24 matches found
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
Security Bulletin: Improper Hostname Normalization in Axios Enables NO_PROXY Bypass and SSRF Attacks
Summary Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching an...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
CLSA-2026-1776954912 osbuild-composer: Fix of CVE-2026-25679
rebuild with newer golang 1.25.7-1.el96.tuxcare.els2 to fix CVE-2026-25679 net/url: reject IPv6 literal not at start of host...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
SUSE-SU-2026:21200-1 Security update for go1.25
This update for go1.25 fixes the following issues: Update to go1.25.8 bsc1244485: - CVE-2026-25679: net/url: reject IPv6 literal not at start of host bsc1259264. - CVE-2026-27139: os: FileInfo can escape from a Root bsc1259268. - CVE-2026-27142: html/template: URLs in meta content attribute actio...
Important: Red Hat Security Advisory: go-toolset:rhel8 security update
An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...
EUVD-2025-209381
Axios has a NOPROXY Hostname Normalization Bypass Leads to SSRF...
SUSE SLES15 Security Update : go1.26-openssl (SUSE-SU-2026:0993-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0993-1 advisory. Update to go 1.26.1 bsc1255111, jscSLE-18320: - CVE-2026-25679: net/url: reject IPv6 literal not at start of host bsc1259264. -...
SUSE-SU-2026:0977-1 Security update for go1.25-openssl
This update for go1.25-openssl fixes the following issues: Update to go 1.25.8 bsc1244485, jscSLE-18320: - CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling bsc1257692. - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated...
Mozilla Firefox Security Advisory (MFSA2012-02) - Linux
This host is missing a security update for Mozilla Firefox. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; y...
curl: Incorrect IPv6 literal parsing leads to validated connection to unexpected https server.
Summary: The IPv6 ip address can be specified with square brackets like fe80::3. There can also be a zone id specified like fe80::3%15. A URL can specify its hostname with IPv6 literal, It seems that the parsing in curl library is not complete. For instance, it is possible for particular IPv6...
Mozilla Thunderbird 3.1.x Multiple Vulnerabilities
Binary data 801371.prm...
Mozilla Firefox 3.6.x < 3.6.26 Multiple Vulnerabilities
Binary data 6307.prm...
Mandriva Update for mozilla MDVSA-2012:013 (mozilla)
Check for the Version of mozilla OpenVAS Vulnerability Test Mandriva Update for mozilla MDVSA-2012:013 mozilla Authors: System Generated Check Copyright: Copyright c 2012 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it unde...