ALT-BU-2025-5149-2

Branch p10 update bulletin.

Package golang updated to version 1.23.8-alt1 for branch p10 in task 379945.

Уязвимость пакета net/http языка программирования Go, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.1)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: CRITICAL (9.4)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

References:

CVE-2025-22871

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Severity: CRITICAL (9.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Traefik affected by Go HTTP Request Smuggling Vulnerability

Severity: CRITICAL (9.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency

Severity: CRITICAL (9.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency

Severity: CRITICAL (9.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

Version: 2.1.2

Branch p10 update on 2025-04-04

ALT-BU-2025-5149-2

ALT-PU-2025-5091-3

Closed vulnerabilities

BDU:2025-04014

CVE-2025-22871

GHSA-5423-jcjm-2gpv

GHSA-6jqf-mv7m-3q7p

GHSA-g9pc-8g42-g6vq