
Mageia: 2025-0175 critical: golang improper proxy matching

June 2, 2025
Updated golang packages for Mageia fix improper matching of hosts against proxy patterns (CVE-2025-22870) and a request smuggling issue in net/http chunked data handling (CVE-2025-22871).

Summary

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied (CVE-2025-22870).

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext (CVE-2025-22871).
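The NO_PROXY mismatch described for CVE-2025-22870, as an added Go example that is not part of the advisory and is not Go's own matcher: a simplified model comparing a suffix match that treats the zone ID as hostname text with one that drops the zone and never applies a domain pattern to an IP literal. The function names (`splitHost`, `naiveMatch`, `zoneAwareMatch`) are hypothetical, and every input except the advisory's own host and pattern is constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitHost returns the host part of "host:port" with brackets removed and
// the URL-encoded zone delimiter "%25" decoded to "%".
func splitHost(hostport string) (string, error) {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return "", err
	}
	return strings.ToLower(strings.Replace(host, "%25", "%", 1)), nil
}

// suffixOf turns a pattern such as "*.example.com" into ".example.com".
func suffixOf(pattern string) string {
	return strings.ToLower(strings.TrimPrefix(pattern, "*"))
}

// naiveMatch models the flaw: the zone ID is compared as if it were hostname text.
func naiveMatch(host, pattern string) bool {
	return strings.HasSuffix(host, suffixOf(pattern))
}

// zoneAwareMatch drops the zone ID and never applies a domain pattern to an IP literal.
func zoneAwareMatch(host, pattern string) bool {
	addr, _, _ := strings.Cut(host, "%")
	if net.ParseIP(addr) != nil {
		return false
	}
	return strings.HasSuffix(addr, suffixOf(pattern))
}

func main() {
	const noProxy = "*.example.com" // pattern quoted in the advisory
	// The first input is the advisory's example; the other two are constructed.
	for _, hp := range []string{"[::1%25.example.com]:80", "api.example.com:80", "[::1]:80"} {
		h, err := splitHost(hp)
		if err != nil {
			fmt.Println(hp, "error:", err)
			continue
		}
		fmt.Printf("%-26s naive=%-5v zoneAware=%v\n", hp, naiveMatch(h, noProxy), zoneAwareMatch(h, noProxy))
	}
}
```

Only the first input differs between the two matchers: the loopback address with a crafted zone ID is the case where the flawed comparison skips the proxy.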

References

- https://bugs.mageia.org/show_bug.cgi?id=34078

- https://www.openwall.com/lists/oss-security/2025/03/07/2

- https://www.openwall.com/lists/oss-security/2025/04/04/4

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFNTP3P4URUREHKSWZQWIJPIXGRCFHUI/

- https://www.cve.org/CVERecord?id=CVE-2025-22870

- https://www.cve.org/CVERecord?id=CVE-2025-22871

Resolution

SRPMS

- 9/core/golang-1.23.8-1.mga9

Severity
critical

Publication date: 02 Jun 2025
URL: https://advisories.mageia.org/MGASA-2025-0175.html
Type: security
CVE: CVE-2025-22870, CVE-2025-22871
