1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00
Commit Graph

251 Commits

Author SHA1 Message Date
Theo Gaige (Schneider Electric) e2d512c2e7 go: patch CVE-2026-27145
Backport patch from [1]

[1] https://go.dev/cl/783621

(From OE-Core rev: 209a1b3a48b8e3996e1b53f2d7efe335855b7375)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-07-02 13:42:25 +01:00
Sudhir Dumbhare 5087e4b4a0 go: set status for CVE-2026-39836
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836

(From OE-Core rev: 324359dcb7cbeb15ef51f5cc18924f590c81b1de)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Sudhir Dumbhare f3fbf45c1d go-binary-native: set status for CVE-2026-39836
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836

(From OE-Core rev: 8aab8b31425b3820ef65fc40061b9377c574607b)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Sudhir Dumbhare 7d782f3ed0 go: fix CVE-2026-32288
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded sparse map handling in `archive/tar`.

[1] https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e
[2] https://security-tracker.debian.org/tracker/CVE-2026-32288

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-32288

(From OE-Core rev: 775c3af36899eebe5612844accdfd2a8a2a9327a)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 3401fba731 go: fix CVE-2026-25679
This patch applies the upstream fix [1], as referenced in [2],
to address insufficient validation in `url.Parse`.

Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix.
This Scarthgap recipe already carries CVE-2025-47912.patch, so the
fix is applicable to the patched Go 1.22.12 source used here.

[1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25679

(From OE-Core rev: 913b9dc19ea14edbbaf4b7a677507949e454e685)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare b1af4c89b0 go: fix CVE-2025-58183
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded memory consumption when reading GNU tar pax
1.0 sparse file regions in archive/tar.

[1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556
[2] https://security-tracker.debian.org/tracker/CVE-2025-58183

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-58183

(From OE-Core rev: e0285488a93cf3b369ad7424d55938791f57174f)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Hitendra Prajapati 1e7d50296e go 1.22.12: fix CVE-2026-27143, CVE-2026-27144
Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]

[1] https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc
[2] https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3
[3] https://security-tracker.debian.org/tracker/CVE-2026-27143
[4] https://security-tracker.debian.org/tracker/CVE-2026-27144

(From OE-Core rev: c4273fecc42ab643eea036651c79d968f0caaafd)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Hitendra Prajapati 2abc87a006 go 1.22.12: fix CVE-2026-27140
Pick patch from [1] also mentioned at Debian report in [2]

[1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140

(From OE-Core rev: b0048d8bc8134c445a3352bfb631d41319a75331)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Theo Gaige (Schneider Electric) 7842ddc5b2 go: patch CVE-2026-42507
Backport patch from [1]

[1] https://go.dev/cl/777060

(From OE-Core rev: dfcc700ab9e1785a7ac09fafa8732d513202c70b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) c0b84584be go: patch CVE-2026-42504
Backport patch from [1]

[1] https://go.dev/cl/774481

(From OE-Core rev: 1556a34831b2d96c8a7862493494f3b9fa10d4a9)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 33b725d19b go: patch CVE-2026-42501
Backport patch from [1]

[1] https://go.dev/cl/775321

(From OE-Core rev: c9cc7872b9ecb426e9cd5921e0bbc175f600964a)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d896bb9ee4 go: patch CVE-2026-42499
Backport patch from [1]

[1] https://go.dev/cl/771520

(From OE-Core rev: 0a692a5f57c43fb478a4a0b771b528fb9cf0c14d)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 9a4407138b go: patch CVE-2026-39826
Backport patch from [1]

[1] https://go.dev/cl/771180

(From OE-Core rev: 11203044b88ecca7bcdf32d58db5808949423de4)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 78bfa2dc96 go: patch CVE-2026-39825
Backport patch from [1]

[1] https://go.dev/cl/770541

(From OE-Core rev: ae5b6a1b2bf80e73f18406153d314ff18a89a13f)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 992c2a0192 go: patch CVE-2026-39820
Backport patch from [1] mentionned in [2]

[1] https://go.dev/cl/759940

[2] https://security-tracker.debian.org/tracker/CVE-2026-39820

(From OE-Core rev: f694d6cdd10c38a482d8c2a90f84c96da817ea51)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) f195e84050 go: patch CVE-2026-39819
Backport patch from [1]

[1] https://go.dev/cl/763882

(From OE-Core rev: 791de4922a5b342e3227713b053709a00400e1b5)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 6394046b02 go: patch CVE-2026-39817
Backport patch from [1] mentionned in [2]

