[meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched

[meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched

[Shubham Pushpkar]

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
Type: Security Advisory
CVE: CVE-2023-44487
Score: 7.5

Analysis:
- CVE fix is available at [1][2].
- Current grpc-go v1.59.0 source has the fix integrated.[3]
- So, marking this CVE as Patched.

Reference:
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-44487
[2] https://github.com/grpc/grpc-go/pull/6703
[3] https://github.com/grpc/grpc-go/commit/e88f12e0517d [v1.59.x]

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
---
 recipes-devtools/go/grpc-go_git.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
index fdfc2307..0f52988d 100644
--- a/recipes-devtools/go/grpc-go_git.bb
+++ b/recipes-devtools/go/grpc-go_git.bb
@@ -48,3 +48,4 @@ CVE_PRODUCT += "grpc"
 # grpc-go (Go implementation in meta-virtualization) does not
 # contain the affected HPACK code path.
 CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
+CVE_STATUS[CVE-2023-44487] = "fixed-version: Fix for the vulnerability is already integrated as part of v1.59.x source."
-- 
2.44.0

Re: [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched

[Bruce Ashfield]

In message: [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched
on 05/09/2025 Shubham Pushpkar via lists.yoctoproject.org wrote:

> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
> Type: Security Advisory
> CVE: CVE-2023-44487
> Score: 7.5
> 
> Analysis:
> - CVE fix is available at [1][2].
> - Current grpc-go v1.59.0 source has the fix integrated.[3]
> - So, marking this CVE as Patched.

Same comment. Either the version is or isn't impacted, so why
are we marking this as patched.

Bruce

> 
> Reference:
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-44487
> [2] https://github.com/grpc/grpc-go/pull/6703
> [3] https://github.com/grpc/grpc-go/commit/e88f12e0517d [v1.59.x]
> 
> Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
> ---
>  recipes-devtools/go/grpc-go_git.bb | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
> index fdfc2307..0f52988d 100644
> --- a/recipes-devtools/go/grpc-go_git.bb
> +++ b/recipes-devtools/go/grpc-go_git.bb
> @@ -48,3 +48,4 @@ CVE_PRODUCT += "grpc"
>  # grpc-go (Go implementation in meta-virtualization) does not
>  # contain the affected HPACK code path.
>  CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
> +CVE_STATUS[CVE-2023-44487] = "fixed-version: Fix for the vulnerability is already integrated as part of v1.59.x source."
> -- 
> 2.44.0
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9376): https://lists.yoctoproject.org/g/meta-virtualization/message/9376
> Mute This Topic: https://lists.yoctoproject.org/mt/115082031/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>