Important: gRPC-Go patch releases pushed today

[Easwar Swaminathan]

A bug in the gRPC-Go server was identified, which would allow clients to cause servers to allocate up to 16MB of memory per connection, which could cause the server to run out of memory and crash. The impact of this issue should be limited if you are already limiting the number of simultaneous connections on your server (for example with a netutil.LimitListener), which is typically recommended. The fix for this issue was made in PR #3018 and has been included in the following releases: v1.23.1 and v1.22.3. Please update your servers at the earliest.

[Doug Fawley]

I also wanted to send a special "thank you" to Michael Fink, Shiva Chetan Goudar, and Aaron Beitch at Arista Networks who discovered this issue and brought it to our attention.  It's efforts (and people) like these that make open source software and the internet more secure.

On Wed, Sep 11, 2019 at 3:34 PM 'Easwar Swaminathan' via grpc.io <grp...@googlegroups.com> wrote:

A bug in the gRPC-Go server was identified, which would allow clients to cause servers to allocate up to 16MB of memory per connection, which could cause the server to run out of memory and crash. The impact of this issue should be limited if you are already limiting the number of simultaneous connections on your server (for example with a netutil.LimitListener), which is typically recommended. The fix for this issue was made in PR #3018 and has been included in the following releases: v1.23.1 and v1.22.3. Please update your servers at the earliest.

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/69cf70b7-a9aa-45ee-80d4-25fc7a5f43ee%40googlegroups.com.