<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/go, branch kirkstone</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=kirkstone</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=kirkstone'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2026-01-02T15:21:42+00:00</updated>
<entry>
<title>go: Fix CVE-2025-61729</title>
<updated>2026-01-02T15:21:42+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-12-29T12:47:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c942cdb0572ab065a13424aa7482404269ff9554'/>
<id>urn:sha1:c942cdb0572ab065a13424aa7482404269ff9554</id>
<content type='text'>
Upstream-Status: Backport from https://github.com/golang/go/commit/3a842bd5c6aa8eefa13c0174de3ab361e50bd672

(From OE-Core rev: 0057fc49725db8637656fac10631d8f89799bad3)

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: Fix CVE-2025-61727</title>
<updated>2026-01-02T15:21:42+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-12-29T12:47:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=690dcd26216a6a2e8994592fb7ad56395c5ddf36'/>
<id>urn:sha1:690dcd26216a6a2e8994592fb7ad56395c5ddf36</id>
<content type='text'>
Upstream-Status: Backport from https://github.com/golang/go/commit/04db77a423cac75bb82cc9a6859991ae9c016344

(From OE-Core rev: dc1d95e3edfeaa5458fc564910ae5c9445a6f942)

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: Update CVE-2025-58187</title>
<updated>2026-01-02T15:21:42+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-12-29T12:47:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=084488d13fe957c146c3cb75c286419409a6f451'/>
<id>urn:sha1:084488d13fe957c146c3cb75c286419409a6f451</id>
<content type='text'>
Upstream-Status: Backport from https://github.com/golang/go/commit/ca6a5545ba18844a97c88a90a385eb6335bb7526

(From OE-Core rev: 43b3d2b2ef77c97b323b86bd6ee54996c38e46ed)

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: Fix CVE-2023-39323</title>
<updated>2025-12-31T15:24:54+00:00</updated>
<author>
<name>Libo Chen</name>
<email>libo.chen.cn@windriver.com</email>
</author>
<published>2025-12-18T07:18:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9af12b047ec2e3b2d04c760be18e2f5cbfb5d5d3'/>
<id>urn:sha1:9af12b047ec2e3b2d04c760be18e2f5cbfb5d5d3</id>
<content type='text'>
Line directives ("//line") can be used to bypass the restrictions on
"//go:cgo_" directives, allowing blocked linker and compiler flags to
be passed during compilation. This can result in unexpected execution
of arbitrary code when running "go build". The line directive requires
the absolute path of the file in which the directive lives, which makes
exploiting this issue significantly more complex.

Made below changes for Go 1.17 backport:
- drop the modifications of test codes

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39323

Upstream-patch:
https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555

(From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101)

Signed-off-by: Libo Chen &lt;libo.chen.cn@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-61724</title>
<updated>2025-12-05T14:56:34+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-28T16:07:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ba9338d8105282239f00ea0939502ffa507d5e35'/>
<id>urn:sha1:ba9338d8105282239f00ea0939502ffa507d5e35</id>
<content type='text'>
The Reader.ReadResponse function constructs a response string through repeated
string concatenation of lines. When the number of lines in a response is large,
this can cause excessive CPU consumption.

(From OE-Core rev: 188dbac037809d6e8f0e1667f563fea997ea04b8)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-61723</title>
<updated>2025-12-05T14:56:34+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-28T16:07:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=46c836aefa1968e2ea8bdbdcc1bff6d329ddcc24'/>
<id>urn:sha1:46c836aefa1968e2ea8bdbdcc1bff6d329ddcc24</id>
<content type='text'>
The processing time for parsing some invalid inputs scales non-linearly with
respect to the size of the input. This affects programs which parse untrusted PEM inputs.

(From OE-Core rev: cfafebef95330e531ab7bb590e5fb566dd5a3dce)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-58189</title>
<updated>2025-12-05T14:56:34+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-28T16:07:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5f8155aefa0930c0495f24cfc2dbecc8b6ff4e0d'/>
<id>urn:sha1:5f8155aefa0930c0495f24cfc2dbecc8b6ff4e0d</id>
<content type='text'>
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled
information (the ALPN protocols sent by the client) which is not escaped.

(From OE-Core rev: b3f055df67cf345c9a17c5c1c874c778d538ba9e)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-58187</title>
<updated>2025-12-05T14:56:34+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-28T16:07:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=dd0a2c24702152c76547b1db2690ff5af3d23f06'/>
<id>urn:sha1:dd0a2c24702152c76547b1db2690ff5af3d23f06</id>
<content type='text'>
Due to the design of the name constraint checking algorithm, the processing time
of some inputs scale non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.

(From OE-Core rev: cea9fcf1b21b1b35b88986b676d712ab8ffa9d67)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2024-24783</title>
<updated>2025-11-06T15:14:05+00:00</updated>
<author>
<name>Hitendra Prajapati</name>
<email>hprajapati@mvista.com</email>
</author>
<published>2025-11-03T06:13:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8641f0fec992d079cd0c1d7ba0032e5568d194cf'/>
<id>urn:sha1:8641f0fec992d079cd0c1d7ba0032e5568d194cf</id>
<content type='text'>
Upstream-Status: Backport https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0

(From OE-Core rev: b7d89fae22b317199b8f72978712075078a17005)

Signed-off-by: Hitendra Prajapati &lt;hprajapati@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-47906</title>
<updated>2025-10-14T14:20:36+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-10-09T08:57:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f63f49bdead2591f2fbbf9a732fbfdef5272bdfa'/>
<id>urn:sha1:f63f49bdead2591f2fbbf9a732fbfdef5272bdfa</id>
<content type='text'>
If the PATH environment variable contains paths which are executables
(rather than just directories), passing certain strings to LookPath
("", ".", and ".."), can result in the binaries listed in the PATH
being unexpectedly returned.

(From OE-Core rev: c4d81e32ee3fb7d05db2cfbfaaa8081841bc16ce)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
