Subject: [grpc-io] HTTP/2 Security Vulnerabilities


Eight new DoS vulnerabilities in HTTP/2 implementations were disclosed
today, as detailed by CERT Vulnerability Note VU#605641
<https://kb.cert.org/vuls/id/605641/>.  gRPC implementations were
potentially impacted by the following: CVE-2019-9512 (Ping Flood),
CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood).

The following versions of gRPC contain fixes to these CVEs:

   - gRPC-Go: 1.23.0, 1.22.2, 1.21.3
      - Original fix: grpc/grpc-go#2970
      <https://github.com/grpc/grpc-go/pull/2970>
   - gRPC-Java: 1.23.0, 1.22.2, 1.21.1
      - (These releases are currently available but may not be indexed on
      search.maven.org.)
      - Original fix: grpc/grpc-java#6056
      <https://github.com/grpc/grpc-java/pull/6056>
   - gRPC-C and wrapped languages: 1.23.0, 1.22.1
      - (Releases currently in progress.)
      - Original fix: grpc/grpc#19924
      <https://github.com/grpc/grpc/pull/19924>

We recommend updating to one of these releases as soon as possible.
