update: Go, golang.org/x/net

Name: Go, golang.org/x/net
CVEs: CVE-2025-22870
CVSSs: 4.4
Action Needed: update to Go >= 1.24.1/1.23.7, golang.org/x/net >= 0.36.0

Summary:

Go: net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs. Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly match and not be proxied.
- https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI< 6D55 /a>

golang.org/x/net: Version v0.36.0 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/proxy and golang.org/x/net/http/httpproxy packages which could cause the proxy to be bypassed. Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly match and not be proxied.
- https://groups.google.com/g/golang-announce/c/_nL0Tkk0TyM.
- Affected repos:
  - mantle: build(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 mantle#587
  - nebraska: build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 in /backend nebraska#970

refmap.gentoo: TBD

Provide feedback