c-ares and CVE-2022-4904 in gRPC C# v1.46.x
63 views
Skip to first unread message
Sebas Mendez
Nov 22, 2023, 12:56:48 PM11/22/23
to grpc.io
Hi gRPC Team!
I see the C# version in maintenance mode (v1.46.x) uses version 1.17.2, which is impacted by CVE-2022-4904 (fixed in version 1.19).
Are there plans to upgrade the version included in gRPC? Or is it not impacted by the c-ares vulnerability?
- sebas
veb...@google.com
Nov 27, 2023, 12:52:32 PM11/27/23
to grpc.io
From https://github.com/c-ares/c-ares/issues/496, it looks like ares_set_sortlist used to have a security issue but gRPC Core which gRPC C# is using doesn't call this function. Thus, gRPC is not affected by this issue.
John Wilson
Nov 27, 2023, 6:02:36 PM11/27/23
to grpc.io
John Wilson
Nov 27, 2023, 6:02:36 PM11/27/23
to grpc.io
Reply all
Reply to author
Forward
0 new messages