mirror of
https://git.yoctoproject.org/poky
synced 2026-03-02 13:29:40 +01:00
d9cfb16b8b
Dunfell uses golang 1.14 which does not contain the affected code (it was introduced in golang 1.16). From the golang announcement [1] "Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. [1] https://groups.google.com/g/golang-announce/c/0fM21h43arc (From OE-Core rev: 2329902f994b631d6b77e8bd501d5599db6d5306) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>