GRPC-Java v1.23.0 Released


Penn (Dapeng) Zhang

Aug 14, 2019, 2:32:12 PM
to grpc.io

This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.

The release is available on both JCenter and Maven Central.

Dependencies

  • Bump netty to 4.1.38
  • Bump PerfMark to 0.17.0
  • Bump protobuf to 3.9.0

Bug Fixes

  • netty: Limit number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (Settings flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) nor CVE-2019-9514 (Reset flood), the fix provides protections against these attacks as well
  • alts: Fix server hang (#5900)
  • context: Fix race between CancellableContext and Context (#5981)
  • stub: Avoid race in onHalfClose server StreamObserver (#5991)
  • core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801

API Changes

  • core: Add @Nullable to getter for trailers on StatusRuntimeException (#5951)
  • core: ClientStream.getAttributes() can be called at any time (#5904)
  • core,netty: Block server shutdown until the socket is unbound (#5905)
  • netty: Users providing EventLoopGroup and/or ChannelType for NettyServerBuilder and NettyChannelBuilder are required to provide all of them or none. Otherwise, it will throw an IllegalStateException (#6014)
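As an added illustration of the all-or-none rule above (this is example code, not part of the release or the grpc-java project), the server below supplies the boss group, worker group and channel type together; the class name, port and thread counts are assumed values:

```java
import io.grpc.Server;
import io.grpc.netty.NettyServerBuilder;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import java.io.IOException;

/** Hypothetical server that runs grpc-netty on caller-owned Netty transport objects. */
public final class CustomTransportServer {

  /**
   * Builds a server on the supplied event loop groups. Since grpc-java 1.23.0 (#6014)
   * bossEventLoopGroup, workerEventLoopGroup and channelType must be configured
   * together: setting only one or two of them makes the builder throw
   * IllegalStateException, while setting none of them uses the builder's own defaults.
   */
  static Server build(int port, EventLoopGroup boss, EventLoopGroup worker) {
    return NettyServerBuilder.forPort(port)
        .bossEventLoopGroup(boss)
        .workerEventLoopGroup(worker)
        .channelType(NioServerSocketChannel.class) // channel type must match the group type
        .build();
  }

  public static void main(String[] args) throws IOException, InterruptedException {
    int port = 50051; // constructed sample value
    // grpc-netty does not shut down groups it did not create; the caller owns their lifecycle.
    EventLoopGroup boss = new NioEventLoopGroup(1);
    EventLoopGroup worker = new NioEventLoopGroup();
    Server server = build(port, boss, worker);
    try {
      server.start();
      System.out.println("listening on " + port);
      server.awaitTermination();
    } finally {
      server.shutdownNow();
      boss.shutdownGracefully();
      worker.shutdownGracefully();
    }
  }
}
```

Dropping any one of the three setter calls reproduces the IllegalStateException the release note describes; dropping all three yields the default transport.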

New Features

  • Make //compiler:grpc_java_plugin publicly visible again (#5947)
  • java_grpc_library.bzl: Work with proto_library rules using strip_import_prefix / import_prefix (#5959)
  • Make .proto import path computation work with virtual protos in the main repository (#5967)
  • core: Attach debug information about stream to DEADLINE_EXCEEDED (#5892)

Documentation

  • Provide an example of hedging in examples
  • compiler: Add note about where to download precompiled version of plugin (#6022)

Acknowledgements

@aaliddell Adam Liddell
@DarrienG Darrien Glasser
@jadekler Jean de Klerk
@lberki Lukacs T. Berki
@liym stbridge
@mkobit Mike Kobit
@tiggerlee2 Shuangtai Li
@zhaonian Zhaonian Luan
