Updated golang packages fix security vulnerability
Publication date: 16 May 2023Modification date: 16 May 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-24539 , CVE-2023-24540 , CVE-2023-29400
Description
Angle brackets (<>) were not considered dangerous characters when inserted
into CSS contexts. Templates containing multiple actions separated by a
'/' character could result in unexpectedly closing the CSS context and
allowing for injection of unexpected HMTL, if executed with untrusted
input. (CVE-2023-24539)
Not all valid JavaScript whitespace characters were considered to be
whitespace. Templates containing whitespace characters outside of the
character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that
also contain actions may not be properly sanitized during execution.
(CVE-2023-24540)
Templates containing actions in unquoted HTML attributes (e.g.
"attr={{.}}") executed with empty input could result in output that would
have unexpected results when parsed due to HTML normalization rules. This
may allow injection of arbitrary attributes into tags. (CVE-2023-29400)
References
- https://bugs.mageia.org/show_bug.cgi?id=31886
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://lists.suse.com/pipermail/sle-security-updates/2023-May/014738.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24539
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24540
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29400
SRPMS
8/core
- golang-1.19.9-1.mga8