gRPC v1.23.0 Release Notes
Release Date: 2019-08-14
This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.
Dependencies
- Bump netty to 4.1.38
- Bump PerfMark to 0.17.0
- Bump protobuf to 3.9.0
Bug Fixes
- netty: Limit the number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (SETTINGS flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) or CVE-2019-9514 (Reset flood), the fix provides protection against these attacks as well.
- alts: Fix server hang (#5900)
- context: Fix race between CancellableContext and Context (#5981)
- stub: Avoid race in onHalfClose server StreamObserver (#5991)
- core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801
API Changes
- core: Add @Nullable to getter for trailers on StatusRuntimeException (#5951)
- core: ClientStream.getAttributes() can be called at any time (#5904)
- core,netty: Block server shutdown until the socket is unbound (#5905)
- netty: Users providing EventLoopGroup and/or ChannelType for NettyServerBuilder and NettyChannelBuilder are required to provide all of them or none. Otherwise, an IllegalStateException is thrown (#6014)
New Features
- Make //compiler:grpc_java_plugin publicly visible again (#5947)
- java_grpc_library.bzl: Work with proto_library rules using strip_import_prefix / import_prefix (#5959)
- Make .proto import path computation work with virtual protos in the main repository (#5967)
- core: Attach debug information about stream to DEADLINE_EXCEEDED (#5892)
Documentation
- Provide an example of hedging in examples
- compiler: Add note about where to download precompiled version of plugin (#6022)
Acknowledgements
@aaliddell Adam Liddell
@DarrienG Darrien Glasser
@jadekler Jean de Klerk
@lberki Lukacs T. Berki
@liym stbridge
@mkobit Mike Kobit
@tiggerlee2 Shuangtai Li
@zhaonian Zhaonian Luan