Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Rust crate tonic to 0.12.3 [SECURITY] - autoclosed #22

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Oct 2, 2024

This PR contains the following updates:

Package Type Update Change
tonic dependencies minor 0.4 -> 0.12.3

GitHub Vulnerability Alerts

CVE-2024-47609

Impact

note: this only affects v0.12.0 - v0.12.2

When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a tcp/tls stream. This can be triggered via causing the accept call to error out with errors there were not covered correctly causing the accept loop to exit.

More information can be found here

Patches

Upgrading to tonic 0.12.3 and above contains the fix.

Workarounds

A custom accept loop is a possible workaround.


Release Notes

hyperium/tonic (tonic)

v0.12.3

Compare Source

Features
  • server: Added support for grpc max_connection_age (#​1865)
  • build: Add #[deprecated] to deprecated client methods (#​1879)
  • build: plumb skip_debug through prost Builder and add test (#​1900)
Bug Fixes
  • build: Revert "fix tonic-build cargo build script outputs (#​1821)" which accidentally increases MSRV (#​1898)
  • server: ignore more error kinds in incoming socket stream (#​1885)
  • transport: do not shutdown server on broken connections (#​1948)

v0.12.2

Compare Source

Features
  • Move TimeoutExpired out of transport (#​1826)
  • Move ConnectError type from transport (#​1828)
  • channel: allow setting max_header_list_size (#​1835)
  • router: Add RoutesBuilder constructor (#​1855)
  • tls: Rename tls-roots feature with tls-native-roots (#​1860)
  • router: Rename Routes::into_router with into_axum_router (#​1862)
  • router: Implement from axum::Router for Routes (#​1863)
  • channel: Re-enable TLS based on Cargo features in generated clients (#​1866)
  • server: allow setting max_header_list_size (#​1870)
  • build: Expose formatted service name (#​1684)
  • reflection: add back support for v1alpha reflection protocol (#​1888)
Bug Fixes
  • router: Add missing unimplemented fallback to RoutesBuilder (#​1864)
  • server: Prevent server from exiting on ECONNABORTED (#​1874)
  • web: fix panic in trailer parsing on multiple trailers (#​1880)
  • web: fix empty trailer parsing causing infinite parser loop (#​1883)

v0.12.1

Compare Source

Bug Fixes
  • Reduce tokio-stream feature (#​1795)

v0.12.0

Compare Source

This breaking release updates tonic to the hyper 1.0 ecosystem and also updates
to prost v0.13.0.

Features
Bug Fixes
BREAKING CHANGES
  • tonic and crates updated to hyper 1.0 (#​1670)
  • tonic and crates updated to prost 0.13 (#​1779)
  • tonic_reflection::server is updated to use the generated
    tonic_reflection::pb::v1 code.
  • Make compression encoding configuration more malleable (#​1757)
  • Removed implicit configuration of client TLS roots setup (#​1731)

v0.11.0

Compare Source

BREAKING CHANGES:

  • Removed NamedService from the transport module, please import it via
    tonic::server::NamedService.
  • MSRV bumped to 1.70.
Features
  • Added zstd compression support.
  • Added connection timeout for connecto_with_connector_lazy.
  • Upgrade rustls to v0.22
  • Feature gate server implementation for tonic-reflection.

v0.10.2

Compare Source

Bug Fixes

v0.10.1

Compare Source

Bug Fixes

v0.10.0

Compare Source

Bug Fixes
Features

0.9.2 (2023-04-17)

0.9.1 (2023-04-03)

v0.9.2

Compare Source

v0.9.1

Compare Source

v0.9.0

Compare Source

Bug Fixes
Features

0.8.4 (2022-11-29)

Bug Fixes

0.8.3 (2022-11-28)

Bug Fixes
Features

0.8.2 (2022-09-28)

Bug Fixes
Features

v0.8.3

Compare Source

Bug Fixes
Features

v0.8.2

Compare Source

Bug Fixes
Features

v0.8.1

Compare Source

v0.8.0

Compare Source

Features
BREAKING CHANGES
  • build: CODEC_PATH moved from const to fn

0.7.2 (2022-05-05)

Bug Fixes
Features

0.7.1 (2022-04-04)

Features

v0.7.2

Compare Source

Bug Fixes
Features

v0.7.1

Compare Source

Features

v0.7.0

Compare Source

Bug Fixes
Features

0.6.2 (2021-12-08)

Bug Fixes

0.6.1 (2021-10-27)

Bug Fixes

v0.6.2

Compare Source

Bug Fixes

v0.6.1

Compare Source

Bug Fixes

v0.6.0

Compare Source

Bug Fixes
Features

0.5.2 (2021-08-10)

0.5.1 (2021-08-09)

Bug Fixes
  • build: allow services to be named Service (#​709) (380d81d)
  • build: remove unnecessary Debug constraint for client streams (#​719) (167e8cb)
Features

v0.5.2

Compare Source

v0.5.1

Compare Source

Bug Fixes
  • build: allow services to be named Service (#​709) (380d81d)
  • build: remove unnecessary Debug constraint for client streams (#​719) (167e8cb)
Features

v0.5.0

Compare Source

Bug Fixes
Features

0.4.3 (2021-04-29)

Features

0.4.2 (2021-04-13)

Bug Fixes
Features
Reverts

0.4.1 (2021-03-16)

Bug Fixes
Features

v0.4.3

Compare Source

Features

v0.4.2

Compare Source

Bug Fixes
Features
Reverts

v0.4.1

Compare Source

Bug Fixes
Features

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the B-renovate Bot: renovate label Oct 2, 2024
@renovate renovate bot changed the title Update Rust crate tonic to 0.12.3 [SECURITY] Update Rust crate tonic to 0.12.3 [SECURITY] - autoclosed Oct 2, 2024
@renovate renovate bot closed this Oct 2, 2024
@renovate renovate bot deleted the renovate/crate-tonic-vulnerability branch October 2, 2024 18:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
B-renovate Bot: renovate
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants