fix(golang-github-hashicorp-go-retryablehttp): CVE-2024-6104

debian/changelog

@@ -1,3 +1,12 @@
+golang-github-hashicorp-go-retryablehttp (0.7.0-1deepin1) unstable; urgency=medium
+
+  * Fix CVE-2024-6104: URL basic auth credentials leak in logs.
+    - Add redactURL function to redact sensitive information from URLs
+      before logging, preventing exposure of HTTP basic auth credentials.
+    - Backport fix from upstream commit b2aee50.
+
+ -- hudeng <[email protected]>  Tue, 29 Apr 2026 12:40:00 +0800
+
 golang-github-hashicorp-go-retryablehttp (0.7.0-1) unstable; urgency=medium
 
   * Team upload.

debian/patches/CVE-2024-6104.patch

@@ -0,0 +1,69 @@
+diff --git a/client.go b/client.go
+index adbdd92..d24a3a0 100644
+--- a/client.go
++++ b/client.go
+@@ -546,9 +546,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 	if logger != nil {
+ 		switch v := logger.(type) {
+ 		case LeveledLogger:
+-			v.Debug("performing request", "method", req.Method, "url", req.URL)
++			v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
+ 		case Logger:
+-			v.Printf("[DEBUG] %s %s", req.Method, req.URL)
++			v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
+ 		}
+ 	}
+
+@@ -599,9 +599,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 		if doErr != nil {
+ 			switch v := logger.(type) {
+ 			case LeveledLogger:
+-				v.Error("request failed", "error", doErr, "method", req.Method, "url", req.URL)
++				v.Error("request failed", "error", doErr, "method", req.Method, "url", redactURL(req.URL))
+ 			case Logger:
+-				v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, doErr)
++				v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), doErr)
+ 			}
+ 		} else {
+ 			// Call this here to maintain the behavior of logging all requests,
+@@ -636,7 +636,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 		}
+
+ 		wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
+-		desc := fmt.Sprintf("%s %s", req.Method, req.URL)
++		desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
+ 		if code > 0 {
+ 			desc = fmt.Sprintf("%s (status: %d)", desc, code)
+ 		}
+@@ -687,11 +687,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 	// communicate why
+ 	if err == nil {
+ 		return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
+-			req.Method, req.URL, attempt)
++			req.Method, redactURL(req.URL), attempt)
+ 	}
+
+ 	return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
+-		req.Method, req.URL, attempt, err)
++		req.Method, redactURL(req.URL), attempt, err)
+ }
+
+ // Try to read the response body so we can reuse this connection.
+@@ -772,3 +772,17 @@ func (c *Client) StandardClient() *http.Client {
+ 		Transport: &RoundTripper{Client: c},
+ 	}
+ }
++
++// redactURL redacts sensitive information from URL for logging.
++// Taken from url.URL#Redacted() which was introduced in go 1.15.
++func redactURL(u *url.URL) string {
++	if u == nil {
++		return ""
++	}
++
++	ru := *u
++	if _, has := ru.User.Password(); has {
++		ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
++	}
++	return ru.String()
++}

debian/patches/series

@@ -0,0 +1 @@
+CVE-2024-6104.patch