{"schema_version":"1.7.2","id":"OESA-2023-1294","modified":"2023-05-26T11:05:17Z","published":"2023-05-26T11:05:17Z","upstream":["CVE-2023-29400","CVE-2023-24539","CVE-2023-24540"],"summary":"golang security update","details":"The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nTemplates containing actions in unquoted HTML attributes (e.g. \u0026quot;attr={{.}}\u0026quot;) executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.(CVE-2023-29400)\r\n\r\nAngle brackets (\u0026lt;\u0026gt;) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a \u0026apos;/\u0026apos; character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.(CVE-2023-24539)\r\n\r\nNot all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \u0026quot;\\t\\n\\f\\r\\u0020\\u2028\\u2029\u0026quot; in JavaScript contexts that also contain actions may not be properly sanitized during execution.(CVE-2023-24540)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"golang","purl":"pkg:rpm/openEuler/golang\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.15.7-27.oe1"}]}],"ecosystem_specific":{"aarch64":["golang-1.15.7-27.oe1.aarch64.rpm"],"noarch":["golang-devel-1.15.7-27.oe1.noarch.rpm","golang-help-1.15.7-27.oe1.noarch.rpm"],"src":["golang-1.15.7-27.oe1.src.rpm"],"x86_64":["golang-1.15.7-27.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"golang","purl":"pkg:rpm/openEuler/golang\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.15.7-27.oe1"}]}],"ecosystem_specific":{"aarch64":["golang-1.15.7-27.oe1.aarch64.rpm"],"noarch":["golang-help-1.15.7-27.oe1.noarch.rpm","golang-devel-1.15.7-27.oe1.noarch.rpm"],"src":["golang-1.15.7-27.oe1.src.rpm"],"x86_64":["golang-1.15.7-27.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS","name":"golang","purl":"pkg:rpm/openEuler/golang\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.17.3-18.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["golang-1.17.3-18.oe2203.aarch64.rpm","golang-1.17.3-18.oe2203sp1.aarch64.rpm"],"noarch":["golang-help-1.17.3-18.oe2203.noarch.rpm","golang-devel-1.17.3-18.oe2203.noarch.rpm","golang-devel-1.17.3-18.oe2203sp1.noarch.rpm","golang-help-1.17.3-18.oe2203sp1.noarch.rpm"],"src":["golang-1.17.3-18.oe2203.src.rpm","golang-1.17.3-18.oe2203sp1.src.rpm"],"x86_64":["golang-1.17.3-18.oe2203.x86_64.rpm","golang-1.17.3-18.oe2203sp1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP1","name":"golang","purl":"pkg:rpm/openEuler/golang\u0026distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.17.3-18.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["golang-1.17.3-18.oe2203sp1.aarch64.rpm"],"noarch":["golang-devel-1.17.3-18.oe2203sp1.noarch.rpm","golang-help-1.17.3-18.oe2203sp1.noarch.rpm"],"src":["golang-1.17.3-18.oe2203sp1.src.rpm"],"x86_64":["golang-1.17.3-18.oe2203sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1294"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29400"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24539"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24540"}],"database_specific":{"severity":"High"}}