OESA-2024-2064

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2064
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-2064.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-2064
Upstream
Published
2024-08-30T11:08:58Z
Modified
2025-08-12T05:48:05.283227Z
Summary
grpc security update
Details

gRPC is a modern open source high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed computing to connect devices, mobile applications and browsers to backend services.

Security Fix(es):

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.

This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.

Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.(CVE-2024-7246)

Database specific 
{
    "severity": "Medium"
}
References

Affected packages

openEuler:24.03-LTS / grpc

Package

Name
grpc
Purl
pkg:rpm/openEuler/grpc&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.60.0-4.oe2403

Ecosystem specific 

{
    "src": [
        "grpc-1.60.0-4.oe2403.src.rpm"
    ],
    "x86_64": [
        "grpc-1.60.0-4.oe2403.x86_64.rpm",
        "grpc-debuginfo-1.60.0-4.oe2403.x86_64.rpm",
        "grpc-debugsource-1.60.0-4.oe2403.x86_64.rpm",
        "grpc-devel-1.60.0-4.oe2403.x86_64.rpm",
        "grpc-plugins-1.60.0-4.oe2403.x86_64.rpm",
        "python3-grpcio-1.60.0-4.oe2403.x86_64.rpm"
    ],
    "aarch64": [
        "grpc-1.60.0-4.oe2403.aarch64.rpm",
        "grpc-debuginfo-1.60.0-4.oe2403.aarch64.rpm",
        "grpc-debugsource-1.60.0-4.oe2403.aarch64.rpm",
        "grpc-devel-1.60.0-4.oe2403.aarch64.rpm",
        "grpc-plugins-1.60.0-4.oe2403.aarch64.rpm",
        "python3-grpcio-1.60.0-4.oe2403.aarch64.rpm"
    ]
}