Upstream (go.dev) will not help us; they have a 6-month LTS policy compared to Yocto with 4 years.

This is a usual problem for LTS distributions; there are always some open CVEs where backporting fixes is too difficult or even impossible. go-binary-native is unfortunately one of these cases where fixing CVEs is impractical. It would require us to change go toolchain bootstrapping (without any clear vision how) or to generate precompiled binaries ourselves.

The question is whether there is any practical attack possible on the Yocto go toolchain bootstrapping process, or whether someone has native go recipes where it would also be used.

If you are worried about this for your project, meta-lts-mixins is probably the easiest way to get rid of these CVEs from your vulnerability reports. Or use the current Yocto release instead of LTS, which with increasing age always gathers unfixed CVEs.

Peter

From: Jose Quaresma <[email protected]>
Sent: Thursday, February 12, 2026 19:06
To: [email protected]
Cc: Khem Raj <[email protected]>; Viral Chavda (vchavda) <[email protected]>; [email protected]; Marko, Peter (FT D EU SK BFS1) <[email protected]>
Subject: Re: [OE-core] Clarification on handling recent CVEs for go-binary-native package

Hi Deepak,

The go-binary-native was used to bootstrap the go toolchain; we take it from the official go upstream https://go.dev/dl.
Perhaps this is the ideal place to report such problems, so that they can create new binary packages with the referred CVE fixed.

Jose

Deepak Rathore via lists.openembedded.org <[email protected]> wrote (Thursday, 12/02/2026 at 11:15):

Hello Khem Raj,

Several new CVEs have been assigned to go-binary-native package (as listed below). Based on the recipe, it’s been observed that it uses prebuilt instead of being built from source code.

Can you please help to understand the procedures and how we can address applicable CVEs for these packages? Do we have any identified plan to address it?

CVEs affecting go-binary-native:

1. CVE-2025-4674 (CVSS 8.6) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-4674
2. CVE-2025-47906 (CVSS 6.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-47906
3. CVE-2025-47907 (CVSS 7.0) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-47907
4. CVE-2025-47912 (CVSS 5.3) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-47912
5. CVE-2025-58185 (CVSS 5.3) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-58185
6. CVE-2025-58187 (CVSS 7.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-58187
7. CVE-2025-58188 (CVSS 7.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-58188
8. CVE-2025-58189 (CVSS 5.3) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-58189
9. CVE-2025-61723 (CVSS 7.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61723
10. CVE-2025-61724 (CVSS 5.3) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61724
11. CVE-2025-61726 (CVSS 7.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61726
12. CVE-2025-61727 (CVSS 6.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61727
13. CVE-2025-61728 (CVSS 6.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61728
14. CVE-2025-61729 (CVSS 7.5) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61729
15. CVE-2025-61730 (CVSS 5.3) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61730
16. CVE-2025-61731 (CVSS 7.8) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61731
17. CVE-2025-68119 (CVSS 7.0) – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-68119
18. CVE-2025-22873 (CVSS3: 3.8) - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-22873
19. CVE-2025-61732 (CVSS3: 8.6) - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-61732
20. CVE-2025-68121 (CVSS3: 10.0) - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-68121

Thanks for the guidance.

Regards,
Deepak Rathore

--
Best regards,
José Quaresma
View/Reply Online (#231073): https://lists.openembedded.org/g/openembedded-core/message/231073
