On Tue, 2024-03-26 at 13:09 +0530, Vijay Anusuri via
lists.openembedded.org wrote:
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
> @@ -0,0 +1,121 @@
> +From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00
> 2001
> +From: Damien Neil <[email protected]>
> +Date: Thu, 11 Jan 2024 11:31:57 -0800
> +Subject: [PATCH] [release-branch.go1.21] net/http,
> net/http/cookiejar: avoid
> + subdomain matches on IPv6 zones
> +
> +When deciding whether to forward cookies or sensitive headers
> +across a redirect, do not attempt to interpret an IPv6 address
> +as a domain name.
> +
> +Avoids a case where a maliciously-crafted redirect to an
> +IPv6 address with a scoped addressing zone could be
> +misinterpreted as a within-domain redirect. For example,
> +we could interpret "::1%.www.example.com" as a subdomain
> +of "www.example.com".
> +
> +Thanks to Juho Nurminen of Mattermost for reporting this issue.
> +
> +Fixes CVE-2023-45289
> +Fixes #65385
> +For #65065
> +
> +Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
> +Reviewed-by: Tatiana Bradley <[email protected]>
> +Reviewed-by: Roland Shoemaker <[email protected]>
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
> +Reviewed-by: Carlos Amedee <[email protected]>
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
> +Reviewed-by: Carlos Amedee <[email protected]>
> +Auto-Submit: Michael Knyszek <[email protected]>
> +TryBot-Bypass: Michael Knyszek <[email protected]>
> +
> +Upstream-Status: Backport
> [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee
> 287591a1]
> +CVE: CVE-45289
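
Review bot: the "CVE:" tag on the last quoted line reads "CVE-45289", which drops the year, while the patch file name (CVE-2023-45289.patch) and the upstream "Fixes CVE-2023-45289" line both give the full identifier. Change the tag to "CVE: CVE-2023-45289" so it matches the identifier used everywhere else in the patch.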

Incorrect CVE number here ...

Thanks,

Anuj