For gRPC-Java, if you are using grpc-netty-shaded, it uses netty-tcnative that has boringssl statically linked which is old (current gRPC-Java depends on io.netty:netty-tcnative-boringssl-static:2.0.65 that builds and links <https://github.com/netty/netty-tcnative/blob/593db1e4ef822646ee3d209cefcfff021e3d4dba/boringssl-static/pom.xml#L55> from boringssl *chromium-stable <https://boringssl.googlesource.com/boringssl/+/refs/heads/chromium-stable>* dated Dec 2024).
To use OpenSSL on your machine via dynamic linking, you should use grpc-netty and not grpc-netty-shaded. Using OpenSSL can have more initial configuration issues, but can be useful if your OS's OpenSSL version is recent and kept up-to-date with security fixes. Instructions here.

On Tuesday, February 11, 2025 at 12:22:04 AM UTC Kate wrote:

> Hi all,
>
> OpenSSL versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are susceptible to CVE-2024-13176.
>
> As BoringSSL is forked from OpenSSL can you tell me if gRPC, which uses BoringSSL is affected by this vulnerability and if so is there a plan to fix it?
>
> Many thanks,
> Kate
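The practical question behind this thread is which TLS library a gRPC-Java process has actually loaded: the BoringSSL snapshot statically linked into netty-tcnative (grpc-netty-shaded) or the operating system's OpenSSL (grpc-netty with netty-tcnative's dynamic variant). The check below is an added example, not code from the thread or the gRPC project; the class name TlsProviderCheck is an assumption, and it is written against the unshaded grpc-netty packages.

```java
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;

/**
 * Reports which native TLS library netty-tcnative loaded into this JVM.
 * Added example; class name is hypothetical. With grpc-netty-shaded the same
 * classes live under io.grpc.netty.shaded.io.netty.handler.ssl instead.
 */
public final class TlsProviderCheck {

    /**
     * Returns the version string of the native library tcnative bound to
     * (it names BoringSSL or OpenSSL, so it shows which one you are patching),
     * or null when no native provider could be loaded.
     */
    static String nativeTlsVersion() {
        return OpenSsl.isAvailable() ? OpenSsl.versionString() : null;
    }

    /** True if the gRPC client SslContext is backed by the native provider. */
    static boolean usesNativeProvider(SslContext ctx) {
        return ctx instanceof ReferenceCountedOpenSslContext;
    }

    public static void main(String[] args) throws Exception {
        String version = nativeTlsVersion();
        if (version == null) {
            // Without a tcnative artifact on the classpath gRPC falls back to
            // the JDK provider; the cause says which artifact is missing.
            System.out.println("No native TLS provider: " + OpenSsl.unavailabilityCause());
            return;
        }
        System.out.println("Native TLS library: " + version);

        // Ask gRPC for an OpenSSL-backed client context explicitly; configure()
        // throws rather than silently falling back if the provider is unusable.
        SslContext ctx = GrpcSslContexts
            .configure(GrpcSslContexts.forClient(), SslProvider.OPENSSL)
            .build();
        System.out.println("gRPC client context uses native provider: " + usesNativeProvider(ctx));
    }
}
```

Run it once against each dependency set (grpc-netty-shaded, then grpc-netty plus netty-tcnative-boringssl-static or the dynamic netty-tcnative artifact) to confirm the swap described above took effect before relying on the OS package manager for TLS fixes.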