[security] Vulnerabilities in golang.org/x/net/html and golang.org/x/image/tiff
Damien Neil
Aug 1, 2023, 6:38:14 PM
to golang-...@googlegroups.com
Hello gophers,
Version v0.13.0 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which caused a mismatch between parsing and rendering.
Text nodes not in the HTML namespace were being incorrectly literally rendered, causing text which should've been escaped to not be. This could lead to an XSS attack.
Thanks to Mohammad Thoriq Aziz for reporting this issue. This is CVE-2023-3978 and Go issue https://go.dev/issues/61615.
Version v0.10.0 of golang.org/x/image fixes two vulnerabilities in the golang.org/x/image/tiff package which can cause excessive CPU or memory consumption when parsing images.