From 8058225aa210ade415af530a5ad7bd6f08ae6864 Mon Sep 17 00:00:00 2001
From: sa-buc <zjl02254423@alibaba-inc.com>
Date: Thu, 20 Nov 2025 10:18:50 +0800
Subject: [PATCH] fix cve

---
 ...t-http-strip-sensitive-proxy-headers.patch | 66 ++++++++++++++++++
 ...t-http-strip-sensitive-proxy-headers.patch | 68 +++++++++++++++++++
 golang.spec                                   |  7 +-
 3 files changed, 140 insertions(+), 1 deletion(-)
 create mode 100644 0025-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
 create mode 100644 0050-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch

diff --git a/0025-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch b/0025-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
new file mode 100644
index 0000000..638a8a5
--- /dev/null
+++ b/0025-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
@@ -0,0 +1,66 @@
+From 709fda0a42b8ffde78136af52e02f260622926fa Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Wed, 21 May 2025 14:11:44 -0400
+Subject: [PATCH] net/http: strip sensitive proxy headers from redirect
+ requests
+ 
+Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.
+ 
+https://fetch.spec.whatwg.org/#authentication-entries
+ 
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
+ 
+Updates golang/go#73816
+Fixes golang/go#73905
+Fixes CVE-2025-4673
+ 
+Confict: no
+Reference:https://go-review.googlesource.com/c/go/+/679255
+ 
+Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0
+Reviewed-on: https://go-review.googlesource.com/c/go/+/679255
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Signed-off-by: jichao wu <wujichao1@huawei.com>
+---
+ src/net/http/client.go      | 3 ++-
+ src/net/http/client_test.go | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ 
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index 9231f63..a814cf3 100644
+--- a/src/net/http/client.go
++++ b/src/net/http/client.go
+@@ -805,7 +805,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit
+ 		for k, vv := range ireqhdr {
+ 			sensitive := false
+ 			switch CanonicalHeaderKey(k) {
+-			case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
++			case "Authorization", "Www-Authenticate", "Cookie", "Cookie2",
++				"Proxy-Authorization", "Proxy-Authenticate":
+ 				sensitive = true
+ 			}
+ 			if !(sensitive && stripSensitiveHeaders) {
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 1ce9539..8ab4f58 100644
+--- a/src/net/http/client_test.go
++++ b/src/net/http/client_test.go
+@@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
+ 		if r.Host+r.URL.Path != "a.example.com/" {
+ 			if h := r.Header.Get("Authorization"); h != "" {
+ 				t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h)
++			} else if h := r.Header.Get("Proxy-Authorization"); h != "" {
++				t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h)
+ 			}
+ 		}
+ 		// Follow a chain of redirects from a to b and back to a.
+@@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
+ 	req, _ := NewRequest("GET", proto+"://a.example.com/", nil)
+ 	req.Header.Add("Cookie", "foo=bar")
+ 	req.Header.Add("Authorization", "secretpassword")
++	req.Header.Add("Proxy-Authorization", "secretpassword")
+ 	res, err := c.Do(req)
+ 	if err != nil {
+ 		t.Fatal(err)
+-- 
+2.33.0
diff --git a/0050-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch b/0050-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
new file mode 100644
index 0000000..6c046af
--- /dev/null
+++ b/0050-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
@@ -0,0 +1,68 @@
+From 709fda0a42b8ffde78136af52e02f260622926fa Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Wed, 21 May 2025 14:11:44 -0400
+Subject: [PATCH] net/http: strip sensitive proxy headers from redirect
+ requests
+
+Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.
+
+https://fetch.spec.whatwg.org/#authentication-entries
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
+
+Updates golang/go#73816
+Fixes golang/go#73905
+Fixes CVE-2025-4673
+
+Confict: no
+Reference:https://go-review.googlesource.com/c/go/+/679255
+
+Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0
+Reviewed-on: https://go-review.googlesource.com/c/go/+/679255
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Signed-off-by: jichao wu <wujichao1@huawei.com>
+---
+ src/net/http/client.go      | 3 ++-
+ src/net/http/client_test.go | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index 9231f63..a814cf3 100644
+--- a/src/net/http/client.go
++++ b/src/net/http/client.go
+@@ -805,7 +805,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit
+ 		for k, vv := range ireqhdr {
+ 			sensitive := false
+ 			switch CanonicalHeaderKey(k) {
+-			case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
++			case "Authorization", "Www-Authenticate", "Cookie", "Cookie2",
++				"Proxy-Authorization", "Proxy-Authenticate":
+ 				sensitive = true
+ 			}
+ 			if !(sensitive && stripSensitiveHeaders) {
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 1ce9539..8ab4f58 100644
+--- a/src/net/http/client_test.go
++++ b/src/net/http/client_test.go
+@@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
+ 		if r.Host+r.URL.Path != "a.example.com/" {
+ 			if h := r.Header.Get("Authorization"); h != "" {
+ 				t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h)
++			} else if h := r.Header.Get("Proxy-Authorization"); h != "" {
++				t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h)
+ 			}
+ 		}
+ 		// Follow a chain of redirects from a to b and back to a.
+@@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
+ 	req, _ := NewRequest("GET", proto+"://a.example.com/", nil)
+ 	req.Header.Add("Cookie", "foo=bar")
+ 	req.Header.Add("Authorization", "secretpassword")
++	req.Header.Add("Proxy-Authorization", "secretpassword")
+ 	res, err := c.Do(req)
+ 	if err != nil {
+ 		t.Fatal(err)
+-- 
+2.33.0
+
+
diff --git a/golang.spec b/golang.spec
index 00a21b7..0794a55 100644
--- a/golang.spec
+++ b/golang.spec
@@ -1,4 +1,4 @@
-%define anolis_release 12
+%define anolis_release 13
 
 # Disable debuginfo packages
 %global debug_package %{nil}
@@ -136,6 +136,8 @@ Patch48:         0048-Fix-CVE-2025-22870.patch
 Patch49:         0049-Fix-CVE-2025-58189.patch
 # https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1
 Patch50:         1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch
+# https://github.com/golang/go/commit/85897ca220a149333a88b1e4d63f3b751f1141f5
+Patch51:         0050-Fix-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
 
 # The compiler is written in Go. Needs go(1.4+) compiler for build.
 %if %{with bootstrap}
@@ -613,6 +615,9 @@ fi
 %files docs -f go-docs.list
 
 %changelog
+* Thu Nov 20 2025 zhoujiajia111 <zjl02254423@alibaba-inc.com> - 1.24.0.13
+- Add patch to fix CVE-2025-4673
+
 * Mon Nov 17 2025 lzq11122 <lzq02303433@alibaba-inc.com> - 1.24.0-12
 - Add patch to fix CVE-2025-58185 and CVE-2025-61723
 
-- 
Gitee