[security] Vulnerabilities in golang.org/x/net/html and golang.org/x/image/tiff


Damien Neil

Aug 1, 2023, 6:38:14 PM
to golang-...@googlegroups.com
Hello gophers,

Version v0.13.0 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which caused a mismatch between parsing and rendering.
Text nodes not in the HTML namespace were incorrectly rendered literally, so text that should have been escaped was not. This could lead to an XSS attack.
Thanks to Mohammad Thoriq Aziz for reporting this issue. This is CVE-2023-3978 and Go issue https://go.dev/issues/61615.

Version v0.10.0 of golang.org/x/image fixes two vulnerabilities in the golang.org/x/image/tiff package which can cause excessive CPU or memory consumption when parsing images.
Thanks to Philippe Antoine (Catena cyber) for reporting these issues. These are CVE-2023-29407 and Go issue https://github.com/golang/go/issues/61581, and CVE-2023-29408 and Go issue https://github.com/golang/go/issues/61582.

- Damien, on behalf of the Go team.
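The following is an added illustration, not code from the announcement or from golang.org/x/net: a toy parse-tree renderer that models the behaviour described above, with the flawed path (text outside the HTML namespace copied through literally) beside the fixed one (every text node escaped). The Node type, render and sample document are constructed for this example only.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Node models a parse-tree node for this example; it is not the x/net/html Node type.
type Node struct {
	Tag       string // element name; empty for text nodes
	Text      string // content of a text node
	Namespace string // "" for HTML content, "svg" for foreign content
	Children  []*Node
}

// render serialises the tree. escapeForeign=false models the flaw the announcement
// describes (text outside the HTML namespace copied through literally); true models the fix.
func render(n *Node, escapeForeign bool) string {
	var sb strings.Builder
	var walk func(*Node)
	walk = func(n *Node) {
		if n.Tag == "" {
			if n.Namespace == "" || escapeForeign {
				sb.WriteString(html.EscapeString(n.Text))
				return
			}
			sb.WriteString(n.Text) // parsed as text, re-emitted as live markup
			return
		}
		fmt.Fprintf(&sb, "<%s>", n.Tag)
		for _, c := range n.Children {
			walk(c)
		}
		fmt.Fprintf(&sb, "</%s>", n.Tag)
	}
	walk(n)
	return sb.String()
}

// sample is a constructed document: HTML text beside text in an <svg> subtree (outside the HTML namespace).
func sample() *Node {
	svgText := &Node{Text: "<b>not markup</b>", Namespace: "svg"}
	return &Node{Tag: "div", Children: []*Node{
		{Tag: "p", Children: []*Node{{Text: "a < b"}}},
		{Tag: "svg", Namespace: "svg", Children: []*Node{svgText}},
	}}
}

func main() { fmt.Println(render(sample(), false) + "\n" + render(sample(), true)) }
```

A round-trip check of this shape (render, then confirm no text node's angle brackets survive unescaped) is a cheap regression test to keep alongside any code that re-serialises parsed HTML.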