diff mbox series

[v2,1/1] go: ignore CVE-2023-45283 and CVE-2023-45284

Message ID 20231208104215.1425474-1-soumya.sambu@windriver.com
State New
Headers show
Series [v2,1/1] go: ignore CVE-2023-45283 and CVE-2023-45284 | expand

Commit Message

Sambu, Soumya Dec. 8, 2023, 10:42 a.m. UTC 
From: Soumya Sambu <soumya.sambu@windriver.com>

These CVEs affect path handling on Windows.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45283
https://nvd.nist.gov/vuln/detail/CVE-2023-45284

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 meta/recipes-devtools/go/go-1.20.10.inc | 3 +++
 1 file changed, 3 insertions(+)

Comments

Alexandre Belloni Dec. 9, 2023, 12:25 p.m. UTC | #1 
Hello,

We had go upgrades in between, can you rebase (and check if this is
still needed)?

On 08/12/2023 10:42:15+0000, Soumya via lists.openembedded.org wrote:
> From: Soumya Sambu <soumya.sambu@windriver.com>
> 
> These CVEs affect path handling on Windows.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-45283
> https://nvd.nist.gov/vuln/detail/CVE-2023-45284
> 
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> ---
>  meta/recipes-devtools/go/go-1.20.10.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-devtools/go/go-1.20.10.inc b/meta/recipes-devtools/go/go-1.20.10.inc
> index 39509ed986..0c0a736084 100644
> --- a/meta/recipes-devtools/go/go-1.20.10.inc
> +++ b/meta/recipes-devtools/go/go-1.20.10.inc
> @@ -16,3 +16,6 @@ SRC_URI += "\
>      file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
>  "
>  SRC_URI[main.sha256sum] = "72d2f51805c47150066c103754c75fddb2c19d48c9219fa33d1e46696c841dbb"
> +
> +CVE_STATUS[CVE-2023-45283] = "not-applicable-platform: Issue only applies on Windows"
> +CVE_STATUS[CVE-2023-45284] = "not-applicable-platform: Issue only applies on Windows"
> -- 
> 2.40.0
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#192038): https://lists.openembedded.org/g/openembedded-core/message/192038
> Mute This Topic: https://lists.openembedded.org/mt/103052741/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Sambu, Soumya Dec. 11, 2023, 10:35 a.m. UTC | #2 
Hi Alexandre,

I see that current go version is 1.20.12 which is not vulnerable to these CVEs. Kindly ignore this patch.

Regards,
Soumya
diff mbox series

Patch

diff --git a/meta/recipes-devtools/go/go-1.20.10.inc b/meta/recipes-devtools/go/go-1.20.10.inc
index 39509ed986..0c0a736084 100644
--- a/meta/recipes-devtools/go/go-1.20.10.inc
+++ b/meta/recipes-devtools/go/go-1.20.10.inc
@@ -16,3 +16,6 @@  SRC_URI += "\
     file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
 "
 SRC_URI[main.sha256sum] = "72d2f51805c47150066c103754c75fddb2c19d48c9219fa33d1e46696c841dbb"
+
+CVE_STATUS[CVE-2023-45283] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2023-45284] = "not-applicable-platform: Issue only applies on Windows"