Bugzilla – Bug 1211030
VUL-0: CVE-2023-24540: go1.19,go1.20: html/template: improper handling of JavaScript whitespace
Last modified: 2024-03-27 14:41:12 UTC
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
Thanks for the report Jeff. html/template package is delivered by Go and cannot be vendored and embedded in any other packages. Rebuilding packages with a fixed version of go1.X is enough for us
SUSE-SU-2023:2105-1: An update that solves seven vulnerabilities and has three fixes can now be installed. Category: security (important) Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Sources used: openSUSE Leap 15.4 (src): go1.20-1.20.4-150000.1.11.1 Development Tools Module 15-SP4 (src): go1.20-1.20.4-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2127-1: An update that solves seven vulnerabilities, contains one feature and has four fixes can now be installed. Category: security (important) Bug References: 1200441, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031, 1211073 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Jira References: PED-1962 Sources used: openSUSE Leap 15.4 (src): go1.19-1.19.9-150000.1.31.1 Development Tools Module 15-SP4 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.9-150000.1.31.1 SUSE Enterprise Storage 7.1 (src): go1.19-1.19.9-150000.1.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2105-2: An update that solves seven vulnerabilities and has three fixes can now be installed. Category: security (important) Bug References: 1206346, 1210127, 1210128, 1210129, 1210130, 1210938, 1210963, 1211029, 1211030, 1211031 CVE References: CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400 Sources used: SUSE Linux Enterprise Real Time 15 SP3 (src): go1.20-1.20.4-150000.1.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done