[1] https://go.dev/cl/767520

[2] https://security-tracker.debian.org/tracker/CVE-2026-39817

(From OE-Core rev: f88c0ff79cf5838f8d0c31ecacc35faf56059d03)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d5108e0975 go: patch CVE-2026-33811
Backport patch from [1]

[1] https://go.dev/cl/767860

(From OE-Core rev: e4137b29d7b3218ceef9973d57c179e5e2771a68)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) b7967ae307 go: patch CVE-2026-32289
Backport patch from [1]

[1] https://go.dev/cl/763762

(From OE-Core rev: d0469c3a9d62a2ab3d6baef92e578f247d68318b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d10a96fbd0 go: patch CVE-2026-32283
Backport patch from [1]

[1] https://go.dev/cl/763767

(From OE-Core rev: bfba1601c099d7b68c4d9fcf07617d8310d4af66)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 4c319bd87f go: patch CVE-2026-32280
Backport patch from [1]

[1] https://go.dev/cl/758320

(From OE-Core rev: e52259f1d09c722390b49adf3d4e3d863fbde7e8)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d942ca707b go: patch CVE-2026-27142
Backport patch from [1]

[1] https://go.dev/cl/752081

(From OE-Core rev: c6730245b14c094e3b210af785cda7caf4468163)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Eduardo Ferreira 195c9264bb go: Fix CVE-2025-61726.patch variable ordering
Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11)
introduced a patch backporting a fix for CVE-2025-61726, but
this patch also introduced a bug.

From Go's source code[1], they say that the 'All' table from 'godebugs'
should be populated alphabetically by Name. And 'Lookup'[2] function uses
binary search to try and find the variable.

Here's the trace:
Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine.
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb
ugs.All: urlmaxqueryparams
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]:
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/http/server.go:1903 +0xb0
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40
006441c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         internal/godebug/godebug.go:141 +0xd8
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         sync/once.go:74 +0x100
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         sync/once.go:65
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         internal/godebug/godebug.go:138 +0x50
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/url/url.go:968 +0x3c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/url/url.go:985 +0xdc
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/url/url.go:958
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/http/request.go:1317 +0x33c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20

The 'Lookup' function was failing due to the wrong ordering and returning 'nil',
which was not being checked properly and caused this issue.

The fix was to just reorder the line where 'urlmaxqueryparams' is being
added to respect the alphabetical ordering. And for that the whole CVE
patch was generated again.

This change was validated with docker-moby (original issue), where a container
run successfully and no traces in the logs.

[1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
[2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100

(From OE-Core rev: b670b11ff4845b64f861041681ace9c21db16eed)

Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-03-25 17:34:13 +00:00
Deepak Rathore e44ffb5b15 go 1.22.12: Fix CVE-2025-68121
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-68121
Type: Security Fix
CVE: CVE-2025-68121
Score: 4.8
Patch:
- https://github.com/golang/go/commit/5f07b226f9aa
- https://github.com/golang/go/commit/cb75daf3b291
- https://github.com/golang/go/commit/6a501314718b

(From OE-Core rev: a5ded8dd51a520cf190ea094f65301477b057d8f)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00
Deepak Rathore 5f5a2976b2 go 1.22.12: Fix CVE-2025-61732
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61732
Type: Security Fix
CVE: CVE-2025-61732
Score: 8.6
Patch:  https://github.com/golang/go/commit/14d0bb39c1c4

(From OE-Core rev: 560778463bd0d4e52ac40851783e39733edcf9d1)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00
Deepak Rathore c13443407a go 1.22.12: Fix CVE-2025-68119
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-68119
Type: Security Fix
CVE: CVE-2025-68119
Score: 7.0
Patch:
[1] https://github.com/golang/go/commit/62452bed4801
[2] https://github.com/golang/go/commit/73fe85f0ea1b

Note:
- First commit [1] is a dependent patch which is required additionally
  in original fix [2] to define ENV variable changes in
  src/cmd/go/internal/vcs/vcs.go file.

