On 1/16/23 6:53 AM, Valek, Andrej wrote:
Hi all,

The reason why I'm asking specifically like this is that the problem is
inside the bundled zlib library. The "official" solution for fixing
(https://nvd.nist.gov/vuln/detail/CVE-2022-37434) is to update the
bundled zlib (https://github.com/grpc/grpc/pull/31595) library, which
shouldn't be done with an easy patch, I guess.

So how to proceed with that?

The gRPC folks did backport the fix to 1.46.6.
The zlib version in 1.45.2 appears to be 1.2.11 and the version updated to fix the CVE is 1.2.13. But that would then be an untested configuration.

Giving this a bit more thought, I think the cleanest path forward is to update to 1.46.6. It appears to have 257 changes and seems to be still active.

- armin

Regards,
Andrej

On Wed, 2023-01-11 at 21:24 -0500, Randy MacLeod via
lists.openembedded.org wrote:
On 2023-01-11 13:27, Khem Raj via lists.openembedded.org wrote:
On Wed, Jan 11, 2023 at 10:07 AM Steve Sakoman <st...@sakoman.com>
wrote:
Hi Andrej,

I'm the maintainer for openembedded-core, and gRPC is in
meta-openembedded. So this isn't my call to make.

However, we typically only take version bumps if they are
security/bug fix only releases. So if this is the case, you can submit a patch.
But please be sure to include either release notes or a change log so
the meta-openembedded maintainer can verify that it is suitable for a
stable release.
Thanks Steve, the policy is the same for all OE layers. I will wait for Armin
(Release Maintainer for meta-openembedded)
to take the final call.

I vote for no update based on a quickish look.

Armin,

To save you some review, see the data below, which indicates that there's
an apparently stable release maintenance scheme and that
1.50.x is > 1200 commits ahead and *likely* breaks ABI.

Andrej,

Is your CVE covered by any fixes on the stable release?
If not, best to get it merged upstream in addition to backporting
the fix as a patch in meta-oe.

../Randy


$ git clone https://github.com/grpc/grpc.git
$ cd grpc

$ git log --oneline v1.45.2..v1.50.1 | wc -l
1259

$ git diff v1.45.2..v1.50.1 |  diffstat | tail -1
   3763 files changed, 198007 insertions(+), 213762 deletions(-)

$ git checkout v1.45.x
...

# oh, I forgot to show the stable branches:
$ git branch -a | rg v1.[45][0-9]
* v1.45.x
    remotes/origin/v1.40.x
    remotes/origin/v1.41.x
    remotes/origin/v1.42.x
    remotes/origin/v1.43.x
    remotes/origin/v1.44.x
    remotes/origin/v1.45.x
    remotes/origin/v1.46.x
    remotes/origin/v1.47.x
    remotes/origin/v1.48.x
    remotes/origin/v1.49.x
    remotes/origin/v1.50.x
    remotes/origin/v1.51.x


# What's not included in our 1.45.2?
$ git log --oneline v1.45.2...
4af1fe173d (HEAD -> v1.45.x, origin/v1.45.x) xDS interop: resume circuit_breaking test (#32038) (#32056)
60863b633e [CPP] xDS interop GCE framework: pin grpcio-tools to use protobuf 3.x (#31214) (#31221)
0a1c8d3c5c xDS interop GCE framework: pin grpcio-tools to use protobuf 3.x (#31191) (#31201)
129dd25c33 xDS interop: buildscripts: fix run_test return status (#30768) (#30879)
(#30735) (#30860)
d19a439577 xDS interop: Python LB tests build and use the python server (#30637) (#30658)
(#30520) (#30532)
12df388e8b xds interop: choose correct cluster in grpc_xds_k8s_lb_python.sh (#30309) (#30332)
ea0f9b29f7 xds-k8s jobs: standardize TESTING_VERSION (#30027) (#30050)
14afb3a3ea Disable layering check for Objective-C (#29375)


# When were those commits made?
$ git log v1.45.2... | rg Date:
Date:   Tue Jan 10 13:35:42 2023
Date:   Mon Oct 3 15:23:06 2022
Date:   Mon Oct 3 13:35:02 2022
Date:   Thu Sep 8 16:57:24 2022
Date:   Tue Sep 6 20:47:18 2022
Date:   Fri Aug 19 17:22:21 2022
Date:   Mon Aug 8 21:33:59 2022
Date:   Tue Jul 19 17:31:09 2022
Date:   Fri Jun 17 18:37:56 2022
Date:   Tue Apr 19 14:45:30 2022


so it looks like there's a stable branching strategy.
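The git archaeology Randy shows above (distance between two tags, what a stable branch carries beyond the tag we ship, and whether a CVE fix has landed on a given tag or branch) is the check a layer maintainer repeats for every backport question. Below is an added example, not from the thread and not grpc's or OE's own tooling, that wraps those checks in shell functions and runs them against a throwaway repository constructed on the spot so it works offline. The tag and branch names copy the ones in the thread; the commit history is made up, `git` on PATH is assumed, and the fix is located by a fixed string in the commit subject (the CVE id), which the real grpc zlib-bump commit may not contain.

```shell
#!/bin/sh
# Added example: the release/backport checks from the thread, as functions,
# run against a constructed toy repository (history is invented).
set -eu

add_commit() {
  printf '%s\n' "$1" >> CHANGES
  git add CHANGES
  git -c commit.gpgsign=false commit -q -m "$1"
}

# Build the constructed history and leave the shell inside the repo:
#   v1.45.x  released as v1.45.2, then two backports on top
#   v1.46.x  branched from v1.45.2, carries the zlib bump, released as v1.46.6
#   v1.50.x  branched from v1.46.6, five more commits, released as v1.50.1
make_toy_repo() {
  repo=$(mktemp -d)
  cd "$repo"
  export GIT_AUTHOR_NAME=toy GIT_AUTHOR_EMAIL=toy@example.invalid
  export GIT_COMMITTER_NAME=toy GIT_COMMITTER_EMAIL=toy@example.invalid
  git init -q
  git checkout -q -b v1.45.x
  add_commit "initial import"
  git tag v1.45.2
  add_commit "xDS interop: buildscripts: fix run_test return status (backport)"
  add_commit "xDS interop: resume circuit_breaking test (backport)"
  git checkout -q -b v1.46.x v1.45.2
  add_commit "Upgrade bundled zlib to 1.2.13 (CVE-2022-37434)"
  git tag v1.46.6
  git checkout -q -b v1.50.x v1.46.6
  i=1
  while [ "$i" -le 5 ]; do add_commit "feature $i"; i=$((i + 1)); done
  git tag v1.50.1
}

# Number of commits reachable from $2 but not from $1.  Covers both of
# Randy's questions: distance between two tags (v1.45.2..v1.50.1) and what a
# stable branch has beyond the tag we ship (v1.45.2..v1.45.x).
commits_between() { git rev-list --count "$1..$2"; }

# First commit anywhere in the repo whose subject contains the fixed string $1.
find_fix() { git log --all --fixed-strings --grep="$1" --format=%H | head -n 1; }

# Exit 0 if the fix identified by $1 is an ancestor of ref $2 (tag or branch),
# 1 if not, 2 if no commit mentions it.  This is the "is your CVE covered by
# any fixes on the stable release?" check.
fix_in_tag() {
  sha=$(find_fix "$1")
  [ -n "$sha" ] || { echo "no commit mentions '$1'" >&2; return 2; }
  git merge-base --is-ancestor "$sha" "$2"
}

# Branches that already carry the fix, i.e. where a backport could come from.
branches_with_fix() {
  sha=$(find_fix "$1")
  [ -n "$sha" ] || return 2
  git branch --format='%(refname:short)' --contains "$sha" | sort | xargs
}

main() {
  make_toy_repo
  echo "v1.45.2..v1.50.1: $(commits_between v1.45.2 v1.50.1) commits"
  echo "on v1.45.x but not in v1.45.2: $(commits_between v1.45.2 v1.45.x) commits"
  echo "branches carrying the zlib fix: $(branches_with_fix CVE-2022-37434)"
  for t in v1.45.2 v1.46.6; do
    if fix_in_tag CVE-2022-37434 "$t"; then echo "$t: fixed"; else echo "$t: NOT fixed"; fi
  done
}

main "$@"
```

Against the real checkout the same functions run unchanged (`fix_in_tag <subject-string> v1.45.2`, `branches_with_fix <subject-string>`); `merge-base --is-ancestor` is the reliable test, since a backport lands as a new commit with its own hash and `git branch --contains <upstream-sha>` will miss it.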






View/Reply Online (#100585): https://lists.openembedded.org/g/openembedded-devel/message/100585