From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at
	Cisco)" <adongare@cisco.com>
Cc: meta-virtualization@lists.yoctoproject.org, vchavda@cisco.com
Subject: Re: [meta-virtualization] [master] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246
Date: Wed, 3 Sep 2025 21:41:00 -0400	[thread overview]
Message-ID: <aLjuLJii7LPeOuoK@gmail.com> (raw)
In-Reply-To: <20250829052335.2162583-1-adongare@cisco.com>

merged to master-next

Bruce

In message: [meta-virtualization] [master] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246
on 28/08/2025 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:

> From: Anil Dongare <adongare@cisco.com>
> 
> Upstream Repository: https://github.com/grpc/grpc-go
> 
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246
> Type: Security Fix
> CVE: CVE-2024-7246
> Score: 6.3 (Medium)
> Patch: https://github.com/grpc/grpc/issues/36245
> 
> Analysis:
> - CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning
>   issue found in the gRPC C-core implementation (grpc/grpc).
> - The vulnerability does not apply to the pure Go implementation
>   (grpc-go) used in Yocto (meta-virtualization layer).
> - Marking as not-applicable-config (implementation difference).
> - The affected code path is not present in grpc-go. Hence the
>   CVE is ignored for grpc-go.
> 
> Reference:
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246
> [2] https://github.com/grpc/grpc/issues/36245
> [3] Upstream gRPC release notes confirming fixed versions for gRPC
>     C-core (not grpc-go).
> 
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
>  recipes-devtools/go/grpc-go_git.bb | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
> index 839a4f9c..c2990869 100644
> --- a/recipes-devtools/go/grpc-go_git.bb
> +++ b/recipes-devtools/go/grpc-go_git.bb
> @@ -41,3 +41,8 @@ FILES:${PN} += " \
>  # some CVEs are reported with "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*"
>  # it's better to have false positives than false negatives
>  CVE_PRODUCT += "grpc"
> +# CVE-2024-7246 is an HTTP/2 HPACK poisoning issue in gRPC C-core
> +# (C/C++ implementation, meta-openembedded).
> +# grpc-go (Go implementation in meta-virtualization) does not
> +# contain the affected HPACK code path.
> +CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
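
Review bot: the rationale on the new `CVE_STATUS[CVE-2024-7246]` line ("CVE is for grpc (C-core), not grpc-go.") describes a product/CPE mismatch, not a configuration this build leaves disabled, so `cpe-incorrect` matches the documented meaning of the cve-check status categories better than `not-applicable-config`, which is meant for CVEs that only affect a configuration (e.g. a PACKAGECONFIG option) the recipe does not build. The match only exists because the recipe itself opts into the grpc:grpc CPE via `CVE_PRODUCT += "grpc"` three lines up, accepting false positives; `cpe-incorrect` records exactly that triage decision. Either category maps to "Ignored" in the report, so the build outcome is the same, but it would also help to extend the comment block to say that every future grpc:grpc CVE reported against this recipe needs the same per-CVE check, since the blanket CVE_PRODUCT addition remains in place.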
> -- 
> 2.44.1
> 
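
After a CVE_STATUS entry like the one above is merged, the practitioner's check is to rebuild with cve_check enabled and confirm that the named CVE moved from "Unpatched" to "Ignored" for that recipe, and that nothing else changed. The script below is an added example, not code from the meta-virtualization patch or from poky's cve-check.bbclass: it compares two per-recipe cve-check JSON reports and reports status changes. The two reports embedded in it are constructed samples modelled on the layout cve-check writes under tmp/deploy/cve/ (a "package" list whose entries carry an "issue" list with "id", "status", "detail" and "description" fields); treat those field names as an assumption and verify them against a report from your own build before relying on the script.

```python
"""Compare two cve-check JSON reports for one recipe to confirm that a
CVE_STATUS change landed as intended and changed nothing else.

Added example, not code from the meta-virtualization patch or from poky's
cve-check.bbclass. REPORT_BEFORE / REPORT_AFTER are constructed samples
modelled on the tmp/deploy/cve/<recipe>.json layout; the field names
("package", "issue", "id", "status", "detail", "description") are an
assumption to check against a real report.
"""
import json

# Constructed: grpc-go before the patch. CVE_PRODUCT += "grpc" pulls in the
# grpc:grpc CPE, so the C-core CVE is listed as Unpatched against grpc-go.
REPORT_BEFORE = json.dumps({
    "version": "1",
    "package": [{
        "name": "grpc-go",
        "layer": "meta-virtualization",
        "version": "1.59.0+git",
        "products": [
            {"product": "grpc-go", "cvesInRecord": "No"},
            {"product": "grpc", "cvesInRecord": "Yes"},
        ],
        "issue": [
            {"id": "CVE-2024-7246", "status": "Unpatched"},
        ],
    }],
})

# Constructed: the same recipe after CVE_STATUS[CVE-2024-7246] was added.
# "detail" carries the category before the colon, "description" the text after it.
REPORT_AFTER = json.dumps({
    "version": "1",
    "package": [{
        "name": "grpc-go",
        "layer": "meta-virtualization",
        "version": "1.59.0+git",
        "products": [
            {"product": "grpc-go", "cvesInRecord": "No"},
            {"product": "grpc", "cvesInRecord": "Yes"},
        ],
        "issue": [
            {"id": "CVE-2024-7246", "status": "Ignored",
             "detail": "not-applicable-config",
             "description": "CVE is for grpc (C-core), not grpc-go."},
        ],
    }],
})


def issues_for(report_text, package):
    """Map CVE id -> issue dict for one package in a cve-check JSON report."""
    report = json.loads(report_text)
    for pkg in report.get("package", []):
        if pkg.get("name") == package:
            return {i["id"]: i for i in pkg.get("issue", [])}
    raise KeyError(f"package {package!r} not found in report")


def unpatched(report_text, package):
    """CVE ids the report still counts as Unpatched for the package."""
    issues = issues_for(report_text, package)
    return sorted(cve for cve, i in issues.items() if i.get("status") == "Unpatched")


def status_changes(before_text, after_text, package):
    """CVEs whose status differs between two reports: id -> (old, new).

    A CVE_STATUS patch should change exactly the CVE it names; anything
    else listed here is an unexpected side effect worth a second look.
    """
    before = issues_for(before_text, package)
    after = issues_for(after_text, package)
    changes = {}
    for cve in sorted(set(before) | set(after)):
        old = before.get(cve, {}).get("status")
        new = after.get(cve, {}).get("status")
        if old != new:
            changes[cve] = (old, new)
    return changes


def ignored_with(report_text, package, cve, detail):
    """True if the CVE is Ignored and its detail field carries the expected
    CVE_STATUS category, so a typo in the category would be caught here."""
    issue = issues_for(report_text, package).get(cve)
    return (issue is not None
            and issue.get("status") == "Ignored"
            and issue.get("detail") == detail)


if __name__ == "__main__":
    print("unpatched before:", unpatched(REPORT_BEFORE, "grpc-go"))
    print("unpatched after: ", unpatched(REPORT_AFTER, "grpc-go"))
    print("changes:", status_changes(REPORT_BEFORE, REPORT_AFTER, "grpc-go"))
    print("ignored as not-applicable-config:",
          ignored_with(REPORT_AFTER, "grpc-go", "CVE-2024-7246",
                       "not-applicable-config"))
```

With real reports, pass the JSON text of the recipe's report from a build without the patch and one with it; an empty `status_changes` result means the CVE_STATUS line had no effect (wrong CVE id, or the category was misspelled so cve-check did not recognise it), and any entry other than the CVE named in the patch means the change did more than the commit message claims.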


