SB2019030413 - Fedora 28 update for golang-googlecode-net

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019030413

SB2019030413 - Fedora 28 update for golang-googlecode-net

Published: March 4, 2019 Updated: April 24, 2025

Security Bulletin ID SB2019030413
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2018-17143)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.


2) Input validation error (CVE-ID: CVE-2018-17142)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.


3) Input validation error (CVE-ID: CVE-2018-17075)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit.


4) Infinite loop (CVE-ID: CVE-2018-17846)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.


5) Input validation error (CVE-ID: CVE-2018-17847)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.


6) Improper Validation of Array Index (CVE-ID: CVE-2018-17848)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.


Remediation

Install update from vendor's website.

References