---
- branch: MAIN
  date: Wed May  3 19:24:54 UTC 2023
  files:
  - new: '1.178'
    old: '1.177'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.178
    type: modified
  - new: '1.9'
    old: '1.8'
    path: pkgsrc/lang/go119/PLIST
    pathrev: pkgsrc/lang/go119/PLIST@1.9
    type: modified
  - new: '1.11'
    old: '1.10'
    path: pkgsrc/lang/go119/distinfo
    pathrev: pkgsrc/lang/go119/distinfo@1.11
    type: modified
  id: 20230503T192454Z.2b0e1c2209084755d9a5a5d7185b17fefeecb7bf
  log: |
    go119: update to 1.19.9 (security)

    This minor release includes 3 security fixes following the security policy:

    * html/template: improper sanitization of CSS values

      Angle brackets (<>) were not considered dangerous characters when inserted
      into CSS contexts. Templates containing multiple actions separated by a '/'
      character could result in unexpectedly closing the CSS context and allowing
      for injection of unexpected HMTL, if executed with untrusted input.

      Thanks to Juho Nurminen of Mattermost for reporting this issue.

      This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

    * html/template: improper handling of JavaScript whitespace

      Not all valid JavaScript whitespace characters were considered to be
      whitespace. Templates containing whitespace characters outside of the
      character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also
      contain actions may not be properly sanitized during execution.

      Thanks to Juho Nurminen of Mattermost for reporting this issue.

      This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

    * html/template: improper handling of empty HTML attributes

      Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
      executed with empty input could result in output that would have unexpected
      results when parsed due to HTML normalization rules. This may allow injection
      of arbitrary attributes into tags.

      Thanks to Juho Nurminen of Mattermost for reporting this issue.

      This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang'
  unixtime: '1683141894'
  user: bsiegert