Date: Tue, 1 Sep 2020 19:28:26 +0000 (UTC) From: Dmitri Goutnik <dmgk@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r547291 - head/security/vuxml Message-ID: <202009011928.081JSQZt049240@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dmgk Date: Tue Sep 1 19:28:26 2020 New Revision: 547291 URL: https://svnweb.freebsd.org/changeset/ports/547291 Log: security/vuxml: Document lang/go vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 1 19:24:29 2020 (r547290) +++ head/security/vuxml/vuln.xml Tue Sep 1 19:28:26 2020 (r547291) @@ -58,6 +58,44 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="67b050ae-ec82-11ea-9071-10c37b4ac2ea"> + <topic>go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified</topic> + <affects> + <package> + <name>go</name> + <range><lt>1.14.8,1</lt></range> + <range><ge>1.15,1</ge><lt>1.15.1,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Go project reports:</p> + <blockquote cite="https://github.com/golang/go/issues/40928"> + <p>When a Handler does not explicitly set the Content-Type header, both + CGI implementations default to “text/html”. If an attacker can make + a server generate content under their control (e.g. a JSON + containing user data or an uploaded image file) this might be + mistakenly returned by the server as “text/html”. If a victim visits + such a page they could get the attacker's code executed in the + context of the server origin. If an attacker can make a server + generate content under their control (e.g. a JSON containing user + data or an uploaded image file) this might be mistakenly returned by + the server as “text/html”. If a victim visits such a page they could + get the attacker's code executed in the context of the server + origin.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-24553</cvename> + <url>https://github.com/golang/go/issues/40928</url> + </references> + <dates> + <discovery>2020-08-20</discovery> + <entry>2020-09-01</entry> + </dates> + </vuln> + <vuln vid="38fdf07b-e8ec-11ea-8bbe-e0d55e2a8bf9"> <topic>ark -- extraction outside of extraction directory</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009011928.081JSQZt049240>