This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.
Dependencies
- Bump netty to 4.1.38
- Bump PerfMark to 0.17.0
- Bump protobuf to 3.9.0
Bug Fixes
- netty: Limit the number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (SETTINGS flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) or CVE-2019-9514 (Reset flood), the fix provides protection against these attacks as well.
- alts: Fix server hang (#5900)
- context: Fix race between CancellableContext and Context (#5981)
- stub: Avoid race in onHalfClose server StreamObserver (#5991)
- core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801
API Changes
- core: Add @Nullable to getter for trailers on StatusRuntimeException (#5951)
- core: ClientStream.getAttributes() can be called at any time (#5904)
- core,netty: Block server shutdown until the socket is unbound (#5905)
- netty: Users providing an EventLoopGroup and/or ChannelType to NettyServerBuilder or NettyChannelBuilder are required to provide all of them or none. Otherwise, an IllegalStateException is thrown (#6014)
- stub,core: Avoid calling onReady if the call is UNARY or SERVER_STREAMING for performance optimization. Users relying on onReady need to migrate. (Note: ADDED on 2/3/20)
New Features
- Make //compiler:grpc_java_plugin publicly visible again (#5947)
- java_grpc_library.bzl: Work with proto_library rules using strip_import_prefix / import_prefix (#5959)
- Make .proto import path computation work with virtual protos in the main repository (#5967)
- core: Attach debug information about stream to DEADLINE_EXCEEDED (#5892)
Documentation
- Provide an example of hedging in examples
- compiler: Add note about where to download precompiled version of plugin (#6022)
Acknowledgements
@aaliddell Adam Liddell
@DarrienG Darrien Glasser
@jadekler Jean de Klerk
@lberki Lukacs T. Berki
@liym stbridge
@mkobit Mike Kobit
@tiggerlee2 Shuangtai Li
@zhaonian Zhaonian Luan