From patchwork Thu Jun 4 14:39:05 2026
X-Patchwork-Submitter: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 89320
From: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Subject: [oe][meta-python][scarthgap][PATCH 1/3] python3-grpcio-tools: set status for CVE-2026-33186
Date: Thu, 4 Jun 2026 07:39:05 -0700
Message-Id: <20260604143907.2864663-1-sudumbha@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127399

From: Sudhir Dumbhare

The vulnerability only affects the Go implementation of the library, not the
Python one. Ignore this CVE due to this.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-33186
https://github.com/advisories/GHSA-p77j-4mvh-x3m3

Signed-off-by: Sudhir Dumbhare
--- .../recipes-devtools/python/python3-grpcio-tools_1.62.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb index 7f842c01a9..9f14d2e4b5 100644 --- a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb +++ b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb 
@@ -23,3 +23,5 @@ do_compile:prepend() { BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT += "grpc:grpc" + +CVE_STATUS[CVE-2026-33186] = "cpe-incorrect: this CVE is for golang version of grpc"

From patchwork Thu Jun 4 14:39:07 2026
X-Patchwork-Submitter: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 89321
From: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Subject: [oe][meta-python][scarthgap][PATCH 2/3] python3-grpcio-tools: set status for CVE-2024-7246
Date: Thu, 4 Jun 2026 07:39:07 -0700
Message-Id: <20260604143907.2864663-2-sudumbha@cisco.com>
In-Reply-To: <20260604143907.2864663-1-sudumbha@cisco.com>
References: <20260604143907.2864663-1-sudumbha@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127400
From: Sudhir Dumbhare

Analysis:
- CVE-2024-7246 [4] affects gRPC-C++ CHTTP2 HPACK parser error handling.
- The upstream fix from v1.62.3 [1] modifies gRPC core runtime source
  src/core/ext/transport/chttp2/transport/hpack_parser.cc, aligned with the
  original fix in v1.60.2 [2] as referenced in [3].
- python3-grpcio-tools does not include or compile this runtime source.
- Hence CVE-2024-7246 is not applicable to python3-grpcio-tools.

[1] https://github.com/grpc/grpc/commit/1d172cfca56440889ca32ae516b8c2767321f5b5
[2] https://github.com/grpc/grpc/commit/88b1244fd43e81860baa60cc7fb3945a2cca0d11
[3] https://bugzilla.suse.com/show_bug.cgi?id=1228919
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-7246

Signed-off-by: Sudhir Dumbhare
--- .../recipes-devtools/python/python3-grpcio-tools_1.62.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb index 9f14d2e4b5..63abf6e3cf 100644 --- a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb +++ b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb 
@@ -25,3 +25,4 @@ BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT += "grpc:grpc" CVE_STATUS[CVE-2026-33186] = "cpe-incorrect: this CVE is for golang version of grpc" +CVE_STATUS[CVE-2024-7246] = "not-applicable-config: the vulnerable gRPC C-core HPACK parser code is not present in grpcio-tools"

From patchwork Thu Jun 4 14:39:09 2026
X-Patchwork-Submitter: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 89322
From: "Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Subject: [oe][meta-python][scarthgap][PATCH 3/3] python3-grpcio-tools: set status for CVE-2024-11407
Date: Thu, 4 Jun 2026 07:39:09 -0700
Message-Id: <20260604143907.2864663-3-sudumbha@cisco.com>
In-Reply-To: <20260604143907.2864663-1-sudumbha@cisco.com>
References: <20260604143907.2864663-1-sudumbha@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127401

From: Sudhir Dumbhare

Analysis:
- CVE-2024-11407 [1] affects gRPC-C++ servers with transmit zero copy enabled.
- The upstream fix modifies gRPC core runtime source
  src/core/lib/event_engine/posix_engine/posix_endpoint.cc [2].
- python3-grpcio-tools does not include or compile this runtime source.
- Hence CVE-2024-11407 is not applicable to python3-grpcio-tools.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-11407
[2] https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791

Signed-off-by: Sudhir Dumbhare --- .../recipes-devtools/python/python3-grpcio-tools_1.62.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb index 63abf6e3cf..71cabf0d01 100644 --- a/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb +++ b/meta-python/recipes-devtools/python/python3-grpcio-tools_1.62.2.bb @@ -26,3 +26,4 @@ CVE_PRODUCT += "grpc:grpc" CVE_STATUS[CVE-2026-33186] = "cpe-incorrect: this CVE is for golang version of grpc" CVE_STATUS[CVE-2024-7246] = "not-applicable-config: the vulnerable gRPC C-core HPACK parser code is not present in grpcio-tools" +CVE_STATUS[CVE-2024-11407] = "not-applicable-config: CVE affects gRPC C++ server zero-copy transport code, which is not present in grpcio-tools"
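Review bot: in the [PATCH 1/3] hunk, the added `CVE_STATUS[CVE-2026-33186]` line keeps its justification only in the commit message; the reason string says "this CVE is for golang version of grpc" with no pointer to the advisory. The context line `CVE_PRODUCT += "grpc:grpc"` is why grpc:grpc entries are checked against this recipe at all, so a short comment above the new entry naming GHSA-p77j-4mvh-x3m3 (already cited in the commit message) would let a later reader re-verify the ignore from the recipe itself.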
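Review bot: in the [PATCH 2/3] hunk, the status `not-applicable-config` on the added `CVE_STATUS[CVE-2024-7246]` line does not match the reason given. Both the reason string and the commit message say the HPACK parser source is not included or compiled in grpcio-tools at all, which is a statement about the component and not about a build or runtime configuration. The context line directly above uses `cpe-incorrect` for the same kind of argument (the CVE belongs to a different part of grpc); either use that status here too, or name in the reason string the configuration that excludes the code.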
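Review bot: in the [PATCH 3/3] hunk, the added `CVE_STATUS[CVE-2024-11407]` reason asserts the zero-copy transport code "is not present in grpcio-tools", but neither the patch nor the commit message records how that was checked against the 1.62.2 source this recipe builds. Please state the check in the commit message (for example, that src/core/lib/event_engine/posix_engine/posix_endpoint.cc is absent from the unpacked source tree), since the entry sits in a versioned recipe file and has to be re-validated on upgrade. The wording is also inconsistent with the entry above it ("gRPC C++ server" here, "gRPC C-core" there); one term for the shared runtime would read better.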