diff mbox series

go: set status for CVE-2024-24786

Message ID 20260415183257.1868823-1-peter.marko@siemens.com
State New
Headers show
Series go: set status for CVE-2024-24786 | expand

Commit Message

Peter Marko April 15, 2026, 6:32 p.m. UTC 
From: Peter Marko <peter.marko@siemens.com>

cvelistV5 has wrong CPE:
* "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*"

The CVE is actually for golang-google-protobuf as links in the CVE
report prove:
* https://pkg.go.dev/vuln/GO-2024-2611

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-devtools/go/go-binary-native_1.26.2.bb | 1 +
 meta/recipes-devtools/go/go-common.inc              | 1 +
 2 files changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/meta/recipes-devtools/go/go-binary-native_1.26.2.bb b/meta/recipes-devtools/go/go-binary-native_1.26.2.bb
index 380174f3cb..d9006373f6 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.26.2.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.26.2.bb
@@ -18,6 +18,7 @@  UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
 
 CVE_PRODUCT = "golang:go"
 CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2024-24786] = "cpe-incorrect: this CVE is for golang-google-protobuf"
 
 S = "${UNPACKDIR}/go"
 
diff --git a/meta/recipes-devtools/go/go-common.inc b/meta/recipes-devtools/go/go-common.inc
index 061db4296c..5d0177bdb6 100644
--- a/meta/recipes-devtools/go/go-common.inc
+++ b/meta/recipes-devtools/go/go-common.inc
@@ -22,6 +22,7 @@  UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
 # all recipe variants are created from the same product
 CVE_PRODUCT = "golang:go"
 CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2024-24786] = "cpe-incorrect: this CVE is for golang-google-protobuf"
 
 INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
 SSTATE_SCAN_CMD = "true"