(From OE-Core rev: ef995146623cf65c2e30f37b09847883ca7481bb)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00
Deepak Rathore a231c49abc go 1.22.12: Fix CVE-2025-61731
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61731
Type: Security Fix
CVE: CVE-2025-61731
Score: 7.8
Patch: https://github.com/golang/go/commit/00b7309387a1

(From OE-Core rev: a7d8ad20525ee6c74a0e149dfd54c7e5c9e1f740)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00
Deepak Rathore e333b43a69 go 1.22.12: Fix CVE-2025-61728
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61728
Type: Security Fix
CVE: CVE-2025-61728
Score: 6.5
Patch: https://github.com/golang/go/commit/3235ef3db85c

(From OE-Core rev: 31eb409b8a0537d97e09e6a13b8182db4135f3c9)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00
Deepak Rathore 242963f4cd go 1.22.12: Fix CVE-2025-61726
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61726
Type: Security Fix
CVE: CVE-2025-61726
Score: 7.5
Patch: https://github.com/golang/go/commit/85c794ddce26

(From OE-Core rev: 6a1ae4e79252f9a896faa702e4a8b3e27529a474)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00
Deepak Rathore dde29170e3 go 1.22.12: Fix CVE-2025-61730
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61730
Type: Security Fix
CVE: CVE-2025-61730
Score: 4.2
Patch: https://github.com/golang/go/commit/ad2cd043db66

(From OE-Core rev: 71f645d9ebf77d30744780e777955a6c7e28258b)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-27 17:45:06 +00:00
Vijay Anusuri 795103a538 go: Fix CVE-2025-61729
Upstream-Status: Backport from https://github.com/golang/go/commit/3a842bd5c6aa8eefa13c0174de3ab361e50bd672

(From OE-Core rev: 2d6d68e46a430a1dbba7bd8b7d37ff56f4f5a0e6)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Vijay Anusuri d3c87dc830 go: Fix CVE-2025-61727
Upstream-Status: Backport from https://github.com/golang/go/commit/04db77a423cac75bb82cc9a6859991ae9c016344

(From OE-Core rev: 647e151485bd10a8bbbdbae4825791723c9a5d8e)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Vijay Anusuri a5cecb013b go: Update CVE-2025-58187
Upstream-Status: Backport from https://github.com/golang/go/commit/ca6a5545ba18844a97c88a90a385eb6335bb7526

(From OE-Core rev: 2d6b089de3ef5e062d852eb93e3ff16997e796ef)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Archana Polampalli c973f0e006 go: fix CVE-2025-61724
The Reader.ReadResponse function constructs a response string through
repeated string concatenation of lines. When the number of lines in a
response is large, this can cause excessive CPU consumption.

(From OE-Core rev: 512c36af3b9d344606b2ebf54bc2f99b88dfea63)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-14 06:45:29 -08:00
Archana Polampalli 79aeef5d35 go: fix CVE-2025-61723
The processing time for parsing some invalid inputs scales non-linearly with
respect to the size of the input. This affects programs which parse untrusted PEM inputs.

(From OE-Core rev: 228e4aa70743b92eaf1abd5526827b34b33f3419)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-14 06:45:29 -08:00
Archana Polampalli 18bfeb632b go: fix CVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included
in square brackets within the host component of a URL. RFC 3986 permits
IPv6 addresses to be included within the host component, enclosed within
square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames
must not appear within square brackets. Parse did not enforce this requirement.

(From OE-Core rev: c5fc59eb87d0f92ba8596b7848d16d59773582a0)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-14 06:45:29 -08:00
Archana Polampalli b3b8ae2317 go: fix CVE-2025-58189
When Conn.Handshake fails during ALPN negotiation the error contains attacker
controlled information (the ALPN protocols sent by the client) which is not escaped.

(From OE-Core rev: e734cf62f24640d116c901dd97e09ddbb1f0cc4f)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-14 06:45:29 -08:00
Archana Polampalli 8c87818a10 go: fix CVE-2025-58188
Validating certificate chains which contain DSA public keys can cause
programs to panic, due to a interface cast that assumes they implement
the Equal method. This affects programs which validate arbitrary certificate chains.

(From OE-Core rev: b532fa208d0b102326642a2fba8b17661a14307e)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-14 06:45:29 -08:00
Archana Polampalli a6d452646e go: fix CVE-2025-58187
Due to the design of the name constraint checking algorithm, the processing
time of some inputs scals non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.

(From OE-Core rev: ce1626d1f1e232bc6da81e89088d0c0f5f3c52b4)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-14 06:45:29 -08:00
Archana Polampalli 0c4e028627 go: fix CVE-2025-58185
Parsing a maliciously crafted DER payload could allocate large amounts of memory,
causing memory exhaustion.

