SB2025080129 - Anolis OS update for go-toolset:an8 module

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2024-45336)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the HTTP client will send Authorization header to a third-party domain after a chain of redirects. A remote attacker can gain unauthorized access to credentials.

2) Input validation error (CVE-ID: CVE-2024-45341)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect handling of URI name constraint in certificate chains. A remote attacker can create a certificate with a URI, which has a IPv6 address with a zone ID, and bypass URI name checks.

The vulnerability affects users of private PKIs which make use of URIs.

3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-22871)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests when handling chunked data in net/http. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

4) Information disclosure (CVE-ID: CVE-2025-4673)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to sensitive Proxy-Authorization and Proxy-Authenticate headers are not cleared on cross-origin redirect in net/http. A remote attacker can gain access to credentials passed via these headers.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2025:0489