There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when received via HTTP/2:

  te: x                    (x != trailers)
  :scheme: x               (x != http, https)
  grpclb_client_stats: x   (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8, or to v1.53 and above.
Created flatbuffers tracking bugs for this issue:
Affects: fedora-all [bug 2214475]

Created grpc tracking bugs for this issue:
Affects: fedora-all [bug 2214474]
Affects: openstack-rdo [bug 2214476]
Initial analysis in https://bugzilla.redhat.com/show_bug.cgi?id=2214474#c2. TLDR: It doesn’t look like the fix can be reliably backported to the packaged version; updating to a new enough version in Rawhide will require protobuf to be updated to 4.x (22.x/23.x), which is desirable but will probably impact a lot of packages; and updating to a new enough version in F38/F37/EPEL9 will not be possible due to the protobuf 4.x requirement and because the update would be ABI- and API-incompatible. I’ve closed the flatbuffers bug because I verified that flatbuffers doesn’t bundle any of the grpc source files that were changed upstream to fix this issue. https://bugzilla.redhat.com/show_bug.cgi?id=2214475#c2
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:10761 https://access.redhat.com/errata/RHSA-2024:10761