Hi Kannan, Thank you for the reply. I forgot to say I am using gRPC C++ on Windows compiled with cmake.
Kate On Wednesday, 12 February 2025 at 06:27:00 UTC Kannan Jayaprakasam wrote: > For gRPC-Java, if you are using grpc-netty-shaded, it uses netty-tcnative > that has boringssl statically linked which is old (current gRPC-Java > depends on io.netty:netty-tcnative-boringssl-static:2.0.65 that builds > and links > <https://github.com/netty/netty-tcnative/blob/593db1e4ef822646ee3d209cefcfff021e3d4dba/boringssl-static/pom.xml#L55> > > from boringssl *chromium-stable > <https://boringssl.googlesource.com/boringssl/+/refs/heads/chromium-stable>* > dated > Dec 2024). > > To use OpenSSL on your machine via dynamic linking, you should use > grpc-netty and not grpc-netty-shaded. Using OpenSSL can have more initial > configuration issues, but can be useful if your OS's OpenSSL version is > recent and kept up-to-date with security fixes. Instructions here > <http://Using%20OpenSSL%20can%20have%20more%20initial%20configuration%20issues,%20but%20can%20be%20useful%20if%20your%20OS's%20OpenSSL%20version%20is%20recent%20and%20kept%20up-to-date%20with%20security%20fixes.%20OpenSSL%20is%20not%20included%20with%20tcnative,%20but%20instead%20is%20dynamically%20linked%20using%20your%20operating%20system's%20OpenSSL.> > . > > On Tuesday, February 11, 2025 at 12:22:04 AM UTC Kate wrote: > >> Hi all, >> >> OpenSSL versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are susceptible >> to CVE-2024-13176. >> >> As BoringSSL is forked from OpenSSL can you tell me if gRPC, which uses >> BoringSSL is affected by this vulnerability and if so is there a plan to >> fix it? >> >> Many thanks, >> Kate >> > -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/grpc-io/8a37fdd6-8d10-46f9-aac3-de5057e6c879n%40googlegroups.com.
