Update CVE patches to fix CVE issues #661
aa721ee to 8c6dd71
b65a6d2 to cc62f82
Upgrading from 1.25.1 to 1.25.5 is fine; if there is a CVE reported, there is no need to change the Go version in caddy and rpc-go and enable cgo.
cc62f82 to d1d168d
Thank you for the review. I have reverted the changes.

LGTM
Hi @andy-vm, thank you for the review. For the Jenkins build, please see On Demand Developer Build #1526.
@andy-vm @liulis-sg @polmoorx kindly revisit the changes |
@polmoorx, please double-check the CVE test result and share the CVE scan URL.
As discussed, we rebuilt the spec locally and did not observe any issues with the current patch. |
d1d168d to d3a804e
aaroncyew left a comment
+1, CVE patch and SRPM build have been reviewed.
SRPM build logs are attached to the JIRA ticket for this fix.
d3a804e to 29186ca
- Include fix for CVE-2025-61727 and CVE-2025-61729.
- Updated caddy.spec file to update release, bump version, and add changelog entries.
Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
29186ca to 9b1fb0a
* ip4save config change (#620)
  * Update full.json
    Added ip4save changes for iso
  * Create configure-ip4save.sh
    Post installation script for iso to allow type 8 incoming ping
  * Separated post installation paths in full.json
  * Fixed file permission for configure-ip4save.sh
  * Fixed indentation for full.json
  --------
  Co-authored-by: andy-vm <108446482+andy-vm@users.noreply.github.com>
  Co-authored-by: Mohamad Noor Alim Hussin <mohamad.noor.alim.hussin@intel.com>
* Upgrade otelcol-contrib version to fix CVE. (#623)
  - Upgrade version to 0.141.0.
  - Remove CVE-2025-22872.patch since changes are part of latest version.
  - Fixes CVE-2025-47913, CVE-2025-47914 and CVE-2025-58181.
  Signed-off-by: Unniche, BasavarajX <basavarajx.unniche@intel.com>
  Co-authored-by: andy-vm <108446482+andy-vm@users.noreply.github.com>
* Upgrade the RPC version from 2.45.1 to 2.48.9 (#619)
  - Upgraded the RPC from 2.45.1 to 2.48.9 to resolve the CVE-2025-47914, CVE-2025-58181 and CVE-2025-47913.
  - Update the rpc.spec file with release, bump version and changelog entry.
  Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
* restore caddy (#642)
  * restore caddy
  * restore caddy
  --------
  Co-authored-by: andy.peng <andypeng@pglgull002.png.intel.com>
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
* CVE Fix for x-crypto component in caddy (#672)
  - Applied suggested patch from NVD database for CVE-2025-58181.
  Signed-off-by: Unniche, BasavarajX <basavarajx.unniche@intel.com>
  Co-authored-by: andy-vm <108446482+andy-vm@users.noreply.github.com>
* Removed go-rpm-macros dependency in caddy.spec (#689)
* Update CVE patches to fix CVE issues (#661)
  - Include fix for CVE-2025-61727 and CVE-2025-61729.
  - Updated caddy.spec file to update release, bump version, and add changelog entries.
  Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
--------
Signed-off-by: Unniche, BasavarajX <basavarajx.unniche@intel.com>
Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Co-authored-by: chrngc <149708414+chrngc@users.noreply.github.com>
Co-authored-by: andy-vm <108446482+andy-vm@users.noreply.github.com>
Co-authored-by: Mohamad Noor Alim Hussin <mohamad.noor.alim.hussin@intel.com>
Co-authored-by: bunnichx <101382885+bunnichx@users.noreply.github.com>
Co-authored-by: POLMOOR SHIVA KUMAR <polmoorx.shiva.kumar@intel.com>
Co-authored-by: andy.peng <andypeng@pglgull002.png.intel.com>
* Add triage for x-crypto component of caddy package. (open-edge-platform#116)
  - ported the patch and PR open-edge-platform#672 is created in EMT open-edge repo. Hence, marking CVE-2025-58181 as patched.
  Signed-off-by: Unniche, BasavarajX <basavarajx.unniche@intel.com>
  Reviewed-by: Aaron Chan <aaron.chun.yew.chan@intel.com>
* override device-management-toolkit-rpc-go for rpc (open-edge-platform#113)
  - Override device-management-toolkit-rpc-go version to v2.48.9
  Signed-off-by: RajeshX Shanmugam <rajesh1x.shanmugam@intel.com>
  Reviewed-by: Aaron Chan <aaron.chun.yew.chan@intel.com>
* Upgrade version for qemu (open-edge-platform#114)
  - Add qemu version 9.1.0 to 10.0.4
  - Remove triage CVEs, no longer required.
  Signed-off-by: RajeshX Shanmugam <rajesh1x.shanmugam@intel.com>
  Reviewed-by: Aaron Chan <aaron.chun.yew.chan@intel.com>
* Add triage for golang-runtime component of caddy. (open-edge-platform#119)
  - ported the patch and PR open-edge-platform#661 is created in EMT
  - marked CVE-2025-61727 and CVE-2025-61729 as patched.
  Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
  Reviewed-by: Aaron Chan <aaron.chun.yew.chan@intel.com>
* gstreamer1 version v1.26.5 on next branch
  Signed-off-by: Aaron Chan <aaron.chun.yew.chan@intel.com>
--------
Signed-off-by: Unniche, BasavarajX <basavarajx.unniche@intel.com>
Signed-off-by: RajeshX Shanmugam <rajesh1x.shanmugam@intel.com>
Signed-off-by: Polmoorx Shiva Kumar <polmoorx.shiva.kumar@intel.com>
Signed-off-by: Aaron Chan <aaron.chun.yew.chan@intel.com>
Co-authored-by: bunnichx <101382885+bunnichx@users.noreply.github.com>
Co-authored-by: Rajesh Shanmugam <rajesh1x.shanmugam@intel.com>
Co-authored-by: POLMOOR SHIVA KUMAR <polmoorx.shiva.kumar@intel.com>

Merge Checklist
All boxes should be checked before merging the PR
Description
bump version, and add changelog entries.
Any Newly Introduced Dependencies
NO
How Has This Been Tested?
Manually tested.