
server: prohibit more than MaxConcurrentStreams handlers from running at once (#6703) #6708

Merged
merged 3 commits into from
Oct 10, 2023


dfawley
Member

@dfawley dfawley commented Oct 10, 2023

RELEASE NOTES:

  • server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487) -- in addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.
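
An added illustration of the application-side advice in the release note above; it is not part of this pull request or of grpc-go. It is a standard-library model, with the hypothetical names `work`, `handle` and `leftBehind` and a semaphore standing in for a server-side cap on running handlers, that counts how many per-RPC tasks are still running after every handler has returned.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// work is constructed stand-in processing; it stops early when ctx is cancelled.
func work(ctx context.Context, live *int64) {
	defer atomic.AddInt64(live, -1)
	select {
	case <-time.After(300 * time.Millisecond):
	case <-ctx.Done():
	}
}

// handle is a hypothetical method handler in its leaky and hardened forms.
func handle(ctx context.Context, live *int64, leaky bool, bg *sync.WaitGroup) {
	atomic.AddInt64(live, 1)
	if leaky { // returns at once; the task outlives the RPC and its context
		bg.Add(1)
		go func() { defer bg.Done(); work(context.Background(), live) }()
		return
	}
	work(ctx, live) // hardened: work follows ctx and ends before the return
}

// leftBehind runs rpcs handlers, at most limit at once, cancels each RPC like
// a reset stream, and counts tasks still running after all handlers returned.
func leftBehind(rpcs, limit int, leaky bool) int64 {
	sem, live := make(chan struct{}, limit), new(int64) // sem models a handler cap
	var handlers, bg sync.WaitGroup
	for i := 0; i < rpcs; i++ {
		sem <- struct{}{} // slot is held until the handler returns
		ctx, cancel := context.WithCancel(context.Background())
		handlers.Add(1)
		go func() { defer func() { <-sem; handlers.Done() }(); handle(ctx, live, leaky, &bg) }()
		cancel()
	}
	handlers.Wait()
	defer bg.Wait() // runs after the count below is taken; drains detached tasks
	return atomic.LoadInt64(live)
}

func main() {
	fmt.Println("leaky:", leftBehind(200, 4, true), "hardened:", leftBehind(200, 4, false))
}
```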

@dfawley dfawley added the Type: Security A bug or other problem affecting security label Oct 10, 2023
@dfawley dfawley requested a review from zasweq October 10, 2023 18:53
@zasweq zasweq modified the milestones: 1.55 Release, 1.56 Release Oct 10, 2023
Contributor

@zasweq zasweq left a comment


LGTM.

@zasweq zasweq merged commit 5efd7bd into grpc:v1.56.x Oct 10, 2023
9 of 10 checks passed
hugoghx added a commit to hashicorp/boundary that referenced this pull request Oct 17, 2023
gRPC v1.58.3 fixes a vulnerability in the HTTP stack where a malicious
HTTP/2 client which rapidly creates requests and immediately resets them
can cause excessive server resource consumption.

See grpc/grpc-go#6708 for more details.
@dfawley dfawley deleted the cp4 branch October 23, 2023 16:50
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2024