Bugzilla – Bug 1215085
VUL-0: CVE-2023-39319: go1.20,go1.21: html/template: improper handling of special tags within script contexts
Last modified: 2024-07-10 13:28:03 UTC
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.
This is an autogenerated message for OBS integration: This bug (1215085) was mentioned in https://build.opensuse.org/request/show/1109621 Factory / go1.20
Is go1.19 vulnerable to CVE-2023-393(18-19)? I've a L3 ticket for it where the customer is asking for PTF with fix these two cve's for g1.19
Please ignore comment #3. I see them flagged unsupported.
SUSE-SU-2023:3701-1: An update that solves five vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1212475, 1215084, 1215085, 1215086, 1215087, 1215090 CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322 Sources used: Development Tools Module 15-SP5 (src): go1.21-1.21.1-150000.1.6.1 openSUSE Leap 15.4 (src): go1.21-1.21.1-150000.1.6.1 openSUSE Leap 15.5 (src): go1.21-1.21.1-150000.1.6.1 Development Tools Module 15-SP4 (src): go1.21-1.21.1-150000.1.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3700-1: An update that solves two vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1206346, 1215084, 1215085, 1215090 CVE References: CVE-2023-39318, CVE-2023-39319 Sources used: openSUSE Leap 15.4 (src): go1.20-1.20.8-150000.1.23.1 openSUSE Leap 15.5 (src): go1.20-1.20.8-150000.1.23.1 Development Tools Module 15-SP4 (src): go1.20-1.20.8-150000.1.23.1 Development Tools Module 15-SP5 (src): go1.20-1.20.8-150000.1.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3840-1: An update that solves three vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1206346, 1213880, 1215084, 1215085, 1215090 CVE References: CVE-2023-29409, CVE-2023-39318, CVE-2023-39319 Sources used: openSUSE Leap 15.4 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 openSUSE Leap 15.5 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.8.1-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1215085) was mentioned in https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109 CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487 JIRA References: Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): go-1.21-41.1, go1.21-1.21.3-2.1
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed. Category: security (moderate) Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944 CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284 Jira References: SLE-18320 Sources used: openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.