Amazon Linux 2023 Security Advisory: ALAS-2023-367
Advisory Release Date: 2023-09-27 21:06 Pacific
Advisory Updated Date: 2023-10-03 20:50 Pacific
Severity:
Medium
Issue Overview:
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. (CVE-2023-39318)
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. (CVE-2023-39319)
Affected Packages:
golang
Issue Correction:
Run dnf update golang --releasever 2023.2.20231002 to update your system.
New Packages:
aarch64:
golang-1.20.8-1.amzn2023.0.1.aarch64
golang-bin-1.20.8-1.amzn2023.0.1.aarch64
golang-shared-1.20.8-1.amzn2023.0.1.aarch64
noarch:
golang-docs-1.20.8-1.amzn2023.0.1.noarch
golang-misc-1.20.8-1.amzn2023.0.1.noarch
golang-src-1.20.8-1.amzn2023.0.1.noarch
golang-tests-1.20.8-1.amzn2023.0.1.noarch
src:
golang-1.20.8-1.amzn2023.0.1.src
x86_64:
golang-bin-1.20.8-1.amzn2023.0.1.x86_64
golang-1.20.8-1.amzn2023.0.1.x86_64
golang-shared-1.20.8-1.amzn2023.0.1.x86_64