From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: spushpka@cisco.com
Cc: meta-virtualization@lists.yoctoproject.org, vchavda@cisco.com,
deeratho@cisco.com
Subject: Re: [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched
Date: Thu, 18 Sep 2025 22:15:13 -0400 [thread overview]
Message-ID: <aMy8sf5mcevGrEVg@gmail.com> (raw)
In-Reply-To: <20250905133553.1087661-1-spushpka@cisco.com>
In message: [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched
on 05/09/2025 Shubham Pushpkar via lists.yoctoproject.org wrote:
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
> Type: Security Advisory
> CVE: CVE-2023-44487
> Score: 7.5
>
> Analysis:
> - CVE fix is available at [1][2].
> - Current grpc-go v1.59.0 source has the fix integrated.[3]
> - So, marking this CVE as Patched.
Same comment. Either the version is or isn't impacted, so why
are we marking this as patched.
Bruce
>
> Reference:
> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-44487
> [2] https://github.com/grpc/grpc-go/pull/6703
> [3] https://github.com/grpc/grpc-go/commit/e88f12e0517d [v1.59.x]
>
> Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
> ---
> recipes-devtools/go/grpc-go_git.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
> index fdfc2307..0f52988d 100644
> --- a/recipes-devtools/go/grpc-go_git.bb
> +++ b/recipes-devtools/go/grpc-go_git.bb
> @@ -48,3 +48,4 @@ CVE_PRODUCT += "grpc"
> # grpc-go (Go implementation in meta-virtualization) does not
> # contain the affected HPACK code path.
> CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
> +CVE_STATUS[CVE-2023-44487] = "fixed-version: Fix for the vulnerability is already integrated as part of v1.59.x source."
> --
> 2.44.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9376): https://lists.yoctoproject.org/g/meta-virtualization/message/9376
> Mute This Topic: https://lists.yoctoproject.org/mt/115082031/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
prev parent reply other threads:[~2025-09-19 2:15 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-05 13:35 [meta-virtualization] [Scarthgap] [PATCH] grpc-go 1.59.0+git: Mark CVE-2023-44487 as Patched Shubham Pushpkar
2025-09-19 2:15 ` Bruce Ashfield [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMy8sf5mcevGrEVg@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=deeratho@cisco.com \
--cc=meta-virtualization@lists.yoctoproject.org \
--cc=spushpka@cisco.com \
--cc=vchavda@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox