From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: "Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at
Cisco)" <adongare@cisco.com>
Cc: meta-virtualization@lists.yoctoproject.org, vchavda@cisco.com
Subject: Re: [meta-virtualization] [master] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246
Date: Wed, 3 Sep 2025 21:41:00 -0400 [thread overview]
Message-ID: <aLjuLJii7LPeOuoK@gmail.com> (raw)
In-Reply-To: <20250829052335.2162583-1-adongare@cisco.com>
merged to master-next
Bruce
In message: [meta-virtualization] [master] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246
on 28/08/2025 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
> From: Anil Dongare <adongare@cisco.com>
>
> Upstream Repository: https://github.com/grpc/grpc-go
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246
> Type: Security Fix
> CVE: CVE-2024-7246
> Score: 6.3 (Medium)
> Patch: https://github.com/grpc/grpc/issues/36245
>
> Analysis:
> -CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning
> issue found in the gRPC C-core implementation (grpc/grpc).
> -The vulnerability does not apply to the pure Go implementation
> (grpc-go) used in Yocto (meta-virtualization layer).
> -Marking as not-applicable-config (implementation difference).
> -The affected code path is not present in grpc-go.Hence ignoring the
> CVE for grpc-go.
>
> Reference:
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246
> [2] https://github.com/grpc/grpc/issues/36245
> [3] Upstream gRPC release notes confirming fixed versions for gRPC
> C-core (not grpc-go).
>
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
> recipes-devtools/go/grpc-go_git.bb | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
> index 839a4f9c..c2990869 100644
> --- a/recipes-devtools/go/grpc-go_git.bb
> +++ b/recipes-devtools/go/grpc-go_git.bb
> @@ -41,3 +41,8 @@ FILES:${PN} += " \
> # some CVEs are reported with "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*"
> # it's better to have false positives than false negatives
> CVE_PRODUCT += "grpc"
> +# CVE-2024-7246 is an HTTP/2 HPACK poisoning issue in gRPC C-core
> +# (C/C++ implementation, meta-openembedded).
> +# grpc-go (Go implementation in meta-virtualization) does not
> +# contain the affected HPACK code path.
> +CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
> --
> 2.44.1
>
prev parent reply other threads:[~2025-09-04 1:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 5:22 [meta-virtualization] [master] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-09-04 1:41 ` Bruce Ashfield [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aLjuLJii7LPeOuoK@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=adongare@cisco.com \
--cc=meta-virtualization@lists.yoctoproject.org \
--cc=vchavda@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox