Source: grpc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for grpc.

CVE-2024-7246[0]:
| It's possible for a gRPC client communicating with an HTTP/2 proxy to
| poison the HPACK table between the proxy and the backend such that
| other clients see failed requests. It's also possible to use this
| vulnerability to leak other clients' HTTP header keys, but not
| values. This occurs because the error status for a misencoded
| header is not cleared between header reads, resulting in subsequent
| (incrementally indexed) added headers in the first request being
| poisoned until cleared from the HPACK table. Please update to a
| fixed version of gRPC as soon as possible. This bug has been fixed
| in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

https://github.com/grpc/grpc/issues/36245

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7246
    https://www.cve.org/CVERecord?id=CVE-2024-7246

Please adjust the affected versions in the BTS as needed.
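The advisory's cause ("the error status for a misencoded header is not cleared between header reads") is a general bug class: decoder state that survives one header read and is copied into a dynamic table shared by several clients. The following is an added toy model written for this report, not gRPC's HPACK decoder and not code from the grpc project. It assumes a simplified tuple encoding for header fields, a dynamic table that is shared across clients on one proxy-to-backend connection, and a decoder that records a status string per field; the two constructed requests (client A with one misencoded field, client B with a well-formed block that only references table entries) show how client B's request fails when the status is not cleared, and succeeds once it is.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Toy model of the bug class described in the advisory (added example; this is
# not gRPC's HPACK decoder). Header fields in a block are simple tuples:
#   ("bad", raw)                      a misencoded field that fails to decode
#   ("literal", name, value)          decoded, not stored
#   ("literal_indexed", name, value)  decoded and added to the dynamic table
#   ("indexed", n)                    reference to dynamic-table entry n (1 = newest)


@dataclass
class Entry:
    name: str
    value: str
    error: Optional[str] = None   # decoder status captured when the entry was inserted


@dataclass
class DynamicTable:
    """One table per proxy->backend connection, so every client's headers land in it."""
    entries: List[Entry] = field(default_factory=list)
    max_entries: int = 8

    def add(self, entry: Entry) -> None:
        self.entries.insert(0, entry)          # newest entry takes index 1, as in HPACK
        del self.entries[self.max_entries:]    # evict the oldest entries when full

    def get(self, index: int) -> Entry:
        return self.entries[index - 1]


def decode_block(block, table: DynamicTable,
                 clear_status_per_field: bool) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Decode one request's header block against `table`.

    Returns (decoded headers, failure reason or None). With clear_status_per_field=False
    the decoder keeps the status of a misencoded field across the fields that follow it,
    which is the defect the advisory describes; with True every field starts clean.
    """
    status: Optional[str] = None
    failure: Optional[str] = None
    out: List[Tuple[str, str]] = []
    for f in block:
        if clear_status_per_field:
            status = None                      # the fix: reset before each header read
        kind = f[0]
        if kind == "bad":
            status = failure = "misencoded header field"
        elif kind == "indexed":
            entry = table.get(f[1])
            if entry.error is not None:
                # This request's own bytes are fine, but it references an entry that was
                # inserted while the status was still set. The reason names the entry:
                # in this model that is how a header key (not its value) becomes visible
                # to a different client (assumption; the real error path is not modelled).
                failure = f"entry {f[1]} ({entry.name}) is poisoned: {entry.error}"
                break
            out.append((entry.name, entry.value))
        else:
            name, value = f[1], f[2]
            out.append((name, value))
            if kind == "literal_indexed":
                # Whatever `status` holds at this point is stored with the entry.
                table.add(Entry(name, value, error=status))
    return out, failure


def simulate(clear_status_per_field: bool):
    """Two clients behind one proxy share the dynamic table to the backend."""
    table = DynamicTable()
    # Constructed request from client A: one misencoded field, then two ordinary
    # incrementally indexed headers.
    req_a = [("bad", b"\xff"),
             ("literal_indexed", "x-tenant", "client-a"),
             ("literal_indexed", "content-type", "application/grpc")]
    # Constructed request from client B: well-formed, only reuses table entries.
    req_b = [("indexed", 1), ("indexed", 2)]
    result_a = decode_block(req_a, table, clear_status_per_field)
    result_b = decode_block(req_b, table, clear_status_per_field)
    return result_a, result_b


if __name__ == "__main__":
    for clear in (False, True):
        a, b = simulate(clear)
        print(f"clear_status_per_field={clear}: client A -> {a[1]!r}, client B -> {b[1]!r}")
```

Run as a script, the unfixed decoder reports a failure for client B although client B sent nothing wrong, while the fixed decoder fails only client A's own request. The point for a reviewer of a decoder is that any per-field status must have a lifetime no longer than the field it belongs to, and nothing derived from it may be written into state that outlives the request.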