{"id":"MGASA-2023-0169","summary":"Updated golang packages fix security vulnerability","details":"Angle brackets (\u003c\u003e) were not considered dangerous characters when inserted\ninto CSS contexts. Templates containing multiple actions separated by a\n'/' character could result in unexpectedly closing the CSS context and\nallowing for injection of unexpected HTML, if executed with untrusted\ninput. (CVE-2023-24539)\nNot all valid JavaScript whitespace characters were considered to be\nwhitespace. Templates containing whitespace characters outside of the\ncharacter set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that\nalso contain actions may not be properly sanitized during execution.\n(CVE-2023-24540)\nTemplates containing actions in unquoted HTML attributes (e.g.\n\"attr={{.}}\") executed with empty input could result in output that would\nhave unexpected results when parsed due to HTML normalization rules. This\nmay allow injection of arbitrary attributes into tags. (CVE-2023-29400)\n","modified":"2026-03-25T17:45:14.857452Z","published":"2023-05-16T19:17:40Z","related":["CVE-2023-24539","CVE-2023-24540","CVE-2023-29400"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0169.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31886"},{"type":"REPORT","url":"https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU"},{"type":"REPORT","url":"https://lists.suse.com/pipermail/sle-security-updates/2023-May/014738.html"}],"affected":[{"package":{"name":"golang","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/golang?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.19.9-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0169.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}