Security update provided for multiple Go Open-source programming language
37141
03 March 2026
03 March 2026
CLOSED
MEDIUM
Varies
CVE-2025-22871, CVE-2025-22870, CVE-2025-22869
| Brocade Security Advisory ID | BSA-2026-3351 |
| Component | Go programming language |
Summary
Security update provided for multiple vulnerabilities in the Go open-source programming language.
- CVE-2025-22871
Affects: net/http/internal
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
BASE: 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CVE-2025-22870
Affects: golang.org/x/net
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
CWE-115: Misinterpretation of Input
SCORE: 4.4 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
- CVE-2025-22869
Affects: golang.org/x/crypto
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CWE-770: Allocation of Resources Without Limits or Throttling
SCORE: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
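
The NO_PROXY mismatch described for CVE-2025-22870, shown as an added Go example (not code from golang.org/x/net or from Brocade): `naiveBypass` suffix-matches the raw host with its zone ID, while `strictBypass` parses the host as an address first. The function names and the simplified pattern rules (comma-separated list of `*.domain`, `.domain`, `domain` or IP literals) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

func hostOf(hostport string) string {
	host, _, _ := net.SplitHostPort(hostport) // example assumes "host:port" input
	return strings.ToLower(host)
}

// naiveBypass reproduces the flaw: the raw host, zone ID included, is suffix-matched.
func naiveBypass(hostport, noProxy string) bool {
	host := hostOf(hostport)
	for _, p := range strings.Split(noProxy, ",") {
		suffix := strings.TrimPrefix(strings.TrimSpace(p), "*")
		if suffix != "" && strings.HasSuffix(host, suffix) {
			return true
		}
	}
	return false
}

// strictBypass parses the host first: an IP literal (zoned or not) never matches a domain pattern.
func strictBypass(hostport, noProxy string) bool {
	host := hostOf(hostport)
	addr, addrErr := netip.ParseAddr(host)
	for _, p := range strings.Split(noProxy, ",") {
		p = strings.ToLower(strings.TrimSpace(p))
		pa, patErr := netip.ParseAddr(p)
		switch dom := strings.TrimPrefix(strings.TrimPrefix(p, "*"), "."); {
		case addrErr == nil || patErr == nil: // IP on either side: address compare only
			if addrErr == nil && patErr == nil && pa == addr {
				return true
			}
		case dom != "" && !strings.ContainsAny(host, ":%") &&
			(host == p || strings.HasSuffix(host, "."+dom)):
			return true
		}
	}
	return false
}

func main() {
	h := "[::1%25.example.com]:80" // host:port from the advisory's example
	fmt.Println(naiveBypass(h, "*.example.com"), strictBypass(h, "*.example.com"))
}
```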
Products Affected
- Brocade ASCG versions before 3.4.0
Products Not Affected
- Brocade Fabric OS versions before 9.2.0 [VEX Justification: Component_not_present]
- Brocade Fabric OS versions 9.2.0 through 9.2.1c3 [VEX Justification: Vulnerable_code_cannot_be_controlled_by_adversary]
- Brocade Fabric OS versions after 9.2.1c3 [VEX Justification: Component_not_present]
- Brocade SANnav [VEX Justification: Vulnerable_code_not_in_execute_path]
Solution
- Vulnerable code component removed from Brocade Fabric OS 9.2.2 and 10.0.0
- Solution provided in Brocade ASCG 3.4.0
Revision History
| Version | Change | Date |
|---|---|---|
| 1.0 | Initial Publication | March 3, 2026 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.