@ejona86 ejona86 commented Jun 9, 2023

This updates the version of boringssl and removes the dependency on APR. netty-tcnative 2.0.56.Final uses APR 1.7.0, so is in scope for CVE-2021-35940, CVE-2022-28331, and CVE-2022-24963. netty-tcnative is not actually vulnerable. The binary does not include apr_socket_sendv(), apr_encode_*(), apr_pencode_*(), apr_decode_*(), apr_pdecode_*(). The binary does include apr_time_exp_*() but it is unused code. Unfortunately --gc-sections wasn't used during compilation. apr_time_now() is used, but that just calls gettimeofday() and is not vulnerable.

There's no panic here, but this updates netty-tcnative just a few weeks before we would have ordinarily done so. Bumping the version makes life easier for everyone.
I plan to backport this for 1.56.0, hence I updated SECURITY.md as I did. There is some risk here as the APR removal did introduce some bugs. But it seems to have already stabilized and testing didn't reveal any issues (version 2.0.57 on Feb 2nd was the first release to remove APR).

This updates the version of boringssl and removes the dependency on APR.
netty-tcnative 2.0.56.Final uses APR 1.7.0, so is in scope for
CVE-2021-35940, CVE-2022-28331, and CVE-2022-24963. netty-tcnative is
not actually vulnerable. The binary does not include apr_socket_sendv(),
apr_encode_*(), apr_pencode_*(), apr_decode_*(), apr_pdecode_*(). The
binary does include apr_time_exp_*() but it is unused code.
Unfortunately --gc-sections wasn't used during compilation.
apr_time_now() is used, but that just calls gettimeofday() and is not
vulnerable.

There's no panic here, but this updates netty-tcnative just a few weeks
before we would have ordinarily done so. Bumping the version makes life
easier for everyone.
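One way to reproduce the symbol check the description relies on, as an added example that is not code from the PR or from the netty project: pull the native library out of a netty-tcnative jar and list which of the APR functions named in the CVE triage it actually contains. The jar entry path and the file names are assumptions; the symbol patterns come from the description above.

```shell
#!/bin/sh
# Added example (not from the PR): which CVE-relevant APR symbols does a
# native library contain? Presence only shows the code was linked in, not
# that it is reachable; the PR notes apr_time_exp_*() is present but unused
# because the build did not use --gc-sections.

# Symbol names / prefixes named in the triage above.
APR_PATTERNS='apr_socket_sendv|apr_encode_|apr_pencode_|apr_decode_|apr_pdecode_|apr_time_exp_|apr_time_now'

# Extract the native library from a netty-tcnative jar into "$2".
# The entry path is an assumption; run `unzip -l` on your jar to confirm it.
extract_tcnative_so() {
  jar="$1"; out="$2"
  unzip -p "$jar" 'META-INF/native/libnetty_tcnative_linux_x86_64.so' > "$out"
}

# Print, one per line and deduplicated, the apr_* identifiers in the file
# that match APR_PATTERNS. grep -a scans binaries without needing binutils.
apr_symbols_in() {
  grep -a -o -E 'apr_[A-Za-z0-9_]+' "$1" | grep -E "^($APR_PATTERNS)" | sort -u
}

# Exit 0 when none of the patterns appear in the file, 1 otherwise.
triage() {
  found=$(apr_symbols_in "$1")
  if [ -z "$found" ]; then
    echo "no CVE-relevant APR symbols in $1"
    return 0
  fi
  echo "CVE-relevant APR symbols in $1:"
  echo "$found"
  return 1
}

# Usage: ./apr-triage.sh <native-library.so>
if [ "$#" -gt 0 ]; then
  triage "$1"
fi
```

A non-zero exit only means a named symbol is linked in; as the description explains, you still have to confirm whether the code is reachable.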
@ejona86 ejona86 added the TODO:backport PR needs to be backported. Removed after backport complete label Jun 9, 2023
@ejona86 ejona86 requested a review from sergiitk June 9, 2023 15:26

ejona86 commented Jun 12, 2023

@sergiitk, friendly ping

@ejona86 ejona86 merged commit 5754518 into grpc:master Jun 12, 2023
@ejona86 ejona86 deleted the netty-tcnative-2.0.61 branch June 12, 2023 18:01
@ejona86 ejona86 removed the TODO:backport PR needs to be backported. Removed after backport complete label Jun 12, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2023