github grpc/grpc-java v1.23.0


This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users running a grpc-netty server that accepts untrusted clients should upgrade.

Dependencies

  • Bump netty to 4.1.38
  • Bump PerfMark to 0.17.0
  • Bump protobuf to 3.9.0

Bug Fixes

  • netty: Limit the number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (SETTINGS flood). While grpc-java was not vulnerable to CVE-2019-9512 (PING flood) or CVE-2019-9514 (RESET flood), the fix provides protection against those attacks as well.
  • alts: Fix server hang (#5900)
  • context: Fix race between CancellableContext and Context (#5981)
  • stub: Avoid race in onHalfClose server StreamObserver (#5991)
  • core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801.
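
As an added illustration of the guard described in the CVE-2019-9515 fix above (this is not grpc-java's or Netty's code; the class and method names are hypothetical): a per-connection counter of control frames that the server has queued but not yet flushed. A client that triggers responses faster than it reads them pushes the counter past the cap and the connection is closed, while a client that drains normally is unaffected.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Model of a per-connection outbound control-frame cap (hypothetical, not a real API). */
public final class ControlFrameLimiter {
    enum Frame { SETTINGS_ACK, PING_ACK, RST_STREAM, DATA }

    private final int maxOutstanding;
    private int outstanding;                 // control frames queued, not yet written
    private boolean closed;
    private final Deque<Frame> writeQueue = new ArrayDeque<>();

    ControlFrameLimiter(int maxOutstanding) { this.maxOutstanding = maxOutstanding; }

    /** Called when the server decides to send a frame in response to client input. */
    boolean enqueue(Frame f) {
        if (closed) return false;
        writeQueue.add(f);
        if (f != Frame.DATA) {
            outstanding++;
            if (outstanding > maxOutstanding) {
                // Peer provokes replies faster than the socket drains them: treat as abuse.
                closed = true;
                writeQueue.clear();
                return false;
            }
        }
        return true;
    }

    /** Called when the transport actually writes up to 'budget' frames to the socket. */
    int flush(int budget) {
        int written = 0;
        while (written < budget && !writeQueue.isEmpty()) {
            if (writeQueue.poll() != Frame.DATA) outstanding--;
            written++;
        }
        return written;
    }

    boolean isClosed() { return closed; }

    public static void main(String[] args) {
        // Well-behaved client: each SETTINGS ACK is flushed as soon as it is queued.
        ControlFrameLimiter normal = new ControlFrameLimiter(100);
        for (int i = 0; i < 1000; i++) { normal.enqueue(Frame.SETTINGS_ACK); normal.flush(1); }
        System.out.println("normal client closed? " + normal.isClosed());   // false
        // Client that never reads: nothing drains, the counter hits the cap, connection closes.
        ControlFrameLimiter stalled = new ControlFrameLimiter(100);
        int accepted = 0;
        while (stalled.enqueue(Frame.SETTINGS_ACK)) accepted++;
        System.out.println("stalled client closed after " + accepted + " queued ACKs");  // 100
    }
}
```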

API Changes

  • core: Add @Nullable to getter for trailers on StatusRuntimeException (#5951)
  • core: ClientStream.getAttributes() can be called at any time (#5904)
  • core,netty: Block server shutdown until the socket is unbound (#5905)
  • netty: Users providing an EventLoopGroup and/or ChannelType to NettyServerBuilder or NettyChannelBuilder must provide all of them or none. Otherwise, an IllegalStateException is thrown (#6014)
  • stub,core: Avoid calling onReady for UNARY and SERVER_STREAMING calls, as a performance optimization. Users relying on onReady need to migrate. (Note: added on 2/3/20)

New Features

  • Make //compiler:grpc_java_plugin publicly visible again (#5947)
  • java_grpc_library.bzl: Work with proto_library rules using strip_import_prefix / import_prefix (#5959)
  • Make .proto import path computation work with virtual protos in the main repository (#5967)
  • core: Attach debug information about stream to DEADLINE_EXCEEDED (#5892)

Documentation

  • Provide a hedging example in examples
  • compiler: Add note about where to download precompiled version of plugin (#6022)

Acknowledgements

@aaliddell Adam Liddell
@DarrienG Darrien Glasser
@jadekler Jean de Klerk
@lberki Lukacs T. Berki
@liym stbridge
@mkobit Mike Kobit
@tiggerlee2 Shuangtai Li
@zhaonian Zhaonian Luan
