Bug 1223309 (CVE-2024-32875)

Summary: VUL-0: CVE-2024-32875: hugo: XSS injection from Markdown content files (release v0.125.3)
Product: [openSUSE] openSUSE Distribution Reporter: Alexander Bergmann <abergmann>
Component: SecurityAssignee: Jeff Kowalczyk <jkowalczyk>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann
Version: Leap 15.5   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/402924/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2024-04-23 13:51:08 UTC 
v0.125.3

This release fixes a security issue reported by @ejona86 (see #12411) that could allow XSS injection from Markdown content files if one of the internal link or image render hook templates added in Hugo 0.123.0 are enabled. You typically control and trust the content files, but according to Hugo's security model, we state that "template and configuration authors (you) are trusted, but the data you send in is not."

 markup/goldmark: Fix data race in the hugocontext wrapper 509ab08 @bep
 tpl: Escape .Title in built-in image and link render hooks 15a4b9b @bep
 tpl/tplimpl: Improve embedded templates 10a8448 @jmooring #12396
 SECURITY.md: Update link to security model 722c486 @ejona86
 modules: Fix potential infinite loop in module collection f40f50e @bep #12407

References:
https://github.com/gohugoio/hugo/releases/tag/v0.125.3
Comment 1 Jeff Kowalczyk 2024-04-23 14:00:34 UTC 
Version containing fix has been submitted to Factory with a reference to this issue.
Comment 2 OBSbugzilla Bot 2024-04-23 14:35:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1223309) was mentioned in
https://build.opensuse.org/request/show/1169894 Factory / hugo
Comment 3 Marcus Rückert 2024-04-23 15:06:46 UTC 
dont forget backports sp6