When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. https://github.com/golang/go/issues/65065
Created golang tracking bugs for this issue: Affects: epel-all [bug 2268243] Affects: fedora-all [bug 2268242]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2724 https://access.redhat.com/errata/RHSA-2024:2724