Update golang.org/x/net to address two CVEs #74
Conversation
Related to #71, but updates to latest version

@kevinmcconnell Any chance you could cut a release with the CVE fixes in? Just wanted to ask politely.

@kevinmcconnell just wanted to touch base on addressing this CVE, and the already-merged-but-not-released CVE fix 5f38465

3ae7974 to 31d2b00

@kevinmcconnell updated PR to address another CVE (CVE-2025-22872)

Thanks @matthewbjones, I'll get this shipped!

@kevinmcconnell I got one more CVE fix incoming

@matthewbjones ah, I just shipped a new version before seeing that message! But I had also bumped the Go version to latest, so I think we're all good?

@kevinmcconnell no worries, I see you've released

@kevinmcconnell I can confirm that. Thanks for working with me to get those dependencies updated.

Great, thanks @matthewbjones. I appreciate your help with these!
Addresses two CVEs in golang/net by upgrading to 0.39.0 (latest):

- CVE-2025-22870 (4.4 score, fixed in 0.36.0): Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
- CVE-2025-22872 (5.3 score, fixed in 0.38.0): The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc. contexts).

Fixes Issue #73
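The two advisories above give concrete fixed versions (0.36.0 and 0.38.0), which is the fact a downstream maintainer actually needs: is the pinned golang.org/x/net at or above the later of the two? The following is an added example, not code from this PR or from the project it targets. It scans go.mod text for the golang.org/x/net requirement and reports whether it sits below v0.38.0, the minimum that carries both fixes. The go.mod content is a constructed sample; the function names (`xNetVersion`, `versionLess`, `needsUpgrade`) are this example's own. It compares only the major.minor.patch core of the version, so pseudo-versions are judged by their base tag.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Minimum golang.org/x/net version carrying fixes for both CVEs in the PR:
// CVE-2025-22870 (fixed in v0.36.0) and CVE-2025-22872 (fixed in v0.38.0).
const minSafeXNet = "v0.38.0"

// Constructed go.mod sample (not the project's real go.mod): a vulnerable pin.
const sampleGoMod = `module example.com/app

go 1.24

require (
	github.com/example/dep v1.2.3
	golang.org/x/net v0.33.0 // indirect
)
`

// xNetVersion scans go.mod text for the golang.org/x/net requirement,
// whether on a single "require" line or inside a require block, and returns
// its version string. ok is false when the module is not required at all.
func xNetVersion(gomod string) (version string, ok bool) {
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(line)
		line = strings.TrimPrefix(line, "require ")
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == "golang.org/x/net" {
			return fields[1], true
		}
	}
	return "", false
}

// coreParts extracts major.minor.patch from a Go module version, ignoring any
// pre-release or pseudo-version suffix after '-' and build metadata after '+'.
// A component that fails to parse counts as 0, which errs toward flagging.
func coreParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(s)
		if err != nil {
			n = 0
		}
		out[i] = n
	}
	return out
}

// versionLess reports whether version a sorts strictly before version b
// on the numeric major.minor.patch core.
func versionLess(a, b string) bool {
	pa, pb := coreParts(a), coreParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// needsUpgrade is true when go.mod pins golang.org/x/net below minSafeXNet.
// A go.mod that does not require the module at all reports false.
func needsUpgrade(gomod string) bool {
	v, ok := xNetVersion(gomod)
	return ok && versionLess(v, minSafeXNet)
}

func main() {
	v, ok := xNetVersion(sampleGoMod)
	fmt.Printf("golang.org/x/net pinned at %q (found=%t), needs upgrade to >= %s: %t\n",
		v, ok, minSafeXNet, needsUpgrade(sampleGoMod))
}
```

This is a go.mod-level check only; it does not see the module graph's selected version when a transitive dependency pulls a newer golang.org/x/net, nor does it know whether the affected packages (http/httpproxy, html) are actually reachable from your code. For that, govulncheck from golang.org/x/vuln reports reachable vulnerable symbols against the Go vulnerability database, and `go list -m golang.org/x/net` prints the version the build graph actually selects.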