An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1294 Final 1.0 1.0 2023-05-26 Initial 2023-05-26 2023-05-26 openEuler SA Tool V1.0 2023-05-26 golang security update An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1. The Go Programming Language. Security Fix(es): Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.(CVE-2023-29400) Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.(CVE-2023-24539) Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.(CVE-2023-24540) An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High golang https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1294 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-29400 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-24539 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-24540 https://nvd.nist.gov/vuln/detail/CVE-2023-29400 https://nvd.nist.gov/vuln/detail/CVE-2023-24539 https://nvd.nist.gov/vuln/detail/CVE-2023-24540 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 golang-1.15.7-27.oe1.aarch64.rpm golang-1.15.7-27.oe1.aarch64.rpm golang-1.17.3-18.oe2203.aarch64.rpm golang-1.17.3-18.oe2203sp1.aarch64.rpm golang-devel-1.15.7-27.oe1.noarch.rpm golang-help-1.15.7-27.oe1.noarch.rpm golang-help-1.15.7-27.oe1.noarch.rpm golang-devel-1.15.7-27.oe1.noarch.rpm golang-help-1.17.3-18.oe2203.noarch.rpm golang-devel-1.17.3-18.oe2203.noarch.rpm golang-devel-1.17.3-18.oe2203sp1.noarch.rpm golang-help-1.17.3-18.oe2203sp1.noarch.rpm golang-1.15.7-27.oe1.src.rpm golang-1.15.7-27.oe1.src.rpm golang-1.17.3-18.oe2203.src.rpm golang-1.17.3-18.oe2203sp1.src.rpm golang-1.15.7-27.oe1.x86_64.rpm golang-1.15.7-27.oe1.x86_64.rpm golang-1.17.3-18.oe2203.x86_64.rpm golang-1.17.3-18.oe2203sp1.x86_64.rpm Templates containing actions in unquoted HTML attributes (e.g. attr={{.}} ) executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. 2023-05-26 CVE-2023-29400 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 High 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L golang security update 2023-05-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1294 Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a / character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. 2023-05-26 CVE-2023-24539 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 High 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L golang security update 2023-05-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1294 Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set t n f r u0020 u2028 u2029 in JavaScript contexts that also contain actions may not be properly sanitized during execution. 2023-05-26 CVE-2023-24540 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N golang security update 2023-05-26 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1294