* [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched @ 2025-09-05 13:35 Shubham Pushpkar 2025-09-19 2:15 ` Bruce Ashfield 0 siblings, 1 reply; 2+ messages in thread From: Shubham Pushpkar @ 2025-09-05 13:35 UTC (permalink / raw) To: meta-virtualization; +Cc: vchavda, deeratho Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-44487 Type: Security Advisory CVE: CVE-2023-44487 Score: 7.5 Analysis: - CVE fix is available at [1][2]. - Current grpc-go v1.59.0 source has the fix integrated.[3] - So, marking this CVE as Patched. Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2023-44487 [2] https://github.com/grpc/grpc-go/pull/6703 [3] https://github.com/grpc/grpc-go/commit/e88f12e0517d [v1.59.x] Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> --- recipes-devtools/go/grpc-go_git.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb index fdfc2307..0f52988d 100644 --- a/recipes-devtools/go/grpc-go_git.bb +++ b/recipes-devtools/go/grpc-go_git.bb @@ -48,3 +48,4 @@ CVE_PRODUCT += "grpc" # grpc-go (Go implementation in meta-virtualization) does not # contain the affected HPACK code path. CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go." +CVE_STATUS[CVE-2023-44487] = "fixed-version: Fix for the vulnerability is already integrated as part of v1.59.x source." -- 2.44.0 ^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched 2025-09-05 13:35 [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched Shubham Pushpkar @ 2025-09-19 2:15 ` Bruce Ashfield 0 siblings, 0 replies; 2+ messages in thread From: Bruce Ashfield @ 2025-09-19 2:15 UTC (permalink / raw) To: spushpka; +Cc: meta-virtualization, vchavda, deeratho In message: [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched on 05/09/2025 Shubham Pushpkar via lists.yoctoproject.org wrote: > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-44487 > Type: Security Advisory > CVE: CVE-2023-44487 > Score: 7.5 > > Analysis: > - CVE fix is available at [1][2]. > - Current grpc-go v1.59.0 source has the fix integrated.[3] > - So, marking this CVE as Patched. Same comment. Either the version is or isn't impacted, so why are we marking this as patched. Bruce > > Reference: > [1] https://nvd.nist.gov/vuln/detail/CVE-2023-44487 > [2] https://github.com/grpc/grpc-go/pull/6703 > [3] https://github.com/grpc/grpc-go/commit/e88f12e0517d [v1.59.x] > > Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> > --- > recipes-devtools/go/grpc-go_git.bb | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb > index fdfc2307..0f52988d 100644 > --- a/recipes-devtools/go/grpc-go_git.bb > +++ b/recipes-devtools/go/grpc-go_git.bb > @@ -48,3 +48,4 @@ CVE_PRODUCT += "grpc" > # grpc-go (Go implementation in meta-virtualization) does not > # contain the affected HPACK code path. > CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go." > +CVE_STATUS[CVE-2023-44487] = "fixed-version: Fix for the vulnerability is already integrated as part of v1.59.x source." > -- > 2.44.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9376): https://lists.yoctoproject.org/g/meta-virtualization/message/9376 > Mute This Topic: https://lists.yoctoproject.org/mt/115082031/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-09-19 2:15 UTC | newest] Thread overview: 2+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-09-05 13:35 [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched Shubham Pushpkar 2025-09-19 2:15 ` Bruce Ashfield
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.