Name | CVE-2023-3978 |
Description | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1043163 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
golang-golang-x-net (PTS) | bullseye | 1:0.0+git20210119.5f4716e+dfsg-4 | vulnerable |
| bookworm | 1:0.7.0+dfsg-1 | vulnerable |
| sid, trixie | 1:0.27.0-1 | fixed |
golang-golang-x-net-dev (PTS) | stretch (security), stretch (lts), stretch | 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1 | vulnerable |
| buster | 1:0.0+git20181201.351d144+dfsg-3 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
[buster] - golang-golang-x-net-dev <postponed> (Limited support, follow bullseye DSAs/point-releases)
https://go.dev/cl/514896
https://go.dev/issue/61615
https://pkg.go.dev/vuln/GO-2023-1988
https://github.com/golang/net/commit/8ffa475fbdb33da97e8bf79cc5791ee8751fca5e (v0.13.0)