serv/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-04-04 03:34:39 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions8

Update module golang.org/x/net to v0.36.0 [SECURITY] (v10.0/forgejo) ()

Browse source 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | require | minor | [`v0.33.0` -> `v0.36.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.33.0...refs/tags/v0.36.0) |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
[CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)

<details>
<summary>More information</summary>

#### Details
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

#### Severity
Unknown

#### References
- [https://go.dev/cl/654697](https://go.dev/cl/654697)
- [https://go.dev/issue/71984](https://go.dev/issue/71984)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3503) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
[CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870) / [GHSA-qxp5-gwg8-xv66](https://github.com/advisories/GHSA-qxp5-gwg8-xv66) / [GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)

<details>
<summary>More information</summary>

#### Details
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

#### Severity
- CVSS Score: 4.4 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L`

#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870)
- [https://go-review.googlesource.com/q/project:net](https://go-review.googlesource.com/q/project:net)
- [https://go.dev/cl/654697](https://go.dev/cl/654697)
- [https://go.dev/issue/71984](https://go.dev/issue/71984)
- [https://pkg.go.dev/vuln/GO-2025-3503](https://pkg.go.dev/vuln/GO-2025-3503)
- [http://www.openwall.com/lists/oss-security/2025/03/07/2](http://www.openwall.com/lists/oss-security/2025/03/07/2)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qxp5-gwg8-xv66) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDUuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNS4xIiwidGFyZ2V0QnJhbmNoIjoidjEwLjAvZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7303
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
This commit is contained in:
Renovate Bot 2025-03-22 16:47:19 +00:00 committed by Earl Warren
parent a35a3b6731
commit 0f5182d0c6
2 changed files with 3 additions and 3 deletions

2
go.mod
View file

@ -103,7 +103,7 @@ require (
go.uber.org/mock v0.4.0
golang.org/x/crypto v0.35.0
golang.org/x/image v0.23.0
golang.org/x/net v0.33.0
golang.org/x/net v0.36.0
golang.org/x/oauth2 v0.27.0
golang.org/x/sync v0.11.0
golang.org/x/sys v0.30.0

4
go.sum
View file

@ -1631,8 +1631,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=