<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/go, branch scarthgap</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2026-03-25T17:34:13+00:00</updated>
<entry>
<title>go: Fix CVE-2025-61726.patch variable ordering</title>
<updated>2026-03-25T17:34:13+00:00</updated>
<author>
<name>Eduardo Ferreira</name>
<email>eduardo.barbosa@toradex.com</email>
</author>
<published>2026-03-09T16:53:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=195c9264bb066d3d5f343789f357b20ee5fed1b5'/>
<id>urn:sha1:195c9264bb066d3d5f343789f357b20ee5fed1b5</id>
<content type='text'>
Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11)
introduced a patch backporting a fix for CVE-2025-61726, but
this patch also introduced a bug.

From Go's source code[1], they say that the 'All' table from 'godebugs'
should be populated alphabetically by Name. And the 'Lookup'[2] function uses
binary search to try and find the variable.

Here's the trace:
Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine.
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godebugs.All: urlmaxqueryparams
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]:
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/http/server.go:1903 +0xb0
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40006441c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         internal/godebug/godebug.go:141 +0xd8
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         sync/once.go:74 +0x100
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         sync/once.go:65
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         internal/godebug/godebug.go:138 +0x50
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/url/url.go:968 +0x3c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/url/url.go:985 +0xdc
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/url/url.go:958
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         net/http/request.go:1317 +0x33c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20

The 'Lookup' function was failing due to the wrong ordering and returning 'nil',
which was not being checked properly and caused this issue.

The fix was to just reorder the line where 'urlmaxqueryparams' is being
added to respect the alphabetical ordering. And for that the whole CVE
patch was generated again.

This change was validated with docker-moby (original issue), where a container
ran successfully and there were no traces in the logs.

[1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
[2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100

(From OE-Core rev: b670b11ff4845b64f861041681ace9c21db16eed)

Signed-off-by: Eduardo Ferreira &lt;eduardo.barbosa@toradex.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>go 1.22.12: Fix CVE-2025-68121</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Deepak Rathore</name>
<email>deeratho@cisco.com</email>
</author>
<published>2026-02-19T07:44:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e44ffb5b150004b0b38a28583f7f826c606a76e8'/>
<id>urn:sha1:e44ffb5b150004b0b38a28583f7f826c606a76e8</id>
<content type='text'>
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-68121
Type: Security Fix
CVE: CVE-2025-68121
Score: 4.8
Patch:
- https://github.com/golang/go/commit/5f07b226f9aa
- https://github.com/golang/go/commit/cb75daf3b291
- https://github.com/golang/go/commit/6a501314718b

(From OE-Core rev: a5ded8dd51a520cf190ea094f65301477b057d8f)

Signed-off-by: Deepak Rathore &lt;deeratho@cisco.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go 1.22.12: Fix CVE-2025-61732</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Deepak Rathore</name>
<email>deeratho@cisco.com</email>
</author>
<published>2026-02-19T07:44:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5f5a2976b2d8b0fb75eb4b84c5fd99e76d14d45f'/>
<id>urn:sha1:5f5a2976b2d8b0fb75eb4b84c5fd99e76d14d45f</id>
<content type='text'>
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61732
Type: Security Fix
CVE: CVE-2025-61732
Score: 8.6
Patch: https://github.com/golang/go/commit/14d0bb39c1c4

(From OE-Core rev: 560778463bd0d4e52ac40851783e39733edcf9d1)

Signed-off-by: Deepak Rathore &lt;deeratho@cisco.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go 1.22.12: Fix CVE-2025-68119</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Deepak Rathore</name>
<email>deeratho@cisco.com</email>
</author>
<published>2026-02-12T05:01:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c13443407a5d7d6fe566677aecae19a749c291c3'/>
<id>urn:sha1:c13443407a5d7d6fe566677aecae19a749c291c3</id>
<content type='text'>
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-68119
Type: Security Fix
CVE: CVE-2025-68119
Score: 7.0
Patch:
[1] https://github.com/golang/go/commit/62452bed4801
[2] https://github.com/golang/go/commit/73fe85f0ea1b

Note:
- First commit [1] is a dependent patch which is required additionally
  in original fix [2] to define ENV variable changes in
  src/cmd/go/internal/vcs/vcs.go file.

