ALT-PU-2025-3852-3

Package golang updated to version 1.23.7-alt1 for branch c10f2 in task 376932.

Уязвимость пакетов net/http, x/net/proxy и x/net/http/httpproxy языка программирования Go, позволяющая нарушителю оказать воздействие на конфиденциальность и доступность защищаемой информации

Severity: MEDIUM (4.4)Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Severity: LOW (3.2)Vector: AV:L/AC:L/Au:S/C:P/I:N/A:P

References:

CVE-2025-22870

Уязвимость компонента crypto-elliptic языка программирования Golang, позволяющая нарушителю получить доступ к конфиденциальной информации

Severity: MEDIUM (4.0)Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: LOW (2.1)Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

References:

CVE-2025-22866

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

Severity: MEDIUM (4.0)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity: MEDIUM (4.4)Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References:

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Severity: MEDIUM (4.4)Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References:

Version: 2.1.2

Package golang update in c10f2 on 2025-03-06

ALT-PU-2025-3852-3

Closed vulnerabilities

BDU:2025-02476

BDU:2025-03456

CVE-2025-22866

CVE-2025-22870

GHSA-qxp5-gwg8-xv66