Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module golang.org/x/net to v0.36.0 [security] (v1.2) #3497

Open
wants to merge 1 commit into
base: v1.2
Choose a base branch
from
Open

chore(deps): update module golang.org/x/net to v0.36.0 [security] (v1.2) #3497

wants to merge 1 commit into from
+4,182 −1,772

Conversation

cilium-renovate[bot]
Copy link
Contributor

@cilium-renovate cilium-renovate bot commented Mar 13, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
golang.org/x/net indirect minor v0.33.0 -> v0.36.0

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

CVE-2025-22870 / GHSA-qxp5-gwg8-xv66 / GO-2025-3503

More information

Details

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Sorry, something went wrong.

@cilium-renovate cilium-renovate bot added release-blocker This PR or issue is blocking the next release. release-note/dependency This PR updates one or multiple dependencies labels Mar 13, 2025
@cilium-renovate cilium-renovate bot requested a review from a team as a code owner March 13, 2025 08:17
@cilium-renovate cilium-renovate bot requested review from olsajiri and removed request for a team March 13, 2025 08:17
@cilium-renovate
Copy link
Contributor Author

cilium-renovate bot commented Mar 13, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Command failed: make crds
go: downloading golang.org/x/time v0.5.0
go: downloading k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910
go: downloading k8s.io/klog/v2 v2.120.0
go: downloading github.com/spf13/cobra v1.8.0
go: downloading golang.org/x/oauth2 v0.20.0
go: downloading github.com/onsi/gomega v1.30.0
go: downloading golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
go: downloading github.com/fatih/color v1.16.0
go: downloading github.com/go-openapi/swag v0.22.7
go: downloading github.com/onsi/ginkgo/v2 v2.13.0
go: downloading github.com/go-openapi/jsonreference v0.20.4
go: downloading github.com/go-openapi/jsonpointer v0.20.2
go: downloading github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
go: downloading golang.org/x/mod v0.17.0
Unable to find image 'golang:1.22.12@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02' locally
docker.io/library/golang@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02: Pulling from library/golang
a492eee5e559: Pulling fs layer
32b550be6cb6: Pulling fs layer
35af2a7690f2: Pulling fs layer
3b7f19923e15: Pulling fs layer
afa154b433c7: Pulling fs layer
1451027d3c0e: Pulling fs layer
4f4fb700ef54: Pulling fs layer
3b7f19923e15: Waiting
afa154b433c7: Waiting
1451027d3c0e: Waiting
4f4fb700ef54: Waiting
32b550be6cb6: Verifying Checksum
32b550be6cb6: Download complete
a492eee5e559: Verifying Checksum
a492eee5e559: Download complete
35af2a7690f2: Verifying Checksum
35af2a7690f2: Download complete
1451027d3c0e: Verifying Checksum
1451027d3c0e: Download complete
4f4fb700ef54: Verifying Checksum
4f4fb700ef54: Download complete
afa154b433c7: Verifying Checksum
afa154b433c7: Download complete
3b7f19923e15: Verifying Checksum
3b7f19923e15: Download complete
a492eee5e559: Pull complete
32b550be6cb6: Pull complete
35af2a7690f2: Pull complete
3b7f19923e15: Pull complete
afa154b433c7: Pull complete
1451027d3c0e: Pull complete
4f4fb700ef54: Pull complete
Digest: sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02
Status: Downloaded newer image for golang@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02
go: go.mod requires go >= 1.23.0 (running go 1.22.12; GOTOOLCHAIN=local)
make: *** [Makefile:23: __do_generate] Error 1
make[1]: *** [Makefile:14: generate] Error 2
make: *** [Makefile:394: crds] Error 2

@cilium-renovate cilium-renovate bot force-pushed the renovate/v1.2-go-golang.org-x-net-vulnerability branch from a10efa1 to cc189f3 Compare March 13, 2025 09:45
@cilium-renovate cilium-renovate bot force-pushed the renovate/v1.2-go-golang.org-x-net-vulnerability branch 2 times, most recently from fb9871a to 192fbdd Compare March 25, 2025 18:46
@cilium-renovate
chore(deps): update module golang.org/x/net to v0.36.0 [security]
2e970fd 
Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
@cilium-renovate cilium-renovate bot force-pushed the renovate/v1.2-go-golang.org-x-net-vulnerability branch from 192fbdd to 2e970fd Compare March 25, 2025 19:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olsajiri olsajiri

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
release-blocker This PR or issue is blocking the next release. release-note/dependency This PR updates one or multiple dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants