Hi Kate,

The CVE in the email description (CVE-2024-12176) is different than the CVE 
from the email body (CVE-2024-13176). I'm assuming the question is about 
the latter, as it is the one that would apply to the SSL libraries.

BoringSSL is not affected by CVE-2024-13176.

As you point out, there are OpenSSL versions that are affected by 
CVE-2024-13176. If you choose to build gRPC-C++ with OpenSSL, then you may 
be affected, depending on your OpenSSL version.

Best,
Matt
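A quick way to act on Matt's answer is to inventory which TLS library a given gRPC-C++ build actually carries before worrying about CVE-2024-13176. The script below is an added example, not code from the thread or from the gRPC project: it scans a binary (the gRPC executable itself when the bundled BoringSSL is linked statically, or the separate libssl/libcrypto DLL or .so when gRPC was built against system OpenSSL, e.g. with gRPC's CMake option gRPC_SSL_PROVIDER=package) for the embedded version text, and reports whether the OpenSSL series is one of those Kate listed. The sample blobs are constructed stand-ins for real files; the classification is an assumption that the version text is present and unstripped, and being in an affected series only means the exact patch level still has to be checked against the OpenSSL advisory.

```python
import re
from pathlib import Path

# Version series the thread lists as susceptible to CVE-2024-13176. Membership means
# "compare the exact patch level against the OpenSSL advisory", not "definitely
# vulnerable": a patched 3.0.x release is still in series 3.0.
AFFECTED_SERIES = ("3.4", "3.3", "3.2", "3.1", "3.0", "1.1.1", "1.0.2")

# OpenSSL embeds its OPENSSL_VERSION_TEXT, e.g. "OpenSSL 3.0.13 30 Jan 2024",
# in libssl/libcrypto and in anything that links them statically.
OPENSSL_VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
# BoringSSL identifies itself with the bare string "BoringSSL"; it can also carry an
# OpenSSL-compatible version text, so the BoringSSL marker is tested first.
BORINGSSL_MARKER = b"BoringSSL"


def version_series(version: str) -> str:
    """Map an OpenSSL version to the series used in advisories.

    1.x releases are tracked as 1.0.2 / 1.1.1 (three components plus a letter),
    3.x releases as major.minor.
    """
    parts = re.sub(r"[a-z]+$", "", version).split(".")
    return ".".join(parts[:3] if parts[0] == "1" else parts[:2])


def classify_tls_provider(blob: bytes) -> dict:
    """Report which TLS library a binary carries and whether its series is listed."""
    if BORINGSSL_MARKER in blob:
        # Separate code base; the thread states BoringSSL is not affected.
        return {"provider": "boringssl", "version": None, "series": None,
                "in_affected_series": False}
    m = OPENSSL_VERSION_RE.search(blob)
    if m:
        version = m.group(1).decode("ascii")
        series = version_series(version)
        return {"provider": "openssl", "version": version, "series": series,
                "in_affected_series": series in AFFECTED_SERIES}
    return {"provider": "unknown", "version": None, "series": None,
            "in_affected_series": False}


def classify_file(path) -> dict:
    """Scan a DLL/.so/.exe (or a statically linked gRPC binary) on disk."""
    return classify_tls_provider(Path(path).read_bytes())


# Constructed sample blobs standing in for real binaries (not real files).
SAMPLE_SYSTEM_OPENSSL = b"\x00padding\x00OpenSSL 3.0.13 30 Jan 2024\x00more\x00"
SAMPLE_BUNDLED_BORINGSSL = b"\x00grpc\x00BoringSSL\x00TLS 1.3\x00"
SAMPLE_NO_TLS = b"\x00plain binary with no TLS strings\x00"

if __name__ == "__main__":
    for name, blob in [("system-openssl", SAMPLE_SYSTEM_OPENSSL),
                       ("bundled-boringssl", SAMPLE_BUNDLED_BORINGSSL),
                       ("no-tls", SAMPLE_NO_TLS)]:
        print(name, classify_tls_provider(blob))
```

On a Windows cmake build, point classify_file at the gRPC executable and, if it reports "unknown", at the libssl/libcrypto DLLs next to it; a "boringssl" result means the bundled library is in use, while an "openssl" result in an affected series is the case Matt describes and the installed patch level decides the outcome.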

On Wednesday, February 12, 2025 at 10:18:49 AM UTC-5 Kate wrote:

> Hi Kannan,
>
> Thank you for the reply. I forgot to say I am using gRPC C++ on Windows 
> compiled with cmake.
>
> Kate
>
> On Wednesday, 12 February 2025 at 06:27:00 UTC Kannan Jayaprakasam wrote:
>
>> For gRPC-Java, if you are using grpc-netty-shaded, it uses netty-tcnative 
>> that has boringssl statically linked which is old (current gRPC-Java 
>> depends on io.netty:netty-tcnative-boringssl-static:2.0.65 that builds 
>> and links 
>> <https://github.com/netty/netty-tcnative/blob/593db1e4ef822646ee3d209cefcfff021e3d4dba/boringssl-static/pom.xml#L55> 
>> from boringssl chromium-stable 
>> <https://boringssl.googlesource.com/boringssl/+/refs/heads/chromium-stable> 
>> dated Dec 2024). 
>>
>> To use OpenSSL on your machine via dynamic linking, you should use 
>> grpc-netty and not grpc-netty-shaded. Using OpenSSL can have more initial 
>> configuration issues, but can be useful if your OS's OpenSSL version is 
>> recent and kept up-to-date with security fixes. Instructions here.
>>
>> On Tuesday, February 11, 2025 at 12:22:04 AM UTC Kate wrote:
>>
>>> Hi all,
>>>
>>> OpenSSL versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are 
>>> susceptible to CVE-2024-13176.
>>>
>>> As BoringSSL is forked from OpenSSL, can you tell me if gRPC, which uses 
>>> BoringSSL, is affected by this vulnerability and, if so, is there a plan to 
>>> fix it? 
>>>
>>> Many thanks, 
>>> Kate
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To view this discussion visit 
https://groups.google.com/d/msgid/grpc-io/11c78dac-0989-4822-b75c-10b3c3d2393bn%40googlegroups.com.