(From OE-Core rev: ef995146623cf65c2e30f37b09847883ca7481bb)

Signed-off-by: Deepak Rathore &lt;deeratho@cisco.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go 1.22.12: Fix CVE-2025-61731</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Deepak Rathore</name>
<email>deeratho@cisco.com</email>
</author>
<published>2026-02-12T05:01:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a231c49abc399af64185f7bc8ca1cded0191dd8b'/>
<id>urn:sha1:a231c49abc399af64185f7bc8ca1cded0191dd8b</id>
<content type='text'>
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61731
Type: Security Fix
CVE: CVE-2025-61731
Score: 7.8
Patch: https://github.com/golang/go/commit/00b7309387a1

(From OE-Core rev: a7d8ad20525ee6c74a0e149dfd54c7e5c9e1f740)

Signed-off-by: Deepak Rathore &lt;deeratho@cisco.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go 1.22.12: Fix CVE-2025-61728</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Deepak Rathore</name>
<email>deeratho@cisco.com</email>
</author>
<published>2026-02-12T04:59:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e333b43a692acd58d42c5bdb8ac54b41c07e8a0d'/>
<id>urn:sha1:e333b43a692acd58d42c5bdb8ac54b41c07e8a0d</id>
<content type='text'>
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61728
Type: Security Fix
CVE: CVE-2025-61728
Score: 6.5
Patch: https://github.com/golang/go/commit/3235ef3db85c

(From OE-Core rev: 31eb409b8a0537d97e09e6a13b8182db4135f3c9)

Signed-off-by: Deepak Rathore &lt;deeratho@cisco.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go 1.22.12: Fix CVE-2025-61726</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Deepak Rathore</name>
<email>deeratho@cisco.com</email>
</author>
<published>2026-02-12T04:59:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=242963f4cd1597d31a3efae2422016bf888c6e25'/>
<id>urn:sha1:242963f4cd1597d31a3efae2422016bf888c6e25</id>
<content type='text'>
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61726
Type: Security Fix
CVE: CVE-2025-61726
Score: 7.5
Patch: https://github.com/golang/go/commit/85c794ddce26

(From OE-Core rev: 6a1ae4e79252f9a896faa702e4a8b3e27529a474)

Signed-off-by: Deepak Rathore &lt;deeratho@cisco.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go 1.22.12: Fix CVE-2025-61730</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Deepak Rathore</name>
<email>deeratho@cisco.com</email>
</author>
<published>2026-02-12T04:58:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=dde29170e37afe550fecc5da53eebeaa05e3f790'/>
<id>urn:sha1:dde29170e37afe550fecc5da53eebeaa05e3f790</id>
<content type='text'>
Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61730
Type: Security Fix
CVE: CVE-2025-61730
Score: 4.2
Patch: https://github.com/golang/go/commit/ad2cd043db66

(From OE-Core rev: 71f645d9ebf77d30744780e777955a6c7e28258b)

Signed-off-by: Deepak Rathore &lt;deeratho@cisco.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go: Fix CVE-2025-61729</title>
<updated>2026-01-02T14:56:54+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-12-29T15:44:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=795103a538c5086f5f0dfcfd9c20e57f1e513811'/>
<id>urn:sha1:795103a538c5086f5f0dfcfd9c20e57f1e513811</id>
<content type='text'>
Upstream-Status: Backport from https://github.com/golang/go/commit/3a842bd5c6aa8eefa13c0174de3ab361e50bd672

(From OE-Core rev: 2d6d68e46a430a1dbba7bd8b7d37ff56f4f5a0e6)

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: Fix CVE-2025-61727</title>
<updated>2026-01-02T14:56:54+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-12-29T15:44:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d3c87dc830a9ca59ca0fb8b646c2983d484bfcd1'/>
<id>urn:sha1:d3c87dc830a9ca59ca0fb8b646c2983d484bfcd1</id>
<content type='text'>
Upstream-Status: Backport from https://github.com/golang/go/commit/04db77a423cac75bb82cc9a6859991ae9c016344

(From OE-Core rev: 647e151485bd10a8bbbdbae4825791723c9a5d8e)

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
