CVE-2023-3978

Name: CVE-2023-3978
Description: Text nodes not in the HTML namespace are incorrectly rendered literally, so text that should be escaped is not. This could lead to an XSS attack.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1043163
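As an added illustration (not code from the Debian tracker or from golang.org/x/net), a toy model of the serializer decision the description refers to: the vulnerable check keys only on the parent element's name, while the fixed check also requires the parent to be in the HTML namespace. The Node type, the raw-text element list and the sample tree are constructed for this example.

```go
package main

import (
	"fmt"
	"html"
)

// Minimal model of a parse-tree node; constructed for this example, not the
// golang.org/x/net/html Node type.
type Node struct {
	Data      string // element name for elements, text content for text nodes
	Namespace string // "" for HTML elements, "svg" or "math" for foreign content
	Parent    *Node
}

// Elements whose child text an HTML serializer writes unescaped, because a
// browser treats their content as raw text (assumed list for this example).
// That raw-text treatment only applies in the HTML namespace.
var rawTextParents = map[string]bool{
	"iframe": true, "noembed": true, "noframes": true, "noscript": true,
	"plaintext": true, "script": true, "style": true, "xmp": true,
}

// renderTextVulnerable models the pre-fix behaviour: the decision looks only at
// the parent's tag name, so text under an SVG <style> is also written literally.
func renderTextVulnerable(n *Node) string {
	if n.Parent != nil && rawTextParents[n.Parent.Data] {
		return n.Data
	}
	return html.EscapeString(n.Data)
}

// renderTextFixed adds the namespace check: literal output only when the parent
// is an element in the HTML namespace; everything else is escaped.
func renderTextFixed(n *Node) string {
	if n.Parent != nil && n.Parent.Namespace == "" && rawTextParents[n.Parent.Data] {
		return n.Data
	}
	return html.EscapeString(n.Data)
}

// svgStyleText builds the tree a parser produces for
// <svg><style>&lt;b&gt;</style></svg>: inside foreign content the entity is
// decoded, so the text node holds a literal "<b>" that must be re-escaped.
func svgStyleText() *Node {
	svg := &Node{Data: "svg", Namespace: "svg"}
	style := &Node{Data: "style", Namespace: "svg", Parent: svg}
	return &Node{Data: "<b>", Parent: style}
}

func main() {
	n := svgStyleText()
	fmt.Printf("vulnerable: <style>%s</style>\n", renderTextVulnerable(n)) // <style><b></style>
	fmt.Printf("fixed:      <style>%s</style>\n", renderTextFixed(n))      // <style>&lt;b&gt;</style>
}
```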

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
golang-golang-x-net (PTS) | bullseye | 1:0.0+git20210119.5f4716e+dfsg-4 | vulnerable
golang-golang-x-net (PTS) | bookworm | 1:0.7.0+dfsg-1 | vulnerable
golang-golang-x-net (PTS) | trixie | 1:0.23.0+dfsg-1 | fixed
golang-golang-x-net (PTS) | sid | 1:0.24.0+dfsg-1 | fixed
golang-golang-x-net-dev (PTS) | stretch (security), stretch (lts), stretch | 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1 | vulnerable
golang-golang-x-net-dev (PTS) | buster | 1:0.0+git20181201.351d144+dfsg-3 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
golang-golang-x-net | source | (unstable) | 1:0.14.0-1 | | | 1043163
golang-golang-x-net-dev | source | stretch | (unfixed) | end-of-life | |
golang-golang-x-net-dev | source | (unstable) | (unfixed) | | |

Notes

[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
[buster] - golang-golang-x-net-dev <postponed> (Limited support, follow bullseye DSAs/point-releases)
https://go.dev/cl/514896
https://go.dev/issue/61615
https://pkg.go.dev/vuln/GO-2023-1988
https://github.com/golang/net/commit/8ffa475fbdb33da97e8bf79cc5791ee8751fca5e (v0.13.0)