Update dependency grpcio to v1.53.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
grpcio (source)	==1.51.1 -> ==1.53.2

GitHub Vulnerability Alerts

CVE-2023-32731

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/32309

CVE-2023-1428

There exists an vulnerability causing an abort() to be called in gRPC. 
The following headers cause gRPC's C++ implementation to abort() when called via http2:

te: x (x != trailers)

:scheme: x (x != http, https)

grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

CVE-2023-32732

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309.

CVE-2023-33953

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:

• Unbounded memory buffering in the HPACK parser
• Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

• The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
• HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
• gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…

---

Release Notes

grpc/grpc (grpcio)

v1.53.2

Compare Source

This is release gRPC Core 1.53.2 (glockenspiel).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

Core

• [backport][iomgr][EventEngine] Improve server handling of file descriptor exhaustion by @​drfloob in https://github.com/grpc/grpc/pull/33672

v1.53.1

Compare Source

This is release gRPC Core 1.53.1 (glockenspiel).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

• Fixed CVE-2023-32731
• Fixed CVE-2023-32732

v1.53.0

Compare Source

This is release 1.53.0 (glockenspiel) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

• xDS: fix crash when removing the last endpoint from the last locality in weighted_target. (#​32592)
• filter stack: pass peer name up via recv_initial_metadata batch. (#​31933)
• [EventEngine] Add advice against blocking work in callbacks. (#​32397)
• [http2] Dont drop connections on metadata limit exceeded. (#​32309)
• xDS: reject aggregate cluster with empty cluster list. (#​32238)
• Fix Python epoll1 Fork Support. (#​32196)
• server: introduce ServerMetricRecorder API and move per-call reporting from a C++ interceptor to a C-core filter. (#​32106)
• [EventEngine] Add invalid handle types to the public API. (#​32202)
• [EventEngine] Refactoring the EventEngine Test Suite: Part 1. (#​32127)
• xDS: fix WeightedClusters total weight handling. (#​32134)

C++

• Update minimum MSVC version to 2019. (#​32615)
• Use CMake variables for paths in pkg-config files. (#​31671)

C#

• Grpc.Tools: Use x86 protoc binaries on arm64 Windows. (#​32017)

Python

• Support python 3.11 on aarch64. (#​32270)
• Include .pyi file. (#​32268)
• De-experimentalize wait-for-ready. (#​32143)
• De-experimentalize compression. (#​32138)

Ruby

• [ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6. (#​32089)

v1.52.0

Compare Source

This is release 1.52.0 (gribkoff) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

• [༺ EventEngine ༻] Specify requirements for Run* immediate execution. (#​32028)
• Tracing: Add annotations for when call is removed from resolver result queue and lb pick queue. (#​31913)
• ring_hash LB: cap ring size to 4096 with channel arg to override. (#​31692)

C++

• Cmake add separate export for plugin targets. (#​31525)

C#

• Add internal documentation for Grpc.Tools MSBuild integration. (#​31784)

Python

• Change Aio abort() function return type to NoReturn. (#​31984)
• Change the annotated return type of UnaryStreamCall and StreamStreamCall from AsyncIterable to AsyncIterator. (#​31906)
• Build native MacOS arm64 artifacts (universal2). (#​31747)
• Respect CC variable in grpcio python build. (#​26480)
• Revert "Build with System OpenSSL on Mac OS arm64 (#​31096)". (#​31741)

Ruby

• Backport "[ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6 #​32089" to v1.52.x. (#​32157)
• remove some default allocators. (#​30434)
• Fix Ruby build errors in 3.2.0 on Apple M1. (#​31997)
• [Ruby] build: make exported symbol files platform-specific. (#​31970)

v1.51.3

Compare Source

This is release gRPC Core 1.51.3 (galaxy).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.

Python

• Backport of #​31747 to v1.51.x (Build native MacOS arm64 artifacts (universal2)) (#​32424)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Automatically marking pull request as stale due to lack of activity