go: Fix CVE-2024-45336 - linux/poky.git - Mirror of git.yoctoproject.org/poky

diff options

author	Praveen Kumar <praveen.kumar@windriver.com>	2025-02-03 09:30:33 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-02-15 06:04:43 -0800
commit	212172aa139122668bc847ed012ecb8ec8d11acb (patch)
tree	4ffc07c471cb2102a5beff8e07c5234ca95504c7 /scripts/lib/devtool/runqemu.py
parent	6840d3b71ed6adfcd2c2e46daf8a93d3755c5d99 (diff)
download	poky-212172aa139122668bc847ed012ecb8ec8d11acb.tar.gz

go: Fix CVE-2024-45336

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45336 Upstream-patch: https://github.com/golang/go/commit/b72d56f98d6620ebe07626dca4bb67ea8e185379 (From OE-Core rev: 63e84b64f055ad7c91de67194e6739c96fb95496) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>

Diffstat (limited to 'scripts/lib/devtool/runqemu.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: