Bugzilla – Bug 1211029
VUL-0: CVE-2023-24539: go1.19,go1.20: html/template: improper sanitization of CSS values
Last modified: 2024-03-27 14:41:09 UTC
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
Thanks for the report Jeff. html/template package is delivered by Go and cannot be vendored and embedded in any other packages. Rebuilding packages with a fixed version of go1.X is enough for us
SUSE-SU-2023:2105-1: An update that solves seven vulnerabilities and has three fixes can now be installed. Category: security (important) Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Sources used: openSUSE Leap 15.4 (src): go1.20-1.20.4-150000.1.11.1 Development Tools Module 15-SP4 (src): go1.20-1.20.4-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2127-1: An update that solves seven vulnerabilities, contains one feature and has four fixes can now be installed. Category: security (important) Bug References: 1200441, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031, 1211073 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Jira References: PED-1962 Sources used: openSUSE Leap 15.4 (src): go1.19-1.19.9-150000.1.31.1 Development Tools Module 15-SP4 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Enterprise Storage 7.1 (src): go1.19-1.19.9-150000.1.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2105-2: An update that solves seven vulnerabilities and has three fixes can now be installed. Category: security (important) Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Sources used: SUSE Linux Enterprise Real Time 15 SP3 (src): go1.20-1.20.4-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done