Affected versions - CVE-2023-32731


Josef Cacek

Aug 29, 2023, 11:28:25 AM
to grpc.io

Hi,

Could someone shed light on the affected versions for CVE-2023-32731?

If we use version 1.48.0 (grpc-java, and grpcio PIP module) are we affected? If so, what is the recommended version for upgrade? 1.55.0?


Thank you,


-- Josef Cacek

Eugene Ostroukhov

Aug 30, 2023, 1:15:16 PM
to grpc.io
This does not seem to apply to gRPC Java as that one is a separate codebase.

1.48 does not seem to have this specific vulnerability, but it is no longer maintained and will not receive fixes if any new issues are discovered. We would recommend that you switch to a more current gRPC version.

Josef Cacek

Aug 30, 2023, 2:48:15 PM
to grpc.io
Thank you for the reply, Eugene.
Is the response also valid for the Python grpcio module?
Regards,
-- Josef


Eugene Ostroukhov

Aug 30, 2023, 3:19:34 PM
to Josef Cacek, grpc.io
Yes. Python module calls into C code.
