1 files changed, 106 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 3dfd671d11..9c7ceda891 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -16,6 +16,112 @@ SRC_URI += "\
    file://0006-cmd-dist-separate-host-and-target-builds.patch \
    file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
    file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
+    file://CVE-2021-34558.patch \
+    file://CVE-2021-33196.patch \
+    file://CVE-2021-33197.patch \
+    file://CVE-2021-38297.patch \
+    file://CVE-2022-23806.patch \
+    file://CVE-2022-23772.patch \
+    file://CVE-2021-44717.patch \
+    file://CVE-2022-24675.patch \
+    file://CVE-2021-31525.patch \
+    file://CVE-2022-30629.patch \
+    file://CVE-2022-30631.patch \
+    file://CVE-2022-30632.patch \
+    file://CVE-2022-30633.patch \
+    file://CVE-2022-30635.patch \
+    file://CVE-2022-32148.patch \
+    file://CVE-2022-32189.patch \
+    file://CVE-2021-27918.patch \
+    file://CVE-2021-36221.patch \
+    file://CVE-2021-39293.patch \
+    file://CVE-2021-41771.patch \
+    file://CVE-2022-27664.patch \
+    file://0001-CVE-2022-32190.patch \
+    file://0002-CVE-2022-32190.patch \
+    file://0003-CVE-2022-32190.patch \
+    file://0004-CVE-2022-32190.patch \
+    file://CVE-2022-2880.patch \
+    file://CVE-2022-2879.patch \
+    file://CVE-2021-33195.patch \
+    file://CVE-2021-33198.patch \
+    file://CVE-2021-44716.patch \
+    file://CVE-2022-24921.patch \
+    file://CVE-2022-28131.patch \
+    file://CVE-2022-28327.patch \
+    file://CVE-2022-41715.patch \
+    file://CVE-2022-41717.patch \
+    file://CVE-2022-1962.patch \
+    file://CVE-2022-41723.patch \
+    file://CVE-2022-41722-1.patch \
+    file://CVE-2022-41722-2.patch \
+    file://CVE-2020-29510.patch \
+    file://CVE-2023-24537.patch \
+    file://CVE-2023-24534.patch \
+    file://CVE-2023-24538-1.patch \
+    file://CVE-2023-24538-2.patch \
+    file://CVE-2023-24538_3.patch \
+    file://CVE-2023-24538_4.patch \
+    file://CVE-2023-24538_5.patch \
+    file://CVE-2023-24538_6.patch \
+    file://CVE-2023-24539.patch \
+    file://CVE-2023-24540.patch \
+    file://CVE-2023-29405-1.patch \
+    file://CVE-2023-29405-2.patch \
+    file://CVE-2023-29402.patch \
+    file://CVE-2023-29404.patch \
+    file://CVE-2023-29400.patch \
+    file://CVE-2023-29406-1.patch \
+    file://CVE-2023-29406-2.patch \
+    file://CVE-2023-29409.patch \
+    file://CVE-2022-41725-pre1.patch \
+    file://CVE-2022-41725-pre2.patch \
+    file://CVE-2022-41725-pre3.patch \
+    file://CVE-2022-41725.patch \
+    file://CVE-2023-24536_1.patch \
+    file://CVE-2023-24536_2.patch \
+    file://CVE-2023-24536_3.patch \
+    file://CVE-2023-39318.patch \
+    file://CVE-2023-39319.patch \
+    file://CVE-2023-39326.patch \
+    file://CVE-2023-45287-pre1.patch \
+    file://CVE-2023-45287-pre2.patch \
+    file://CVE-2023-45287-pre3.patch \
+    file://CVE-2023-45287.patch \
+    file://CVE-2023-45289.patch \
+    file://CVE-2023-45290.patch \
+    file://CVE-2024-24785.patch \
+    file://CVE-2024-24784.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
+# Upstream don't believe it is a signifiant real world issue and will only
+# fix in 1.17 onwards where we can drop this.
