[scarthgap,3/9] go: ignore CVE-2025-0913

Message ID	ec1c6ab989b298773e8df8a6a4532f88b93617ff.1755276097.git.steve@sakoman.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.44, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 3/9] go: ignore CVE-2025-0913 Date: Fri, 15 Aug 2025 09:44:54 -0700 Message-ID: <ec1c6ab989b298773e8df8a6a4532f88b93617ff.1755276097.git.steve@sakoman.com> In-Reply-To: <cover.1755276097.git.steve@sakoman.com> References: <cover.1755276097.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,1/9] avahi: fix CVE-2024-52615 \| expand [scarthgap,1/9] avahi: fix CVE-2024-52615 [scarthgap,2/9] python3: patch CVE-2025-8194 [scarthgap,3/9] go: ignore CVE-2025-0913 [scarthgap,4/9] gstreamer1.0-plugins-base: fix CVE-2025-47808 [scarthgap,5/9] gstreamer1.0-plugins-base: fix CVE-2025-47806 [scarthgap,6/9] gstreamer1.0-plugins-good: fix multiple CVEs [scarthgap,7/9] libpam: re-add missing libgen include [scarthgap,8/9] cmake: Add PACKAGECONFIG option for debugger support [scarthgap,9/9] go-helloworld: fix license

Message ID

ec1c6ab989b298773e8df8a6a4532f88b93617ff.1755276097.git.steve@sakoman.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 3/9] go: ignore CVE-2025-0913
Date: Fri, 15 Aug 2025 09:44:54 -0700
Message-ID: 
 <ec1c6ab989b298773e8df8a6a4532f88b93617ff.1755276097.git.steve@sakoman.com>
In-Reply-To: <cover.1755276097.git.steve@sakoman.com>
References: <cover.1755276097.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,1/9] avahi: fix CVE-2024-52615 | expand

Commit Message

Steve Sakoman Aug. 15, 2025, 4:44 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

This is problem on Windows platform only.

Per NVD report [1], CPE has "and" clause
Running on/with
 cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Also linked patch [2] changes Windows files only (and tests).

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-0913
[2] https://go-review.googlesource.com/c/go/+/672396

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.22.12.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index af09cb52cd..ea57b23c3e 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -19,3 +19,5 @@  SRC_URI += "\
     file://CVE-2025-4673.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
+
+CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows"

[scarthgap,3/9] go: ignore CVE-2025-0913

Commit Message

Patch