Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

transport: block reading frames when too many transport control frames are queued #2970

Merged
merged 1 commit into from
Aug 13, 2019

Conversation

dfawley
Copy link
Member

@dfawley dfawley commented Aug 13, 2019

Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

@dfawley dfawley added this to the 1.23 Release milestone Aug 13, 2019
@dfawley dfawley requested a review from menghanl August 13, 2019 17:16
@dfawley dfawley added the Type: Security A bug or other problem affecting security label Aug 13, 2019
@dfawley dfawley merged commit ee21c92 into grpc:master Aug 13, 2019
@dfawley dfawley deleted the pwh2v branch August 13, 2019 17:52
dfawley added a commit that referenced this pull request Aug 13, 2019
…s are queued (#2970)

Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).
dfawley added a commit that referenced this pull request Aug 13, 2019
…s are queued (#2970)

Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).
thaJeztah added a commit to thaJeztah/containerd that referenced this pull request Aug 26, 2019
full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

- transport: block reading frames when too many transport control frames are queued (grpc/grpc-go#2970)
  - Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@aaronbee
Copy link

Does this change alone fully fix the CVEs for the gRPC server or is the x/net/http2 change also required? golang/go#33606

@dfawley
Copy link
Member Author

dfawley commented Aug 27, 2019

@aaronbee if you are using a net/http.Server to serve gRPC (via gRPC's ServeHTTP method) -- this is not recommended -- then you will need to make sure you are using a patched version of that server. Otherwise, we only use standard library / x code for framing, and are not exposed to any vulnerabilities in their server.

thaJeztah added a commit to thaJeztah/docker that referenced this pull request Aug 28, 2019
full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

- transport: block reading frames when too many transport control frames are queued (grpc/grpc-go#2970)
  - Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Sep 3, 2019
full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

- transport: block reading frames when too many transport control frames are queued (grpc/grpc-go#2970)
  - Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: f1cd79976a9acabbafd8a053f1bcb4581e43b7a8
Component: engine
thaJeztah added a commit to thaJeztah/docker that referenced this pull request Sep 12, 2019
full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

- transport: block reading frames when too many transport control frames are queued (grpc/grpc-go#2970)
  - Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit f1cd799)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Sep 23, 2019
full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

- transport: block reading frames when too many transport control frames are queued (grpc/grpc-go#2970)
  - Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit f1cd79976a9acabbafd8a053f1bcb4581e43b7a8)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 5772636dc6526cb00085e2b61c3c71117940d83c
Component: engine
burnMyDread pushed a commit to burnMyDread/moby that referenced this pull request Oct 21, 2019
full diff: grpc/grpc-go@v1.20.1...v1.23.0

This update contains security fixes:

- transport: block reading frames when too many transport control frames are queued (grpc/grpc-go#2970)
  - Addresses CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood).

Other changes can be found in the release notes:
https://github.com/grpc/grpc-go/releases/tag/v1.23.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: zach <[email protected]>
@lock lock bot locked as resolved and limited conversation to collaborators Feb 23, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
P0 Type: Security A bug or other problem affecting security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants