git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit

author	Praveen Kumar <praveen.kumar@windriver.com>
	Mon, 3 Feb 2025 09:30:33 +0000 (09:30 +0000)
committer	Steve Sakoman <steve@sakoman.com>
	Mon, 3 Feb 2025 14:28:06 +0000 (06:28 -0800)
commit	63e84b64f055ad7c91de67194e6739c96fb95496
tree	ae832705fb57c672abf1c98115f85ff20ea99403	tree \| snapshot
parent	a397c152abf4f3da1323594e79ebac844a2c9f45	commit \| diff

go: Fix CVE-2024-45336

The HTTP client drops sensitive headers after following a cross-domain redirect.
For example, a request to a.com/ containing an Authorization header which is redirected to
b.com/ will not send that header to b.com. In the event that the client received a subsequent
same-domain redirect, however, the sensitive headers would be restored. For example, a chain
of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the
Authorization header to b.com/2.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-45336

Upstream-patch:
https://github.com/golang/go/commit/b72d56f98d6620ebe07626dca4bb67ea8e185379

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-devtools/go/go-1.17.13.inc		diff \| blob \| blame \| history
meta/recipes-devtools/go/go-1.21/CVE-2024-45336.patch	[new file with mode: 0644]	blob