+# https://github.com/golang/go/issues/30999#issuecomment-910470358
+CVE_CHECK_WHITELIST += "CVE-2021-29923"
+# this issue affected go1.15 onwards
+# https://security-tracker.debian.org/tracker/CVE-2022-29526
+CVE_CHECK_WHITELIST += "CVE-2022-29526"
+# Issue only on windows
+CVE_CHECK_WHITELIST += "CVE-2022-29804"
+CVE_CHECK_WHITELIST += "CVE-2022-30580"
+CVE_CHECK_WHITELIST += "CVE-2022-30634"
+# Issue is in golang.org/x/net/html/parse.go, not used in go compiler
+CVE_CHECK_WHITELIST += "CVE-2021-33194"
+# Issue introduced in go1.16, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2021-41772"
+# Fixes code that was added in go1.16, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2022-30630"
+# This is specific to Microsoft Windows
+CVE_CHECK_WHITELIST += "CVE-2022-41716"
+# Issue introduced in go1.15beta1, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2022-1705"

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 3dfd671d11..9c7ceda891 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -16,6 +16,112 @@ SRC_URI += "\
16	file://0006-cmd-dist-separate-host-and-target-builds.patch \	16	file://0006-cmd-dist-separate-host-and-target-builds.patch \
17	file://0007-cmd-go-make-GOROOT-precious-by-default.patch \	17	file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
18	file://0008-use-GOBUILDMODE-to-set-buildmode.patch \	18	file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
		19	file://CVE-2021-34558.patch \
		20	file://CVE-2021-33196.patch \
		21	file://CVE-2021-33197.patch \
		22	file://CVE-2021-38297.patch \
		23	file://CVE-2022-23806.patch \
		24	file://CVE-2022-23772.patch \
		25	file://CVE-2021-44717.patch \
		26	file://CVE-2022-24675.patch \
		27	file://CVE-2021-31525.patch \
		28	file://CVE-2022-30629.patch \
		29	file://CVE-2022-30631.patch \
		30	file://CVE-2022-30632.patch \
		31	file://CVE-2022-30633.patch \
		32	file://CVE-2022-30635.patch \
		33	file://CVE-2022-32148.patch \
		34	file://CVE-2022-32189.patch \
		35	file://CVE-2021-27918.patch \
		36	file://CVE-2021-36221.patch \
		37	file://CVE-2021-39293.patch \
		38	file://CVE-2021-41771.patch \
		39	file://CVE-2022-27664.patch \
		40	file://0001-CVE-2022-32190.patch \
		41	file://0002-CVE-2022-32190.patch \
		42	file://0003-CVE-2022-32190.patch \
		43	file://0004-CVE-2022-32190.patch \
		44	file://CVE-2022-2880.patch \
		45	file://CVE-2022-2879.patch \
		46	file://CVE-2021-33195.patch \
		47	file://CVE-2021-33198.patch \
		48	file://CVE-2021-44716.patch \
		49	file://CVE-2022-24921.patch \
		50	file://CVE-2022-28131.patch \
		51	file://CVE-2022-28327.patch \
		52	file://CVE-2022-41715.patch \
		53	file://CVE-2022-41717.patch \
		54	file://CVE-2022-1962.patch \
		55	file://CVE-2022-41723.patch \
		56	file://CVE-2022-41722-1.patch \
		57	file://CVE-2022-41722-2.patch \
		58	file://CVE-2020-29510.patch \
		59	file://CVE-2023-24537.patch \
		60	file://CVE-2023-24534.patch \
		61	file://CVE-2023-24538-1.patch \
		62	file://CVE-2023-24538-2.patch \
		63	file://CVE-2023-24538_3.patch \
		64	file://CVE-2023-24538_4.patch \
		65	file://CVE-2023-24538_5.patch \
		66	file://CVE-2023-24538_6.patch \
		67	file://CVE-2023-24539.patch \
		68	file://CVE-2023-24540.patch \
		69	file://CVE-2023-29405-1.patch \
		70	file://CVE-2023-29405-2.patch \
		71	file://CVE-2023-29402.patch \
		72	file://CVE-2023-29404.patch \
		73	file://CVE-2023-29400.patch \
		74	file://CVE-2023-29406-1.patch \
		75	file://CVE-2023-29406-2.patch \
		76	file://CVE-2023-29409.patch \
		77	file://CVE-2022-41725-pre1.patch \
		78	file://CVE-2022-41725-pre2.patch \
		79	file://CVE-2022-41725-pre3.patch \
		80	file://CVE-2022-41725.patch \
		81	file://CVE-2023-24536_1.patch \
		82	file://CVE-2023-24536_2.patch \
		83	file://CVE-2023-24536_3.patch \
		84	file://CVE-2023-39318.patch \
		85	file://CVE-2023-39319.patch \
		86	file://CVE-2023-39326.patch \
		87	file://CVE-2023-45287-pre1.patch \
		88	file://CVE-2023-45287-pre2.patch \
		89	file://CVE-2023-45287-pre3.patch \
		90	file://CVE-2023-45287.patch \
		91	file://CVE-2023-45289.patch \
		92	file://CVE-2023-45290.patch \
		93	file://CVE-2024-24785.patch \
		94	file://CVE-2024-24784.patch \
19	"	95	"
		96
20	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	97	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
21	SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"	98	SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
		99
		100	# Upstream don't believe it is a signifiant real world issue and will only
		101	# fix in 1.17 onwards where we can drop this.
		102	# https://github.com/golang/go/issues/30999#issuecomment-910470358
		103	CVE_CHECK_WHITELIST += "CVE-2021-29923"
		104
		105	# this issue affected go1.15 onwards
		106	# https://security-tracker.debian.org/tracker/CVE-2022-29526
		107	CVE_CHECK_WHITELIST += "CVE-2022-29526"
		108
		109	# Issue only on windows
		110	CVE_CHECK_WHITELIST += "CVE-2022-29804"
		111	CVE_CHECK_WHITELIST += "CVE-2022-30580"
		112	CVE_CHECK_WHITELIST += "CVE-2022-30634"
		113
		114	# Issue is in golang.org/x/net/html/parse.go, not used in go compiler
		115	CVE_CHECK_WHITELIST += "CVE-2021-33194"
		116
		117	# Issue introduced in go1.16, does not exist in 1.14
		118	CVE_CHECK_WHITELIST += "CVE-2021-41772"
		119
		120	# Fixes code that was added in go1.16, does not exist in 1.14
		121	CVE_CHECK_WHITELIST += "CVE-2022-30630"
		122
		123	# This is specific to Microsoft Windows
		124	CVE_CHECK_WHITELIST += "CVE-2022-41716"
		125
		126	# Issue introduced in go1.15beta1, does not exist in 1.14
		127	CVE_CHECK_WHITELIST += "CVE-2022-1705"