CVE-2024-47609

Publication date 1 October 2024

Last updated 3 October 2024

Ubuntu priority

Description

Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-tonic	25.10 questing	Needs evaluation
	25.04 plucky	Ignored end of life, was needs-triage
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-47609
https://github.com/hyperium/tonic/security/advisories/GHSA-4jwc-w2hc-78qv
https://github.com/hyperium/tonic/issues/1897
https://rustsec.org/advisories/RUSTSEC-2024-0376.html
https://github.com/hyperium/tonic/commit/a4472a86f3290e60c7c01348b7e6a8164d6e7e48