beyla
fix(deps): update module google.golang.org/grpc [security]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| google.golang.org/grpc | v1.64.0 -> v1.64.1 | | |
| google.golang.org/grpc | v1.40.1 -> v1.56.3 | | |
| google.golang.org/grpc | v1.55.0 -> v1.56.3 | | |
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go
GHSA-xr7q-jx4m-x55m / GO-2024-2978
Details
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
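As an added example (not code from the advisory or from grpc-go), the Go program below shows why printing a context leaks metadata only when the metadata type carries a String method, which is what the 1.64.1 fix removes, and a redaction helper for the workaround above. mdKey, leakyMD, plainMD, sensitiveKeys and redact are assumptions made for the illustration; grpc-go is not imported.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// mdKey stands in for the private context key under which a gRPC library
// stores incoming metadata (assumption: this example does not import grpc-go).
type mdKey struct{}

// leakyMD models a metadata type that has a String method. context's
// valueCtx.String() calls String() on stringer values, so printing the
// context with %v dumps every header, Authorization included.
type leakyMD map[string][]string
func (m leakyMD) String() string { return fmt.Sprint(map[string][]string(m)) }

// plainMD has no String method: printing the context shows only its type name.
type plainMD map[string][]string

// contextDump returns the text a log line would carry if a handler logged
// its context with fmt.Sprint or %v while val is stored under mdKey.
func contextDump(val any) string {
	ctx := context.WithValue(context.Background(), mdKey{}, val)
	return fmt.Sprint(ctx)
}
// sensitiveKeys are metadata keys that must never reach logs (constructed list).
var sensitiveKeys = map[string]bool{"authorization": true, "cookie": true, "x-api-key": true}

// redact returns a copy of md suitable for logging: values under sensitive
// keys are masked and the input is left untouched. Log this, never the context.
func redact(md map[string][]string) map[string][]string {
	out := make(map[string][]string, len(md))
	for k, vals := range md {
		if sensitiveKeys[strings.ToLower(k)] {
			out[k] = []string{"[REDACTED]"}
			continue
		}
		out[k] = append([]string(nil), vals...)
	}
	return out
}

func main() {
	// Constructed sample metadata carrying a bearer token.
	h := map[string][]string{"authorization": {"Bearer sample-secret-token"}}
	fmt.Println("leaky:", contextDump(leakyMD(h)))
	fmt.Println("plain:", contextDump(plainMD(h)))
	fmt.Println("safe: ", redact(h))
}
```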
Severity
Low
References
- https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m
- https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb
- https://github.com/grpc/grpc-go
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Private tokens could appear in logs if context containing gRPC metadata is logged in google.golang.org/grpc
GHSA-xr7q-jx4m-x55m / GO-2024-2978
Details
If applications print or log a context containing gRPC metadata, the output will contain all the metadata, which may include private information. This represents a potential PII concern.
Severity
Unknown
References
- https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m
- https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
gRPC-Go HTTP/2 Rapid Reset vulnerability
BIT-apisix-2023-44487 / BIT-aspnet-core-2023-44487 / BIT-contour-2023-44487 / BIT-dotnet-2023-44487 / BIT-dotnet-sdk-2023-44487 / BIT-envoy-2023-44487 / BIT-golang-2023-44487 / BIT-jenkins-2023-44487 / BIT-kong-2023-44487 / BIT-nginx-2023-44487 / BIT-nginx-ingress-controller-2023-44487 / BIT-node-2023-44487 / BIT-node-min-2023-44487 / BIT-solr-2023-44487 / BIT-tomcat-2023-44487 / BIT-varnish-2023-44487 / CGA-4mmr-qwxr-f88g / CGA-5jp5-95p2-jw83 / CGA-5v4r-558c-254r / CGA-9w4r-68hh-64j5 / CGA-m49h-wjp5-j434 / CGA-mp43-q6p3-96v2 / CVE-2023-44487 / GHSA-m425-mq94-257g / GHSA-qppj-fm5r-hxr3 / GO-2023-2153
Details
Impact
In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.
Patches
This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.
Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.
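An added model (not grpc-go's code) of the logic in the Impact and Patches sections: a limit counted on open streams is bypassed by open/reset pairs, while a limit counted on running handlers holds. The conn type, its fields and rapidReset are assumptions, and refusing a stream at the limit is a simplification of what the real server does.

```go
package main

import "fmt"

// conn models the server side of one HTTP/2 connection. Added illustration of
// the advisory's logic, not grpc-go code: the real server tracks streams in its
// transport and runs handlers in goroutines; here a stream at the limit is refused.
type conn struct {
	maxStreams      int  // configured grpc.MaxConcurrentStreams
	openStreams     int  // streams the transport still considers open
	runningHandlers int  // method handlers that have not returned yet
	peakHandlers    int  // highest runningHandlers observed
	limitHandlers   bool // false: pre-patch, the limit counts open streams
}

// openStream handles a HEADERS frame and launches the method handler; it
// returns false when the connection is at its limit.
func (c *conn) openStream() bool {
	counted := c.openStreams
	if c.limitHandlers {
		counted = c.runningHandlers
	}
	if counted >= c.maxStreams {
		return false
	}
	c.openStreams++
	c.runningHandlers++
	if c.runningHandlers > c.peakHandlers {
		c.peakHandlers = c.runningHandlers
	}
	return true
}

// resetStream handles RST_STREAM: the stream closes, the handler keeps running.
func (c *conn) resetStream() { c.openStreams-- }

// rapidReset sends n open/reset pairs while no handler finishes (all blocked
// on a slow backend, say) and returns how many handlers ran at once.
func rapidReset(maxStreams, n int, limitHandlers bool) int {
	c := &conn{maxStreams: maxStreams, limitHandlers: limitHandlers}
	for i := 0; i < n; i++ {
		if c.openStream() {
			c.resetStream()
		}
	}
	return c.peakHandlers
}
func main() {
	fmt.Println("stream-counted limit, peak handlers:", rapidReset(10, 100, false))
	fmt.Println("handler-counted limit, peak handlers:", rapidReset(10, 100, true))
}
```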
Workarounds
None.
References
#6703
Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
- https://github.com/grpc/grpc-go/security/advisories/GHSA-m425-mq94-257g
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721
- https://github.com/grpc/grpc-go
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
Details
An attacker can send HTTP/2 requests, cancel them, and send subsequent requests. This is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit, grpc.MaxConcurrentStreams. This results in a denial of service due to resource consumption.
Severity
Unknown
References
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
GitHub Vulnerability Alerts
GHSA-m425-mq94-257g
Release Notes
grpc/grpc-go (google.golang.org/grpc)
v1.64.1: Release 1.64.1
Dependencies
- Update x/net/http2 to address CVE-2023-45288 (#7352)
- metadata: remove String method from MD to make printing consistent (#7374)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: internal/test/integration/components/testserver_1.17/go.sum
Command failed: go mod tidy
```text
go: downloading github.com/stretchr/testify v1.8.3
go: downloading github.com/go-playground/assert/v2 v2.2.0
go: downloading gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
go: downloading google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130
go: downloading github.com/ugorji/go v1.1.7
go: github.com/grafana/beyla/v2/testserver_1.17 imports
	github.com/gin-gonic/gin imports
	github.com/gin-gonic/gin/binding imports
	gopkg.in/yaml.v2 tested by
	gopkg.in/yaml.v2.test imports
	gopkg.in/check.v1 loaded from gopkg.in/[email protected],
	but go 1.16 would select v1.0.0-20201130134442-10cb98267c6c

To upgrade to the versions selected by go 1.16:
	go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
	go mod tidy -compat=1.17
For information about 'go mod tidy' compatibility, see:
	https://go.dev/ref/mod#graph-pruning
go: github.com/grafana/beyla/v2/testserver_1.17 imports
	github.com/gin-gonic/gin imports
	github.com/gin-gonic/gin/binding imports
	gopkg.in/yaml.v2 tested by
	gopkg.in/yaml.v2.test imports
	gopkg.in/check.v1 loaded from gopkg.in/[email protected],
	but go 1.16 would select v1.0.0-20201130134442-10cb98267c6c
```
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 49.78%. Comparing base (6036ee3) to head (cccc678).
Additional details and impacted files
```text
@@           Coverage Diff           @@
##             main    #2296   +/-   ##
=======================================
  Coverage   49.78%   49.78%
=======================================
  Files          38       38
  Lines        2971     2971
=======================================
  Hits         1479     1479
  Misses       1343     1343
  Partials      149      149
```
| Flag | Coverage Δ | |
|---|---|---|
| integration-test | 16.79% <ø> (ø) | |
| integration-test-vm-${ARCH}-${KERNEL_VERSION} | 0.00% <ø> (ø) | |
| k8s-integration-test | 2.62% <ø> (ø) | |
| oats-test | 0.00% <ø> (ø) | |
| unittests | 43.25% <ø> (ø) | |