Conversation

@dfawley dfawley (Member) commented Oct 10, 2023

RELEASE NOTES:

  • server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487) -- in addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.
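An added illustration of the mechanism the release note describes, not grpc-go's own code: a handler quota built as a channel semaphore, run against a constructed workload to show that the number of handlers in flight never exceeds the limit (HandlerQuota and RunStreams are hypothetical names).

```go
package main

import (
	"context"
	"sync"
	"sync/atomic"
	"time"
)

// HandlerQuota is a counting semaphore: one channel slot per handler allowed
// to run at once. A slot is taken before a handler goroutine starts and given
// back only when the handler returns, not when the client resets the stream.
type HandlerQuota chan struct{}

// Acquire blocks for a free slot; if ctx is done first (e.g. the stream was reset), no handler starts.
func (q HandlerQuota) Acquire(ctx context.Context) error {
	select {
	case q <- struct{}{}:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// Release returns a slot; call it exactly once per successful Acquire.
func (q HandlerQuota) Release() { <-q }

// RunStreams runs n simulated handlers (each sleeping for work) under a quota
// of limit and returns the peak number of slots held at once (constructed workload).
func RunStreams(n, limit int, work time.Duration) int {
	q := make(HandlerQuota, limit)
	var peak atomic.Int32
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if q.Acquire(context.Background()) != nil {
				return
			}
			defer q.Release()
			cur := int32(len(q)) // slots held right now, never above limit
			for p := peak.Load(); cur > p && !peak.CompareAndSwap(p, cur); p = peak.Load() {
			}
			time.Sleep(work)
		}()
	}
	wg.Wait()
	return int(peak.Load())
}
```

Because a slot is only returned when the handler itself returns, any work the handler leaves running in the background is invisible to the quota, which is why the note asks applications to bound such work themselves.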

@dfawley dfawley added the Type: Security A bug or other problem affecting security label Oct 10, 2023
@dfawley dfawley requested a review from zasweq October 10, 2023 18:53
@zasweq zasweq modified the milestones: 1.55 Release, 1.56 Release Oct 10, 2023
@zasweq zasweq (Contributor) left a comment

LGTM.

@zasweq zasweq merged commit 5efd7bd into grpc:v1.56.x Oct 10, 2023
hugoghx added a commit to hashicorp/boundary that referenced this pull request Oct 17, 2023
gRPC v1.58.3 fixes a vulnerability in the HTTP stack where a malicious
HTTP/2 client which rapidly creates requests and immediately resets them
can cause excessive server resource consumption.

See grpc/grpc-go#6708 for more details.
@dfawley dfawley deleted the cp4 branch October 23, 2023 16:50
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2024