CVE-2024-47609

NameCVE-2024-47609
DescriptionTonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-tonic (PTS)sid, trixie0.10.2+dfsg-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-tonicsource(unstable)(not affected)

Notes

- rust-tonic <not-affected> (Only affects 0.12.2)
https://github.com/hyperium/tonic/security/advisories/GHSA-4jwc-w2hc-78qv
https://github.com/hyperium/tonic/issues/1897
https://rustsec.org/advisories/RUSTSEC-2024-0376.html
Introduced in https://github.com/hyperium/tonic/commit/c3be20c86e1a6dfa3523b2d77e8c503d0f5b2ce3 (v0.12.2)
Fixed in https://github.com/hyperium/tonic/commit/a4472a86f3290e60c7c01348b7e6a8164d6e7e48 (v0.12.3)
Search for package or bug name: Reporting problems