(From OE-Core rev: f27acc863ee34b56e2c49dc96ad2b58fb35e2d46)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-14 06:45:29 -08:00
Archana Polampalli e085cf0d53 go: fix CVE-2025-47906
If the PATH environment variable contains paths which are executables
(rather than just directories), passing certain strings to LookPath
("", ".", and ".."), can result in the binaries listed in the PATH
 being unexpectedly returned.

(From OE-Core rev: ed6df1883225ec08e637a0d7a15a6a5da4665d8d)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-10-13 12:42:58 -07:00
Peter Marko 3f6144ca20 go-binary-native: ignore CVE-2025-0913
This was already done for all other go recipes.

(From OE-Core rev: 63dfdbf774dc24ea4e736a6d13d6aa8c72ebee4d)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-09-01 08:30:56 -07:00
Praveen Kumar 766dfe5115 go: fix CVE-2025-47907
Cancelling a query (e.g. by cancelling the context passed to one of
the query methods) during a call to the Scan method of the returned
Rows can result in unexpected results if other queries are being made
in parallel. This can result in a race condition that may overwrite
the expected results with those of another query, causing the call to
Scan to return either unexpected results from the other query or an
error.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47907

Upstream-patch:
https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9

(From OE-Core rev: 22d8ac9884208b8f9b2a69ec6a257c62e1f2f8d2)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-09-01 08:30:56 -07:00
Archana Polampalli b4135ab254 go: fix CVE-2025-4674
The go command may execute unexpected commands when operating in untrusted VCS repositories.
This occurs when possibly dangerous VCS configuration is present in repositories.
This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata
for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line,
i.e. via "go get", are not affected.

(From OE-Core rev: efdc4920571677c9051d4402eaa801672eeb24e3)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-09-01 08:30:56 -07:00
Peter Marko 2cc9a0249b go: ignore CVE-2025-0913
This is problem on Windows platform only.

Per NVD report [1], CPE has "and" clause
Running on/with
 cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Also linked patch [2] changes Windows files only (and tests).

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-0913
[2] https://go-review.googlesource.com/c/go/+/672396

(From OE-Core rev: ec1c6ab989b298773e8df8a6a4532f88b93617ff)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-08-20 07:37:19 -07:00
Praveen Kumar b4562b5fca go: fix CVE-2025-4673
Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects potentially leaking sensitive information.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-4673

Upstream-patch:
https://github.com/golang/go/commit/b897e97c36cb62629a458bc681723ca733404e32

(From OE-Core rev: 72279bbc1ff2d85563c5245195435f078c5d1a68)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-07-07 07:42:58 -07:00
Peter Marko e8a99c83b3 go: set status of CVE-2024-3566
NVD ([1]) tracks this as:
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Running on/with
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Yocto cve-check ignores the "Running on/with", so it needs to be ignored
explicitly.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3566

(From OE-Core rev: b8841097eaf7545abf56eb52a122e113b54ba2a7)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-06-25 08:35:09 -07:00
Hitendra Prajapati 5cf979eb70 go: fix CVE-2025-22871
Upstream-Status: Backport from https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931

(From OE-Core rev: b343da566856ad17b5dc03d42d9241bcb44cad1b)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-16 06:41:24 -07:00
Archana Polampalli 60feedab22 go: fix CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable
is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly
match and not be proxied.

(From OE-Core rev: 88e79f915137edc5a37a110abdc79f5800404e45)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-04-16 06:41:24 -07:00
Peter Marko ccb6625fee go: upgrade 1.22.11 -> 1.22.12
Upgrade to latest 1.22.x release [1]:

$ git --no-pager log --oneline go1.22.11..go1.22.12
5817e65094 (tag: go1.22.12) [release-branch.go1.22] go1.22.12
0cc45e7ca6 [release-branch.go1.22] crypto/internal/fips140/nistec: make p256NegCond constant time on ppc64le
c3c6a50095 [release-branch.go1.22] cmd/go/internal/modfetch: do not trust server to send all tags in shallow fetch
e0a01acd04 [release-branch.go1.22] cmd/compile: fix write barrier coalescing

Fixes CVE-2025-22866

[1] https://github.com/golang/go/compare/go1.22.11...go1.22.12

(From OE-Core rev: 423ad5a67768738dac454b1e2aa27746f74511c5)

(From OE-Core rev: 9862cb44ad0f85eebbd9c7f6bcbf22df9cc10d0f)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-02-14 06:38:54 -08:00