

Bug fixes

  • netty: Limit number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (Settings flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) nor CVE-2019-9514 (Reset flood), the fix provides protections against these attacks as well.
  • bazel: fixed a regression in v1.21 where java_grpc_library ignored custom java toolchains (#5844)
  • bazel target //compiler:grpc_java_plugin is publicly visible again (#5953). The target wasn't publicly visible since v1.21.0. This target was used by rules_proto.
  • core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801.