Skip to content

Update CVE patches to fix CVE issues #661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
andy-vm merged 1 commit into from
Jan 22, 2026
Merged

Update CVE patches to fix CVE issues #661

andy-vm merged 1 commit into from
Jan 22, 2026
+312 −1

Conversation

@polmoorx
Copy link
Contributor

@polmoorx polmoorx commented Jan 6, 2026
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR

  • The changes in the PR have been built and tested
  • cgmanifest file has been updated if required
  • Ready to merge

Description

Any Newly Introduced Dependencies

NO

How Has This Been Tested?

Manually tested.

@polmoorx polmoorx force-pushed the upgrade_go_to_fix_CVE branch from aa721ee to 8c6dd71 Compare January 7, 2026 07:33
@polmoorx polmoorx marked this pull request as ready for review January 7, 2026 09:33
@polmoorx polmoorx requested a review from a team as a code owner January 7, 2026 09:33
liulis-sg
liulis-sg reviewed Jan 8, 2026
View reviewed changes
andy-vm
andy-vm requested changes Jan 8, 2026
View reviewed changes
@polmoorx polmoorx force-pushed the upgrade_go_to_fix_CVE branch 2 times, most recently from b65a6d2 to cc62f82 Compare January 8, 2026 09:30
@andy-vm
Copy link
Contributor

andy-vm commented Jan 9, 2026

upgrading from 1.25.1 to 1.25.5 is fine, if there is cve reported

no need to change go version in caddy and rpc go and enable cgo

@polmoorx polmoorx force-pushed the upgrade_go_to_fix_CVE branch from cc62f82 to d1d168d Compare January 14, 2026 17:59
@polmoorx polmoorx changed the title Update Go version to fix CVE issues Update CVE patches to fix CVE issues Jan 14, 2026
@polmoorx
Copy link
Contributor Author

polmoorx commented Jan 14, 2026

upgrading from 1.25.1 to 1.25.5 is fine, if there is cve reported

no need to change go version in caddy and rpc go and enable cgo

Thank you for the review. I have reverted the changes.

@andy-vm
Copy link
Contributor

andy-vm commented Jan 15, 2026

LGTM
please also share test result, log or screenshot

@polmoorx
Copy link
Contributor Author

polmoorx commented Jan 15, 2026
edited by andy-vm
Loading

LGTM please also share test result, log or screenshot

Hi @andy-vm,

Thank you for review.

CVE resolved snap from bdba:
image

For Jenkins Build please see On Demand Developer Build#1526.

@aaroncyew
Copy link
Member

aaroncyew commented Jan 16, 2026
edited
Loading

@andy-vm @liulis-sg @polmoorx
the CVE patch is looking for this golang code vendor/github.com/google/certificate-transparency-go/x509/verify.go

kindly revisit the changes

@andy-vm
Copy link
Contributor

andy-vm commented Jan 19, 2026
edited
Loading

@polmoorx please double check the CVE test result and share CVE scan url

@polmoorx
Copy link
Contributor Author

polmoorx commented Jan 19, 2026

@andy-vm @liulis-sg @polmoorx the CVE patch is looking for this golang code vendor/github.com/google/certificate-transparency-go/x509/verify.go

kindly revisit the changes

@aaroncyew,

As discussed, we rebuilt the spec locally and did not observe any issues with the current patch.

@open-edge-platform open-edge-platform deleted a comment from polmoorx Jan 20, 2026
@polmoorx polmoorx force-pushed the upgrade_go_to_fix_CVE branch from d1d168d to d3a804e Compare January 20, 2026 03:50
@aaroncyew aaroncyew self-requested a review January 20, 2026 11:35
aaroncyew
aaroncyew previously approved these changes Jan 20, 2026
View reviewed changes
Copy link
Member

@aaroncyew aaroncyew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, CVE patch and srpm build has been reviewed.

srpm build logs is attached to JIRA ticket for this fix.

@polmoorx polmoorx force-pushed the upgrade_go_to_fix_CVE branch from d3a804e to 29186ca Compare January 20, 2026 12:37
@polmoorx
Update CVE patches to fix CVE issues
9b1fb0a 
- Include fix for CVE-2025-61727 and CVE-2025-61729.

- Updated caddy.spec file to update release,
  bump version, and add changelog entries.

Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
@polmoorx polmoorx force-pushed the upgrade_go_to_fix_CVE branch from 29186ca to 9b1fb0a Compare January 22, 2026 08:30
andy-vm
andy-vm approved these changes Jan 22, 2026
View reviewed changes
Copy link
Contributor

@andy-vm andy-vm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andy-vm andy-vm merged commit 9169fda into open-edge-platform:3.0-dev Jan 22, 2026
14 of 17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liulis-sg liulis-sg liulis-sg left review comments

@cheeyanglee cheeyanglee cheeyanglee approved these changes

@andy-vm andy-vm andy-vm approved these changes

@aaroncyew aaroncyew aaroncyew left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@polmoorx @andy-vm @aaroncyew @cheeyanglee @liulis-sg