net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs #71984
Labels
NeedsFix
The path to resolution is known, but the work has not been done.
Security
vulncheck or vulndb
Issues for the x/vuln or x/vulndb repo
Milestone
Comments
|
@gopherbot please open backport issues for this security fix |
|
Backport issue(s) opened: #71985 (for 1.23), #71986 (for 1.24). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
This was referenced Feb 26, 2025
dmitshur
added
Security
NeedsFix
JunyangShao
changed the title
|
Change https://go.dev/cl/654717 mentions this issue: |
|
Change https://go.dev/cl/654795 mentions this issue: |
|
Change https://go.dev/cl/654796 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Mar 4, 2025
This is to update module version to the fixed x/net. For #71984 Change-Id: I7d50e302e8ba7d3ee28df2669fc16f19c12cf088 Reviewed-on: https://go-review.googlesource.com/c/go/+/654795 Reviewed-by: Michael Pratt <[email protected]> Auto-Submit: Junyang Shao <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Junyang Shao <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Mar 4, 2025
This is to update module version to the fixed x/net. For #71984 Change-Id: I8f4357f14a7d44a782c131eb856b50a103be2f2d Reviewed-on: https://go-review.googlesource.com/c/go/+/654796 Reviewed-by: Junyang Shao <[email protected]> Auto-Submit: Junyang Shao <[email protected]> Reviewed-by: Michael Pratt <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Mar 4, 2025
For #71984 Change-Id: Ic15826f09ea818f8833bd3d979bffaede24d49df Reviewed-on: https://go-review.googlesource.com/c/go/+/654717 Reviewed-by: Michael Pratt <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Junyang Shao <[email protected]>
mnencia
added a commit
to cloudnative-pg/plugin-barman-cloud
that referenced
this issue
Mar 5, 2025
see golang/go#71984 Signed-off-by: Marco Nenciarini <[email protected]>
mnencia
added a commit
to cloudnative-pg/plugin-barman-cloud
that referenced
this issue
Mar 5, 2025
See golang/go#71984 Signed-off-by: Marco Nenciarini <[email protected]>
fcanovai
pushed a commit
to cloudnative-pg/plugin-barman-cloud
that referenced
this issue
Mar 5, 2025
See golang/go#71984 Signed-off-by: Marco Nenciarini <[email protected]>
This was referenced Mar 5, 2025
3 tasks
This was referenced Mar 6, 2025
dcermak
pushed a commit
to SUSE/skopeo
that referenced
this issue
Mar 6, 2025
When matching against a host "example.com", don't match an IPv6 address like "[1000::1%25.example.com]:80". Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes CVE-2025-22870 For golang/go#71984 Fixes [bsc#1238685](https://bugzilla.suse.com/show_bug.cgi?id=1238685)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly match and not be proxied.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2025-22870
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: