Hi Matt,

Yes, that is a typo in the email description; I don't know how/if I can 
correct it. 

Luckily the email body is correct.

Thank you for your response, that is great news. We don't want to build 
gRPC with OpenSSL, so if BoringSSL is not affected then we can continue as 
we are.

Thanks again,
Kate


On Thursday, 13 February 2025 at 14:53:39 UTC Matthew Stevenson wrote:

> Hi Kate,
>
> The CVE in the email description (CVE-2024-12176) is different than the 
> CVE from the email body (CVE-2024-13176). I'm assuming the question is 
> about the latter, as it is the one that would apply to the SSL libraries.
>
> BoringSSL is not affected by CVE-2024-13176.
>
> As you point out, there are OpenSSL versions that are affected by 
> CVE-2024-13176. If you choose to build gRPC-C++ with OpenSSL, then you may 
> be affected, depending on your OpenSSL version.
>
> Best,
> Matt
>
> On Wednesday, February 12, 2025 at 10:18:49 AM UTC-5 Kate wrote:
>
>> Hi Kannan,
>>
>> Thank you for the reply. I forgot to say I am using gRPC C++ on Windows 
>> compiled with cmake.
>>
>> Kate
>>
>> On Wednesday, 12 February 2025 at 06:27:00 UTC Kannan Jayaprakasam wrote:
>>
>>> For gRPC-Java, if you are using grpc-netty-shaded, it uses 
>>> netty-tcnative that has boringssl statically linked which is old (current 
>>> gRPC-Java depends on io.netty:netty-tcnative-boringssl-static:2.0.65 that 
>>> builds and links 
>>> <https://github.com/netty/netty-tcnative/blob/593db1e4ef822646ee3d209cefcfff021e3d4dba/boringssl-static/pom.xml#L55> 
>>> from boringssl *chromium-stable* 
>>> <https://boringssl.googlesource.com/boringssl/+/refs/heads/chromium-stable> 
>>> dated Dec 2024). 
>>>
>>> To use OpenSSL on your machine via dynamic linking, you should use 
>>> grpc-netty and not grpc-netty-shaded. Using OpenSSL can have more initial 
>>> configuration issues, but can be useful if your OS's OpenSSL version is 
>>> recent and kept up-to-date with security fixes. Instructions here.
>>>
>>> On Tuesday, February 11, 2025 at 12:22:04 AM UTC Kate wrote:
>>>
>>>> Hi all,
>>>>
>>>> OpenSSL versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are 
>>>> susceptible to CVE-2024-13176.
>>>>
>>>> As BoringSSL is forked from OpenSSL can you tell me if gRPC, which uses 
>>>> BoringSSL is affected by this vulnerability and if so is there a plan to 
>>>> fix it? 
>>>>
>>>> Many thanks, 
>>>> Kate
>>>>
>>>
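A runtime check for which native TLS library a gRPC-Java process actually loaded, added here as an example; it is not code from this thread or from the gRPC or Netty projects. It uses Netty's public io.netty.handler.ssl.OpenSsl class, and the decision that a version string starting with "BoringSSL" means the statically linked BoringSSL from netty-tcnative-boringssl-static is an assumption based on BoringSSL's OPENSSL_VERSION_TEXT. The Maven coordinates in the comment follow Kannan's advice (grpc-netty plus a platform-specific netty-tcnative rather than grpc-netty-shaded); the version numbers and the classifier are placeholders you must replace with your own.

```java
import io.netty.handler.ssl.OpenSsl;

/*
 * Assumed Maven coordinates (not from the thread; adjust versions/classifier):
 *
 *   <dependency>
 *     <groupId>io.grpc</groupId>
 *     <artifactId>grpc-netty</artifactId>      <!-- NOT grpc-netty-shaded -->
 *     <version>1.70.0</version>
 *   </dependency>
 *   <dependency>
 *     <groupId>io.netty</groupId>
 *     <artifactId>netty-tcnative</artifactId>  <!-- dynamic OpenSSL; no bundled BoringSSL -->
 *     <version>2.0.65.Final</version>
 *     <classifier>linux-x86_64</classifier>    <!-- pick your platform -->
 *   </dependency>
 */
public final class TlsProviderCheck {

    /** What the JVM actually linked, for startup logs or a fail-fast assertion. */
    public static final class Report {
        public final boolean nativeAvailable;
        /** e.g. "BoringSSL" or "OpenSSL 3.4.1 11 Feb 2025"; JDK provider text if no native lib. */
        public final String versionString;
        public final boolean isBoringSsl;

        Report(boolean nativeAvailable, String versionString, boolean isBoringSsl) {
            this.nativeAvailable = nativeAvailable;
            this.versionString = versionString;
            this.isBoringSsl = isBoringSsl;
        }
    }

    /** Inspect the loaded provider without opening any connection. */
    public static Report inspect() {
        if (!OpenSsl.isAvailable()) {
            // No tcnative on the classpath or it failed to load: gRPC falls back to the JDK provider.
            return new Report(false, "JDK provider (" + OpenSsl.unavailabilityCause() + ")", false);
        }
        String version = OpenSsl.versionString();
        // Assumption: BoringSSL reports OPENSSL_VERSION_TEXT as "BoringSSL"; OpenSSL reports "OpenSSL x.y.z ...".
        boolean boring = version != null && version.startsWith("BoringSSL");
        return new Report(true, version, boring);
    }

    /**
     * Fail fast if deployment policy requires the OS's dynamically linked OpenSSL
     * (so that OS security updates, not a rebuild of a shaded jar, fix library CVEs).
     */
    public static void requireSystemOpenSsl() {
        Report r = inspect();
        if (!r.nativeAvailable || r.isBoringSsl) {
            throw new IllegalStateException(
                "Expected dynamically linked OpenSSL via grpc-netty + netty-tcnative, got: " + r.versionString);
        }
    }

    public static void main(String[] args) {
        Report r = inspect();
        System.out.println("native TLS available: " + r.nativeAvailable);
        System.out.println("version string:       " + r.versionString);
        System.out.println("bundled BoringSSL:    " + r.isBoringSsl);
    }
}
```

Run it once in each deployment image: if it prints "BoringSSL", the TLS code is whatever netty-tcnative-boringssl-static shipped and only a dependency upgrade changes it; if it prints an "OpenSSL 3.x.y" string, the version that matters for an OpenSSL advisory is the one installed on the host, and that is what you compare against the affected ranges.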

To view this discussion visit 
https://groups.google.com/d/msgid/grpc-io/9cfdff13-b745-4013-95f0-4b1fd237caf6n%40googlegroups.com.