Upgrade the RPC component version from 2.45.1 to 2.48.9

polmoorx · polmoorx · commit 44d3c3f4d46a · 2025-12-09T14:03:41.000+05:30
- Upgraded the RPC from 2.45.1 to 2.48.9 to resolve the CVE-2025-47914, CVE-2025-58181, CVE-2025-47913. - Update the rpc.spec file with release, dump version and changelog entry. Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
diff --git a/SPECS/rpc/rpc.signatures.json b/SPECS/rpc/rpc.signatures.json
@@ -1,5 +1,6 @@
 {
   "Signatures": {
-    "rpc-go-2.45.1.tar.gz": "54dcb9a72593f7eef02a35255bc5f79636fd7832d26b0fb1189ad300259178f9"
+    "rpc-go-2.48.9.tar.gz": "bb9cb58d04aca82730c74ae801ce25eb48f18665824d0d351e3e00f68a267584",
+    "rpc-2.48.9-vendor.tar.gz": "4e3c2d407de386317aff1f841c1ca99ce123dfd6d1abc277f12047036418189a"
   }
 }
diff --git a/SPECS/rpc/rpc.spec b/SPECS/rpc/rpc.spec
@@ -1,12 +1,13 @@
 Summary:        Remote Provisioning Client for Intel AMT
 Name:           rpc
-Version:        2.45.1
-Release:        3%{?dist}
+Version:        2.48.9
+Release:        1%{?dist}
 License:        Apache-2.0
 Vendor:         Intel Corporation
 Distribution:   Edge Microvisor Toolkit
 URL:            https://github.com/device-management-toolkit/rpc-go
 Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz#/%{name}-go-%{version}.tar.gz
+Source1:	%{name}-%{version}-vendor.tar.gz
 BuildRequires:  golang >= 1.24.4
 BuildRequires:  golang < 1.25.0
 %global modulename      rpc
@@ -20,20 +21,22 @@ connectivity between the edge node and ITEP.
 
 %prep
 %setup -q -n rpc-go-%{version}
+tar -xzf %{SOURCE1} -C .
 
 %build
 export CGO_ENABLED=0
 export GOOS=linux
 export GOARCH=amd64
 
 go build \
+    -mod=vendor \
     -ldflags "-X 'rpc/pkg/utils.ProjectVersion=%{version}'" \
     -trimpath \
     -o %{name} \
-    ./cmd/main.go
+    ./cmd/rpc/main.go
 
 %install
-install -D -m0755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
 install -D -m 0644 internal/certs/trustedstore/OnDie_CA_RootCA_Certificate.cer %{buildroot}%{_datadir}/OnDie_CA_RootCA_Certificate.cer
 
 mkdir -p %{buildroot}%{_defaultlicensedir}/%{name}
@@ -46,6 +49,9 @@ cp LICENSE %{buildroot}%{_defaultlicensedir}/%{name}
 %license %{_defaultlicensedir}/%{name}/LICENSE
 
 %changelog
+* Wed Dec 3 2025 Polmoorx shiva kumar <polmoorx.shiva.kumar@intel.com> - 2.48.9-1
+- Upgraded the RPC component version from 2.45.1 to 2.48.9 to fix the CVE-2025-47913, CVE-2025-47914, CVE-2025-58181
+
 * Fri Oct 3 2025 Lee Chee Yang <chee.yang.lee@intel.com> - 2.45.1-3
 - build with golang < 1.25
 
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -26774,8 +26774,8 @@
         "type": "other",
         "other": {
           "name": "rpc",
-          "version": "2.45.1",
-          "downloadUrl": "https://github.com/device-management-toolkit/rpc-go/archive/refs/tags/v2.45.1.tar.gz"
+          "version": "2.48.9",
+          "downloadUrl": "https://github.com/device-management-toolkit/rpc-go/archive/refs/tags/v2.48.9.tar.gz"
         }
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`		`- "rpc-go-2.45.1.tar.gz": "54dcb9a72593f7eef02a35255bc5f79636fd7832d26b0fb1189ad300259178f9"`
	`3`	`+ "rpc-go-2.48.9.tar.gz": "bb9cb58d04aca82730c74ae801ce25eb48f18665824d0d351e3e00f68a267584",`
	`4`	`+ "rpc-2.48.9-vendor.tar.gz": "4e3c2d407de386317aff1f841c1ca99ce123dfd6d1abc277f12047036418189a"`
`4`	`5`	`}`
`5`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26774,8 +26774,8 @@`
`26774`	`26774`	`"type": "other",`
`26775`	`26775`	`"other": {`
`26776`	`26776`	`"name": "rpc",`
`26777`		`- "version": "2.45.1",`
`26778`		`- "downloadUrl": "https://github.com/device-management-toolkit/rpc-go/archive/refs/tags/v2.45.1.tar.gz"`
	`26777`	`+ "version": "2.48.9",`
	`26778`	`+ "downloadUrl": "https://github.com/device-management-toolkit/rpc-go/archive/refs/tags/v2.48.9.tar.gz"`
`26779`	`26779`	`}`
`26780`	`26780`	`}`
`26781`	`26781`	`},`