[OE-core] [warrior 18/19] go: fix CVE-2019-16276

Andrey Zhizhikin andrey.z at gmail.com
Fri Nov 1 18:31:40 UTC 2019


On Fri, Nov 1, 2019 at 7:12 PM Martin Jansa <martin.jansa at gmail.com> wrote:
>
> I've reported the same yesterday:
> http://lists.openembedded.org/pipermail/openembedded-core/2019-October/288638.html
>
> and sent upgrade to match the minor version used in warrior to the one in zeus (which resolves the patch to apply cleanly):
> http://lists.openembedded.org/pipermail/openembedded-core/2019-October/288656.html

I've actually just found your upgrade patches from yesterday, and they
should solve the issue. I guess it was just the fact that the upgrade to
1.12.9 didn't make it to warrior yet - I've ended up with the state
where I had 1.12.1 in warrior for the recipe, and the patch from 1.12.9.

Once your patches land in the warrior repo, this hunk will be
resolved, since the patch is actually made for 1.12.9 and that is why
there are no complaints from master now.

>
> I don't use go for anything, but go 1.11 was also updated in thud:
> http://lists.openembedded.org/pipermail/openembedded-core/2019-October/287724.html
> so I was assuming that this minor upgrade in 1.12 should be safe enough for warrior as well.
>
> Regards,
>
> On Fri, Nov 1, 2019 at 6:40 PM Khem Raj <raj.khem at gmail.com> wrote:
>>
>> On Fri, Nov 1, 2019 at 10:33 AM Andrey Zhizhikin <andrey.z at gmail.com> wrote:
>> >
>> > Hello Armin,
>> >
>> > On Tue, Oct 29, 2019 at 10:50 AM Armin Kuster <akuster808 at gmail.com> wrote:
>> > >
>> > > From: Chen Qi <Qi.Chen at windriver.com>
>> > >
>> > > Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>> > > Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
>> > > (cherry picked from commit e31f87e289dfd3bbca961e927447a9c7ba816d3f)
>> > > Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> > > (cherry picked from commit e02e8fa2e82cceaaa6a433466f52f97b0984762a)
>> > > Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> > > ---
>> >
>> > This patch didn't apply cleanly on warrior, but the same patch on master
>> > seems to be OK. I got a hunk in transport_test.go which has been
>> > resolved by build, but since this is a security-related patch I wanted
>> > to bring some attention here.
>> >
>>
>> if it's failing in testcase as a last report we can drop that if that
>> hunk is not backportable.
>> > >
>> > > --
>> > > _______________________________________________
>> > > Openembedded-core mailing list
>> > > Openembedded-core at lists.openembedded.org
>> > > http://lists.openembedded.org/mailman/listinfo/openembedded-core
>> >
>> > --
>> > Regards,
>> > Andrey.

-- 
Regards,
Andrey.

