<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools, branch yocto-5.0.14</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-11-14T14:45:29+00:00</updated>
<entry>
<title>go: fix CVE-2025-61724</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-07T10:21:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c973f0e00687c5803f89230bd8f2815ec777f321'/>
<id>urn:sha1:c973f0e00687c5803f89230bd8f2815ec777f321</id>
<content type='text'>
The Reader.ReadResponse function constructs a response string through
repeated string concatenation of lines. When the number of lines in a
response is large, this can cause excessive CPU consumption.

(From OE-Core rev: 512c36af3b9d344606b2ebf54bc2f99b88dfea63)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-61723</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-07T10:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=79aeef5d3545ad4ab3c424dfdba07d36ce2a5dc7'/>
<id>urn:sha1:79aeef5d3545ad4ab3c424dfdba07d36ce2a5dc7</id>
<content type='text'>
The processing time for parsing some invalid inputs scales non-linearly with
respect to the size of the input. This affects programs which parse untrusted PEM inputs.

(From OE-Core rev: 228e4aa70743b92eaf1abd5526827b34b33f3419)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-47912</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-07T10:21:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=18bfeb632b23da6aff71f4dd7e37b29b8562c7a3'/>
<id>urn:sha1:18bfeb632b23da6aff71f4dd7e37b29b8562c7a3</id>
<content type='text'>
The Parse function permits values other than IPv6 addresses to be included
in square brackets within the host component of a URL. RFC 3986 permits
IPv6 addresses to be included within the host component, enclosed within
square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames
must not appear within square brackets. Parse did not enforce this requirement.

(From OE-Core rev: c5fc59eb87d0f92ba8596b7848d16d59773582a0)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-58189</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-07T10:21:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b3b8ae23172be1e4f2deee24116612dda73f585c'/>
<id>urn:sha1:b3b8ae23172be1e4f2deee24116612dda73f585c</id>
<content type='text'>
When Conn.Handshake fails during ALPN negotiation the error contains attacker
controlled information (the ALPN protocols sent by the client) which is not escaped.

(From OE-Core rev: e734cf62f24640d116c901dd97e09ddbb1f0cc4f)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-58188</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-07T10:20:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8c87818a10f709ca29b17e52f64bbb533294f698'/>
<id>urn:sha1:8c87818a10f709ca29b17e52f64bbb533294f698</id>
<content type='text'>
Validating certificate chains which contain DSA public keys can cause
programs to panic, due to a interface cast that assumes they implement
the Equal method. This affects programs which validate arbitrary certificate chains.

(From OE-Core rev: b532fa208d0b102326642a2fba8b17661a14307e)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-58187</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-07T10:20:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a6d452646eb9cabbc5e3ef86caf2d80e571fd690'/>
<id>urn:sha1:a6d452646eb9cabbc5e3ef86caf2d80e571fd690</id>
<content type='text'>
Due to the design of the name constraint checking algorithm, the processing
time of some inputs scals non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.

(From OE-Core rev: ce1626d1f1e232bc6da81e89088d0c0f5f3c52b4)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>go: fix CVE-2025-58185</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-11-07T10:20:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0c4e0286278d0a818fc8026513b4698f48827f9c'/>
<id>urn:sha1:0c4e0286278d0a818fc8026513b4698f48827f9c</id>
<content type='text'>
Parsing a maliciously crafted DER payload could allocate large amounts of memory,
causing memory exhaustion.

(From OE-Core rev: f27acc863ee34b56e2c49dc96ad2b58fb35e2d46)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: patch CVE-2025-11413</title>
<updated>2025-11-07T14:54:41+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-11-02T11:58:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9e31b2eb185a55c5211605453d3b47492943ad91'/>
<id>urn:sha1:9e31b2eb185a55c5211605453d3b47492943ad91</id>
<content type='text'>
Pick commit per NVD CVE report.

Note that there were two patches for this, first [1] and then [2].
The second patch moved the original patch to different location.
Cherry-pick of second patch is successful leaving out the code removing
the code from first location, so the patch attached here is not
identical to the upstream commit but is identical to applying both and
merging them to a single patch.

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331
[2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0

(From OE-Core rev: 98df728e6136d04af0f4922b7ffbeffb704de395)

(From OE-Core rev: b220cccdab44bc707d2c934a3ea81d20b67d14b0)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: patch CVE-2025-11412</title>
<updated>2025-11-07T14:54:41+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-11-02T11:58:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ca2c8b88be669cb70538771add78ae4c64d920ec'/>
<id>urn:sha1:ca2c8b88be669cb70538771add78ae4c64d920ec</id>
<content type='text'>
Pick commit per NVD CVE report.

(From OE-Core rev: 6b94ff6c584a31d2b1e06d1e1dc19392d759b4b7)

(From OE-Core rev: fdbcbb0fe92a862a993108609eb4107e34eeeed2)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>binutils: patch CVE-2025-11414</title>
<updated>2025-11-07T14:54:41+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-11-02T11:58:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ef4b31498d01e003117767fe2c1308f37c43080a'/>
<id>urn:sha1:ef4b31498d01e003117767fe2c1308f37c43080a</id>
<content type='text'>
Pick commit per NVD CVE report.

(From OE-Core rev: cd7ce80fa1a99916aa2f93c4d9591c5496c3ef71)

(From OE-Core rev: ddb6453a751efb2c07b0866a1aace9d4adb55089)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
