@@ -38,7 +38,8 @@ SRC_URI += "\
file://CVE-2023-29405.patch \
file://CVE-2023-29402.patch \
file://CVE-2023-29400.patch \
- file://CVE-2023-29406.patch \
+ file://CVE-2023-29406-1.patch \
+ file://CVE-2023-29406-2.patch \
file://CVE-2023-24536_1.patch \
file://CVE-2023-24536_2.patch \
file://CVE-2023-24536_3.patch \
similarity index 100%
rename from meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
rename to meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch
new file mode 100644
@@ -0,0 +1,114 @@
+From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 19 Jul 2023 10:30:46 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with
+ invalid Host headers
+
+Historically, the Transport has silently truncated invalid
+Host headers at the first '/' or ' ' character. CL 506996 changed
+this behavior to reject invalid Host headers entirely.
+Unfortunately, Docker appears to rely on the previous behavior.
+
+When sending a HTTP/1 request with an invalid Host, send an empty
+Host header. This is safer than truncation: If you care about the
+Host, then you should get the one you set; if you don't care,
+then an empty Host should be fine.
+
+Continue to fully validate Host headers sent to a proxy,
+since proxies generally can't productively forward requests
+without a Host.
+
+For #60374
+Fixes #61431
+Fixes #61825
+
+Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1]
+CVE: CVE-2023-29406
+Signed-off-by: Ming Liu <liu.ming50@gmail.com>
+---
+ src/net/http/request.go | 23 ++++++++++++++++++++++-
+ src/net/http/request_test.go | 17 ++++++++++++-----
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index 3100037386..91cb8a66b9 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -582,8 +582,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ if err != nil {
+ return err
+ }
++ // Validate that the Host header is a valid header in general,
++ // but don't validate the host itself. This is sufficient to avoid
++ // header or request smuggling via the Host field.
++ // The server can (and will, if it's a net/http server) reject
++ // the request if it doesn't consider the host valid.
+ if !httpguts.ValidHostHeader(host) {
+- return errors.New("http: invalid Host header")
++ // Historically, we would truncate the Host header after '/' or ' '.
++ // Some users have relied on this truncation to convert a network
++ // address such as Unix domain socket path into a valid, ignored
++ // Host header (see https://go.dev/issue/61431).
++ //
++ // We don't preserve the truncation, because sending an altered
++ // header field opens a smuggling vector. Instead, zero out the
++ // Host header entirely if it isn't valid. (An empty Host is valid;
++ // see RFC 9112 Section 3.2.)
++ //
++ // Return an error if we're sending to a proxy, since the proxy
++ // probably can't do anything useful with an empty Host header.
++ if !usingProxy {
++ host = ""
++ } else {
++ return errors.New("http: invalid Host header")
++ }
+ }
+
+ // According to RFC 6874, an HTTP client, proxy, or other
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index fddc85d6a9..dd1e2dc2a1 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
+ }
+ }
+
+-func TestRequestBadHost(t *testing.T) {
++func TestRequestBadHostHeader(t *testing.T) {
+ got := []string{}
+ req, err := NewRequest("GET", "http://foo/after", nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+- req.Host = "foo.com with spaces"
+- req.URL.Host = "foo.com with spaces"
+- if err := req.Write(logWrites{t, &got}); err == nil {
+- t.Errorf("Writing request with invalid Host: succeded, want error")
++ req.Host = "foo.com\nnewline"
++ req.URL.Host = "foo.com\nnewline"
++ req.Write(logWrites{t, &got})
++ want := []string{
++ "GET /after HTTP/1.1\r\n",
++ "Host: \r\n",
++ "User-Agent: " + DefaultUserAgent + "\r\n",
++ "\r\n",
++ }
++ if !reflect.DeepEqual(got, want) {
++ t.Errorf("Writes = %q\n Want = %q", got, want)
+ }
+ }
+
+--
+2.34.1
+