This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.
Bug fixes
- netty: Limit number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (Settings flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) nor CVE-2019-9514 (Reset flood), the fix provides protections against these attacks as well
- bazel: fixed a regression in v1.21 where java_grpc_library ignored custom java toolchains (#5844)
- bazel target //compiler:grpc_java_plugin is publicly visible again (#5953). The target wasn't publicly visible since v1.21.0. This target was used by rules_proto.
- core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801