CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. It's not quite explicit but this appears to be fixed in 3.5.10 according to the changelog, by upgrading grpc-go: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3510-2023-10-27 Please bump to 3.5.10.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b760fba58a93c17e3eee678f2c5d961c08671772 commit b760fba58a93c17e3eee678f2c5d961c08671772 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2023-11-25 06:54:26 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2023-11-25 06:55:21 +0000 dev-db/etcd: add 3.4.28 Bug: https://bugs.gentoo.org/918419 Signed-off-by: Zac Medico <zmedico@gentoo.org> dev-db/etcd/Manifest | 2 ++ dev-db/etcd/etcd-3.4.28.ebuild | 79 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+)
I'm having some difficulty with a network-sandbox violation for 3.5.10, but 3.4.28 has the grpc 1.58.3 upgrade which was backported in https://github.com/etcd-io/etcd/pull/16999.
Indeed, thanks! Please stabilize when ready.
