[security] Vulnerability in golang.org/x/net/html
141 views
Skip to first unread message
Filippo Valsorda
May 20, 2021, 1:21:20 PM5/20/21
to golang-nuts, golang-...@googlegroups.com, golang-dev
Hello gophers,
Version v0.0.0-20210520170846-37e1c6afe023 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service.
An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return.
This issue was discovered by OSS-Fuzz and reported to us by Andrew Thornton <ar...@cantab.net>, and is tracked as CVE-2021-33194.
Cheers,
Filippo on behalf of the Go team
Version v0.0.0-20210520170846-37e1c6afe023 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service.
An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return.
This issue was discovered by OSS-Fuzz and reported to us by Andrew Thornton <ar...@cantab.net>, and is tracked as CVE-2021-33194.
Cheers,
Filippo on behalf of the Go team
ajstarks
May 20, 2021, 6:52:56 PM5/20/21
to golang-nuts
thanks for the update.
In future announcements it may be useful to include the command to perform the upgrade as in
Reply all
Reply to author
Forward
0 new messages