Update CVE patches to fix CVE issues #661
base: 3.0-dev
Conversation
aa721ee to 8c6dd71
SPECS/caddy/caddy.spec
Outdated
| # https://github.com/caddyserver/caddy/commit/2028da4e74cd41f0f7f94222c6599da1a371d4b8 | ||
| BuildRequires: golang >= 1.24.4 | ||
| BuildRequires: golang < 1.25 | ||
| BuildRequires: golang <= 1.25.5 |
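Review bot: the new `BuildRequires: golang <= 1.25.5` upper bound pins the spec to one exact toolchain patch level, so it has to be edited on every Go point release and will stop the package building as soon as the distro ships 1.25.6; combined with dropping `golang < 1.25` it also widens the allowed range into 1.25 without a comment saying why. Either keep `BuildRequires: golang >= 1.24.4` on its own or restore the `< 1.25` bound, and note next to the upstream commit link which Go version the patched caddy actually needs.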
BuildRequires: golang <= 1.25.5 is not required, since this is the latest version.
Why do we need to remove BuildRequires: golang < 1.25 here? Caddy requires only 1.23; there is no need to use 1.25 and enable cgo.
Hi @liulis-sg , @andy-vm,
Thank you for the review. The CVEs have been patched, and this PR has been updated to address only the Caddy-related CVEs. A separate PR will be raised for the RPC changes.
SPECS/rpc/rpc.spec
Outdated
| Source1: %{name}-%{version}-vendor.tar.gz | ||
| BuildRequires: golang >= 1.24.4 | ||
| BuildRequires: golang < 1.25.0 | ||
| BuildRequires: golang <= 1.25.5 |
BuildRequires: golang <= 1.25.5 is not required, since this is the latest version.
Hi @liulis-sg,
Reverted the changes as they are not needed here. Thank you.
SPECS/caddy/caddy.spec
Outdated
| export GO111MODULE=off | ||
| export GOPATH=$PWD | ||
| CGO_ENABLED=0 go build -trimpath -gcflags=-l -ldflags="-X %{goipath}.CustomVersion=v%{version}" -o bin/caddy %{goipath}/cmd/caddy | ||
| CGO_ENABLED=1 go build -trimpath -gcflags=-l -ldflags="-X %{goipath}.CustomVersion=v%{version}" -o bin/caddy %{goipath}/cmd/caddy |
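Review bot: the switch from CGO_ENABLED=0 to CGO_ENABLED=1 on the go build line is unexplained in the hunk and changes the build in ways a CVE backport should not need: the resulting caddy binary links against the system C library instead of being static, and the build now depends on a C compiler, which the BuildRequires lines visible earlier in this review do not list (they name only golang). Unless the patched source actually needs cgo, keep CGO_ENABLED=0, which is also what the upstream cross-build workflow linked below uses; if cgo really is required, add a spec comment saying why together with the matching BuildRequires.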
Why enable cgo? Please see here: https://github.com/caddyserver/caddy/blob/v2.9.1/.github/workflows/cross-build.yml#L66
Caddy 2.9.1 itself uses 1.23 / 1.22; why do we need to use 1.25 and introduce a CVE?
Hi @andy-vm,
Thank you for the review. I have reverted CGO_ENABLED=0, and the CVEs have been patched. This PR has been updated to address only the Caddy-related CVEs.
SPECS/rpc/rpc.spec
Outdated
| %build | ||
| export CGO_ENABLED=0 | ||
| export CGO_ENABLED=1 |
Same here.
rpc go itself uses 1.24; we do not need to use 1.25 here.
https://github.com/device-management-toolkit/rpc-go/blob/v2.48.9/go.mod
Thank you for the review. The RPC changes have been removed from this PR, and a separate PR will be raised for the RPC changes.
b65a6d2 to cc62f82
Upgrading from 1.25.1 to 1.25.5 is fine; if there is a CVE reported, there is no need to change the Go version in caddy and rpc go and enable cgo.
- Include fix for CVE-2025-61727 and CVE-2025-61729.
- Updated caddy.spec file to update release, bump version, and add changelog entries.

Signed-off-by: Polmoorx Shiva Kumar <[email protected]>
cc62f82 to d1d168d
Thank you for the review. I have reverted the changes.
LGTM
Hi @andy-vm, thank you for the review. For the Jenkins build, please see On-Demand_Developer_Build#1526.
Merge Checklist
All boxes should be checked before merging the PR
Description
bump version, and add changelog entries.
Any Newly Introduced Dependencies
NO
How Has This Been Tested?
Manually tested.