1181051 – (CVE-2020-28851) VUL-0: CVE-2020-28851: go1.15,go1.14: go: Panic in language.ParseAcceptLanguage while parsing -u- extension

Bug 1181051 (CVE-2020-28851) - VUL-0: CVE-2020-28851: go1.15,go1.14: go: Panic in language.ParseAcceptLanguage while parsing -u- extension

Summary: VUL-0: CVE-2020-28851: go1.15,go1.14: go: Panic in language.ParseAcceptLangua...

Status:	RESOLVED FIXED

Alias:	CVE-2020-28851

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Jeff Kowalczyk
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/274459/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-28851:5.3:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-01-18 10:19 UTC by Marcus Meissner
Modified:	2024-04-26 13:33 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2021-01-18 10:19:15 UTC

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. x/text/language is supposed to be able to parse an HTTP Accept-Language header.

Upstream issue:

https://github.com/golang/go/issues/42535

Comment 1 Alexander Bergmann 2021-05-12 11:32:00 UTC

It looks like this issue is not directly about go, but about golang-org-x-text.

@Jeff, please verify.

Comment 2 Marcus Meissner 2024-04-26 13:33:17 UTC

was done I think