gRPC Java v1.22.2 Released

15 views
Skip to first unread message

Eric Anderson

unread,
Aug 15, 2019, 11:57:27 AM8/15/19
to

gRPC Java 1.22.2 is released and available on Maven Central and JCenter.

https://github.com/grpc/grpc-java/releases/tag/v1.22.2

This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.

Bug fixes

  • netty: Limit number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (Settings flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) nor CVE-2019-9514 (Reset flood), the fix provides protections against these attacks as well
  • core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801
Reply all
Reply to author
Forward
0 new messages