go-cross: add patch that corrects patch CVE-2025-61726#471
Open
EdTheBearded wants to merge 1 commit intotorizon:scarthgap-7.x.yfrom
Open
go-cross: add patch that corrects patch CVE-2025-61726#471EdTheBearded wants to merge 1 commit intotorizon:scarthgap-7.x.yfrom
EdTheBearded wants to merge 1 commit intotorizon:scarthgap-7.x.yfrom
Conversation
On openembedded-core, a patch was added addressing CVE-2025-61726 on go recipe, but this patch introduced another bug, which was affecting us in docker (see [1] for explanation). A patch was submitted to OE-core[1], but this is affecting a majority of our tests (that depends on running containers). So, to unblock this, we internalize the patch while it's under review. Once it gets merged, then we can safely remove the recipes-devtools/go folder from this layer. [1] https://patchwork.yoctoproject.org/project/oe-core/patch/20260309165351.311700-1-eduardo.f120@yahoo.com/ Related-to: TOR-4230 Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
EdTheBearded
requested review from
Freireg,
MatheusRodrigues-tor,
Copilot and
rborn-tx
Collaborator
Author
|
FYI @lucas-p-bernardes |
There was a problem hiding this comment.
Pull request overview
This PR internalizes an OpenEmbedded-core patch update for the Go cross recipe to address CVE-2025-61726 without the regression introduced by the original OE-core patch, unblocking container-based tests until the upstream fix is merged.
Changes:
- Add a
go-cross_%.bbappendto remove the existingCVE-2025-61726.patchfromSRC_URIand append a corrected replacement patch from this layer. - Add a backported Go patch implementing
GODEBUG=urlmaxqueryparamsto cap parsed URL query parameters (plus related docs/metrics/test updates in the patch content).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| recipes-devtools/go/go-cross_%.bbappend | Removes the problematic OE-core CVE patch and applies the corrected local replacement patch. |
| recipes-devtools/go/files/0001-net-url-add-urlmaxqueryparams-GODEBUG-to-limit-the-n.patch | Backport patch content for urlmaxqueryparams limit and associated Go source/doc/test changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| @@ -0,0 +1,14 @@ | |||
| # TODO: remove this whole go_1.22.12.bbappend once the fix is included in the upstream release | |||
recipes-devtools/go/files/0001-net-url-add-urlmaxqueryparams-GODEBUG-to-limit-the-n.patch
Show resolved
Hide resolved
recipes-devtools/go/files/0001-net-url-add-urlmaxqueryparams-GODEBUG-to-limit-the-n.patch
Show resolved
Hide resolved
recipes-devtools/go/files/0001-net-url-add-urlmaxqueryparams-GODEBUG-to-limit-the-n.patch
Show resolved
Hide resolved
Collaborator
Author
|
@MatheusRodrigues-tor could you please review this? The sooner we merge this, the sooner we get back our container automated tests. |
MatheusRodrigues-tor
approved these changes
Mar 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On openembedded-core, a patch was added addressing CVE-2025-61726 on go recipe, but this patch introduced another bug, which was affecting us in docker (see [1] for explanation).
A patch was submitted to OE-core[1], but this is affecting a majority of our tests (that depends on running containers). So, to unblock this, we internalize the patch while it's under review. Once it gets merged, then we can safely remove the recipes-devtools/go folder from this layer.
[1] https://patchwork.yoctoproject.org/project/oe-core/patch/20260309165351.311700-1-eduardo.f120@yahoo.com/
Related-to: TOR-4230