Please release upgrade /cmd/protoc-gen-go-grpc /go.mod to security fixed protobuf v1.33.0 #7092

Closed
edcrewe opened this issue Apr 4, 2024 · 5 comments
Labels
Type: Meta Github repo, process, etc


edcrewe commented Apr 4, 2024

Please upgrade go.mod

See https://github.com/grpc/grpc-go/blob/cmd/protoc-gen-go-grpc/v1.3.0/cmd/protoc-gen-go-grpc/go.mod
Security issue with

require google.golang.org/protobuf v1.28.1

google.golang.org/protobuf │ CVE-2024-24786 │ MEDIUM │ fixed │ v1.28.1 │ 1.33.0 │ golang-protobuf: encoding/protojson, internal/encoding/json: │
infinite loop in protojson.Unmarshal when unmarshaling certain forms of... https://avd.aquasec.com/nvd/cve-2024-24786

upgrade to

require google.golang.org/protobuf v1.33.0

(ideally upgrade to a more recent go version than 1.17 whilst you are at it!)

@edcrewe edcrewe changed the title Please upgrade to security fixed protobuf v1.33.0 (and ideally more recent go version) Please upgrade to security fixed protobuf v1.33.0 (plus more recent go version) Apr 4, 2024
@edcrewe edcrewe changed the title Please upgrade to security fixed protobuf v1.33.0 (plus more recent go version) Please upgrade /cmd/protoc-gen-go-grpc /go.mod to security fixed protobuf v1.33.0 Apr 4, 2024
@edcrewe edcrewe changed the title Please upgrade /cmd/protoc-gen-go-grpc /go.mod to security fixed protobuf v1.33.0 upgrade /cmd/protoc-gen-go-grpc /go.mod to security fixed protobuf v1.33.0 Apr 4, 2024
@edcrewe edcrewe changed the title upgrade /cmd/protoc-gen-go-grpc /go.mod to security fixed protobuf v1.33.0 Please release upgrade /cmd/protoc-gen-go-grpc /go.mod to security fixed protobuf v1.33.0 Apr 4, 2024
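
A minimal check for the condition reported in this issue, as an added example that is not part of the original thread or of the grpc-go project: it reads a go.mod and reports whether `google.golang.org/protobuf` is required below the fixed version v1.33.0 given in the scan output. The sample go.mod text and the function names are constructed for illustration, and pre-release suffixes are ignored in the comparison.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod carrying the require line quoted in the issue.
const sampleGoMod = "module example.com/tool\n\ngo 1.17\n\nrequire (\n\tgoogle.golang.org/protobuf v1.28.1\n)\n"

// parseVer reads "vMAJOR.MINOR.PATCH"; anything after PATCH is ignored (assumption).
func parseVer(v string) (out [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err
}

// requiredVersion returns the version go.mod requires for module, or "" if absent.
func requiredVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimPrefix(strings.TrimSpace(line), "require ")
		if f := strings.Fields(line); len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// needsUpgrade reports whether go.mod requires module at a version below fixed.
func needsUpgrade(gomod, module, fixed string) (bool, error) {
	have := requiredVersion(gomod, module)
	if have == "" {
		return false, nil // module is not listed in a require directive
	}
	h, errH := parseVer(have)
	f, errF := parseVer(fixed)
	if errH != nil || errF != nil {
		return false, fmt.Errorf("cannot compare %q with %q", have, fixed)
	}
	for i := range h {
		if h[i] != f[i] {
			return h[i] < f[i], nil
		}
	}
	return false, nil
}

func main() {
	bad, err := needsUpgrade(sampleGoMod, "google.golang.org/protobuf", "v1.33.0")
	fmt.Println("upgrade needed:", bad, err)
}
```
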
Author

edcrewe commented Apr 4, 2024

Sorry we realized you have already done this work, it is just waiting for a new release version for the changes at https://github.com/grpc/grpc-go/blob/master/cmd/protoc-gen-go-grpc/main.go

Member

dfawley commented Apr 4, 2024

I'd like to wait on #7057 before doing the next release if possible, which might be a couple weeks.

@rittneje

@dfawley @arvindbr8 Any chance we could get a new release now? We'd like to take advantage of #7243.

Member

dfawley commented May 23, 2024

Yes, this is on our radar, we will try to get it done this week or next.

@arvindbr8
Member

This should be fixed in this release: https://github.com/grpc/grpc-go/releases/tag/cmd%2Fprotoc-gen-go-grpc%2Fv1.4.0

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 2, 2024