21 matches found

Github Security Blog · added yesterday

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Summary The ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms,...

CVSS 5.3 · AI score 5.8 · EPSS 0.00098 · Exploits 0 · References 5 · Affected software 1
OSV · added yesterday

GHSA-XRHX-7G5J-RCJ5 Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Summary The ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms,...

CVSS 5.3 · AI score 5.8 · EPSS 0.00098 · Exploits 0 · References 5
SUSE Linux · added 2026/02/11 9:30 a.m.

Security update for apptainer

This update for apptainer fixes the following issues: Security fixes: CVE-2024-45310: Fixed runc being tricked into creating empty files/directories on host bsc1257432 CVE-2025-65105: Fixed security bypass due to disabling security options bsc1255462 CVE-2025-47914: Fixed malformed constraint may...

CVSS 8.7 · AI score 5.6 · EPSS 0.00607 · Exploits 3 · References 38
EUVD · added 2025/10/03 8:07 p.m.

EUVD-2022-6242

Malicious code in bioql PyPI...

CVSS 8.1 · AI score 6.7 · EPSS 0.03833 · Exploits 1 · References 11
SUSE Linux · added 2025/07/30 9:22 a.m.

Security update for ignition

This update for ignition fixes the following issues: CVE-2025-22870: golang.org/x/net/http/httpproxy: Fixed proxy bypass using IPv6 zone IDs bsc1238681 CVE-2025-22868: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing bsc1239192 Patch Instructions: To install this...

CVSS 8.7 · AI score 6.5 · EPSS 0.00125 · Exploits 2 · References 8
OSV · added 2025/07/30 9:22 a.m.

SUSE-SU-2025:20515-1 Security update for ignition

This update for ignition fixes the following issues: - CVE-2025-22870: golang.org/x/net/http/httpproxy: Fixed proxy bypass using IPv6 zone IDs bsc1238681 - CVE-2025-22868: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing bsc1239192...

CVSS 7.5 · AI score 7.3 · EPSS 0.00125 · Exploits 2 · References 5
GithubExploit · added 2025/07/16 9:02 p.m.

Exploit for CVE-2025-22870

CVE-2025-22870 – Proxy Bypass via IPv6 Zone Parsing in Go 🔐...

CVSS 4.4 · AI score 7.1 · EPSS 0.00024 · Exploits 2
OSV · added 2025/06/18 3:11 a.m.

USN-7574-1 golang-1.22 vulnerabilities

Kyle Seely discovered that the Go net/http module did not properly handle sensitive headers during repeated redirects. An attacker could possibly use this issue to obtain sensitive information. CVE-2024-45336 Juho Forsén discovered that the Go crypto/x509 module incorrectly handled IPv6 addresses...

CVSS 6.8 · AI score 6.7 · EPSS 0.00142 · Exploits 2 · References 6
RedHat Linux · added 2025/05/13 3:59 p.m.

golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints

A flaw was found in the crypto/x509 package of the Golang standard library. A certificate with a URI, which has an IPv6 address with a zone ID, may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI; this...

CVSS 6.1 · AI score 6.8 · EPSS 0.00119 · Exploits 0 · References 7
RedHat Linux · added 2025/04/10 1:04 a.m.

golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints

A flaw was found in the crypto/x509 package of the Golang standard library. A certificate with a URI, which has an IPv6 address with a zone ID, may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI; this...

CVSS 6.1 · AI score 6.8 · EPSS 0.00119 · Exploits 0 · References 7
Microsoft CVE · added 2025/03/27 7:00 a.m.

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

...

CVSS 4.4 · AI score 7 · EPSS 0.00024 · Exploits 2
Amazon · added 2025/03/25 12:00 a.m.

Medium: golang

Issue Overview: net/http: sensitive headers incorrectly sent after cross-domain redirect The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to...

CVSS 6.1 · AI score 6.9 · EPSS 0.00142 · Exploits 2
SUSE Linux · added 2025/03/14 12:51 p.m.

Security update for amazon-ssm-agent

This update for amazon-ssm-agent fixes the following issues: CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs bsc1238702 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...

CVSS 4.8 · AI score 6.7 · EPSS 0.00024 · Exploits 2 · References 4
Microsoft CVE · added 2025/02/13 8:00 a.m.

Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509

...

CVSS 6.1 · AI score 6.7 · EPSS 0.00119 · Exploits 0
CNNVD · added 2025/01/28 12:00 a.m.

Google Go security vulnerability

Google Go is a statically and strongly typed, compiled, concurrent, garbage-collected programming language from Google USA. A security vulnerability exists in Google Go that stems from the possibility that URI certificates with IPv6 addresses with zone IDs may incorrectly satisfy the URI name...

CVSS 6.1 · AI score 6.2 · EPSS 0.00119 · Exploits 0 · References 6
OSV · added 2024/04/12 11:07 a.m.

OESA-2024-1398 rubygem-tzinfo security update

TZInfo provides daylight savings aware transformations between times in different time zones. Security Fixes: TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when use...

CVSS 8.1 · AI score 7.2 · EPSS 0.03833 · Exploits 1 · References 2
RedHat Linux · added 2023/05/03 3:54 p.m.

rubygem-tzinfo: arbitrary code execution

A flaw was found in rubygem-tzinfo. When using the Timezone.get function, it fails to validate time zone identifiers correctly, allowing a new line character input within the identifier. This flaw allows an attacker to use the new line character and write any code, which will be executed within t...

CVSS 8.1 · AI score 6.6 · EPSS 0.03833 · Exploits 1 · References 5
RedHat Linux · added 2022/10/27 1:04 p.m.

rubygem-tzinfo: arbitrary code execution

A flaw was found in rubygem-tzinfo. When using the Timezone.get function, it fails to validate time zone identifiers correctly, allowing a new line character input within the identifier. This flaw allows an attacker to use the new line character and write any code, which will be executed within t...

CVSS 8.1 · AI score 6.6 · EPSS 0.03833 · Exploits 1 · References 5
OSV · added 2022/07/22 4:15 a.m.

DEBIAN-CVE-2022-31163

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source,...

CVSS 8.1 · AI score 6.8 · EPSS 0.03833 · Exploits 1 · References 1
Positive Technologies · added 2022/07/21 12:00 a.m.

PT-2022-20578 · Tzinfo +3

Name of the Vulnerable Software and Affected Versions: TZInfo versions prior to 0.3.61 TZInfo versions 1.0.0 to 1.2.9 when used with the Ruby data source TZInfo version 0.3.60 and earlier Description: The issue is related to relative path traversal in the TZInfo Ruby library, which provides acces...

CVSS 8.1 · AI score 6.6 · EPSS 0.03833 · Exploits 1 · References 39