diff options
| author | Anil Dongare <adongare@cisco.com> | 2025-08-28 22:22:27 -0700 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2025-09-03 21:40:45 -0400 |
| commit | 23dff61259191a203e92c2f766dccbe44e880aba (patch) | |
| tree | 053a6ccbab33406ab7c75608f94c7fc6cab4ddb5 /scripts/lib/wic/plugins/source | |
| parent | 17a69ce26e0a35790f07ad8ead7e325895db18ec (diff) | |
| download | meta-virtualization-23dff61259191a203e92c2f766dccbe44e880aba.tar.gz | |
grpc-go 1.59.0+git: Ignore CVE-2024-7246
Upstream Repository: https://github.com/grpc/grpc-go
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246
Type: Security Fix
CVE: CVE-2024-7246
Score: 6.3 (Medium)
Patch: https://github.com/grpc/grpc/issues/36245
Analysis:
-CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning
issue found in the gRPC C-core implementation (grpc/grpc).
-The vulnerability does not apply to the pure Go implementation
(grpc-go) used in Yocto (meta-virtualization layer).
-Marking as not-applicable-config (implementation difference).
-The affected code path is not present in grpc-go.Hence ignoring the
CVE for grpc-go.
Reference:
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246
[2] https://github.com/grpc/grpc/issues/36245
[3] Upstream gRPC release notes confirming fixed versions for gRPC
C-core (not grpc-go).
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Diffstat (limited to 'scripts/lib/wic/plugins/source')
0 files changed, 0 insertions, 0 deletions