search

docker / docker-credential-helpers

Programs to keep Docker login credentials safe by storing in platform keystores
MIT License
1.05k stars 166 forks source link

update go to go1.20.4 #281

Closed thaJeztah closed 1 year ago

thaJeztah commented 1 year ago

go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved

release notes: https://go.dev/doc/devel/release#go1.20.4 full diff: https://github.com/golang/go/compare/go1.20.3...go1.20.4

from the announcement:

These minor releases include 3 security fixes following the security policy:

  • html/template: improper sanitization of CSS values

    Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

  • html/template: improper handling of JavaScript whitespace

    Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

  • html/template: improper handling of empty HTML attributes

    Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

codecov-commenter commented 1 year ago

Codecov Report

Patch and project coverage have no change.

Comparison is base (f09e79d) 55.23% compared to head (fa89a70) 55.23%.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## master #281 +/- ## ======================================= Coverage 55.23% 55.23% ======================================= Files 9 9 Lines 668 668 ======================================= Hits 369 369 Misses 256 256 Partials 43 43 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.