[CVE] CVE-2023-32731: Vulnerability in GRPC

[marcalff]

Per:

• GHSA-cfgp-2977-2fmm
• [http2] Dont drop connections on metadata limit exceeded grpc/grpc#32309
• https://nvd.nist.gov/vuln/detail/CVE-2023-32731
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32731

gRPC - protobuf < 1.53.0 is vulnerable.

In opentelemetry-cpp, this affects the OTLP GRPC exporter.

Upgrade the build to support gRPC protobuf >= 1.53.0

[esigo]

Do we need to remove C++11 earlier?

[marcalff]

I don't think we need to drop C++11, but at least we should document the risks with using the OTLP GRPC exporter.

Using different exporters should not expose the issue, so a C++11 build is still viable.

[marcalff]

Fixed indirectly in opentelemetry-cpp 1.11.0 by PR #2163

Now that building with a more recent (non vulnerable) gRPC library is possible, the issue is resolved.