security: fix CVE-2023-45289 [1.21 backport] #65385

Closed
gopherbot opened this issue Jan 30, 2024 · 2 comments
Labels: CherryPickApproved (Used during the release process for point releases), Security

@gopherbot

@neild requested issue #65065 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues for this security fix.

@gopherbot added the CherryPickCandidate (Used during the release process for point releases) and Security labels Jan 30, 2024
@gopherbot added this to the Go1.21.7 milestone Jan 30, 2024
@neild added the CherryPickApproved (Used during the release process for point releases) label and removed the CherryPickCandidate (Used during the release process for point releases) label Jan 30, 2024
@gopherbot modified the milestones: Go1.21.7, Go1.21.8 Feb 6, 2024
@gopherbot

Change https://go.dev/cl/569239 mentions this issue: [release-branch.go1.21] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones

gopherbot pushed a commit that referenced this issue Mar 5, 2024
… matches on IPv6 zones

When deciding whether to forward cookies or sensitive headers
across a redirect, do not attempt to interpret an IPv6 address
as a domain name.

Avoids a case where a maliciously-crafted redirect to an
IPv6 address with a scoped addressing zone could be
misinterpreted as a within-domain redirect. For example,
we could interpret "::1%.www.example.com" as a subdomain
of "www.example.com".

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes CVE-2023-45289
Fixes #65385
For #65065

Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
Reviewed-by: Carlos Amedee <amedee@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
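
The subdomain confusion described in the commit message above, as an added Go example (not the code from the Go change itself): a suffix-only host comparison next to one that refuses to suffix-match IP literals. The function names and the host list are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// naiveSubdomain is a suffix-only comparison: any host ending in "."+parent
// counts as a subdomain, whether or not it is a domain name at all.
func naiveSubdomain(sub, parent string) bool {
	return sub == parent || strings.HasSuffix(sub, "."+parent)
}

// isIPLiteral reports whether host is an IP address rather than a name.
// netip.ParseAddr accepts a scoped IPv6 zone ("%zone"); the ':' and '%'
// check also catches malformed literals, since neither is valid in a name.
func isIPLiteral(host string) bool {
	if strings.ContainsAny(host, ":%") {
		return true
	}
	_, err := netip.ParseAddr(host)
	return err == nil
}

// strictSubdomain (hypothetical helper) allows exact matches, but never
// applies suffix matching when either side is an IP literal.
func strictSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	if isIPLiteral(sub) || isIPLiteral(parent) {
		return false
	}
	return strings.HasSuffix(sub, "."+parent)
}

func main() {
	const parent = "www.example.com"
	// Constructed redirect target hosts; the zone example is the one
	// quoted in the commit message.
	for _, host := range []string{
		"www.example.com", "api.www.example.com",
		"::1%.www.example.com", "::1", "evilwww.example.com",
	} {
		fmt.Printf("%-24s naive=%-5v strict=%v\n",
			host, naiveSubdomain(host, parent), strictSubdomain(host, parent))
	}
}
```

Only the zoned IPv6 host differs between the two columns: the suffix-only check accepts it, the strict check does not.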
@gopherbot

Closed by merging 20586c0 to release-branch.go1.21.
