[AUTO-CHERRYPICK] [Medium] Patch vitess for CVE-2025-22870 - branch main (#13132)

CBL-Mariner-Bot · v-smalavathu · web-flow · commit eb0be700c8b9 · 2025-03-27T13:17:40.000-04:00
Co-authored-by: Sreenivasulu Malavathula (HCL Technologies Ltd) &lt;v-smalavathu@microsoft.com&gt;
diff --git a/SPECS/vitess/CVE-2025-22870.patch b/SPECS/vitess/CVE-2025-22870.patch
@@ -0,0 +1,47 @@
+From 78795fb465acee058a91bc6cfaee88563df39eb0 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
+Date: Wed, 19 Mar 2025 17:57:00 -0500
+Subject: [PATCH] Address CVE-2025-22870
+
+---
+ vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http/httpproxy/proxy.go b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 6404aaf..d89c257 100644
+--- a/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"os"
+ 	"strings"
+@@ -177,8 +178,10 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
++	nip, err := netip.ParseAddr(host)
++	var ip net.IP
++	if err == nil {
++		ip = net.IP(nip.AsSlice())
+ 		if ip.IsLoopback() {
+ 			return false
+ 		}
+@@ -360,6 +363,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++		return false
++	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.45.2
+
diff --git a/SPECS/vitess/vitess.spec b/SPECS/vitess/vitess.spec
@@ -3,7 +3,7 @@
 
 Name:           vitess
 Version:        17.0.7
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License:        MIT and ASL 2.0
@@ -30,6 +30,7 @@ Patch0:         CVE-2024-45338.patch
 Patch1:         CVE-2024-45339.patch
 Patch2:         CVE-2025-22868.patch
 Patch3:         CVE-2024-53257.patch
+Patch4:         CVE-2025-22870.patch
 BuildRequires: golang
 
 %description
@@ -102,6 +103,9 @@ go test -v ./go/cmd/... \
 %{_bindir}/*
 
 %changelog
+* Thu Mar 20 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 17.0.7-7
+- Fix CVE-2024-51744 with an upstream patch
+
 * Thu Mar 06 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 17.0.7-6
 - Fix add patch for CVE-2024-53257
 
