Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: fix CVE-2023-24539 [1.20 backport] #59812

Closed
gopherbot opened this issue Apr 24, 2023 · 2 comments
Closed

security: fix CVE-2023-24539 [1.20 backport] #59812

gopherbot opened this issue Apr 24, 2023 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.20.4

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #59720 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues for this security fix
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Apr 24, 2023
@gopherbot gopherbot mentioned this issue Apr 24, 2023
Closed
@gopherbot gopherbot added this to the Go1.20.4 milestone Apr 24, 2023
@neild neild added Security release-blocker CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Apr 24, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/491336 mentions this issue: [release-branch.go1.20] html/template: disallow angle brackets in CSS values

@gopherbot
Copy link
Contributor Author

Closed by merging 090590f to release-branch.go1.20.

gopherbot pushed a commit that referenced this issue May 2, 2023
@rolandshoemaker @cagedmantis
[release-branch.go1.20] html/template: disallow angle brackets in CSS…
090590f 
… values

Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59720
Fixes #59812
Fixes CVE-2023-24539

Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491336
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
bradfitz pushed a commit to tailscale/go that referenced this issue May 25, 2023
@rolandshoemaker @bradfitz
[release-branch.go1.20] html/template: disallow angle brackets in CSS…
10da5ba 
… values

Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For golang#59720
Fixes golang#59812
Fixes CVE-2023-24539

Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491336
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
bradfitz pushed a commit to tailscale/go that referenced this issue May 25, 2023
@rolandshoemaker @bradfitz
[release-branch.go1.20] html/template: disallow angle brackets in CSS…
23f4b2a 
… values

Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For golang#59720
Fixes golang#59812
Fixes CVE-2023-24539

Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491336
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
@golang golang locked and limited conversation to collaborators May 1, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.20.4
Development

No branches or pull requests
2 participants
@neild @gopherbot