Source: golang-x-text Version: 0.3.2-1 Severity: grave Tags: security upstream Forwarded: https://github.com/golang/go/issues/39491 Control: clone -1 -2 Control: reassign -2 src:golang-golang-x-text 0.3.2-4 Control: retitle -2 golang-golang-x-text: CVE-2020-14040
Hi, The following vulnerability was published for golang-x-text and golang-golang-x-text. CVE-2020-14040[0]: | Go version v0.3.3 of the x/text package fixes a vulnerability in | encoding/unicode that could lead to the UTF-16 decoder entering an | infinite loop, causing the program to crash or run out of memory. An | attacker could provide a single byte to a UTF16 decoder instantiated | with UseBOM or ExpectBOM to trigger an infinite loop if the String | function on the Decoder is called, or the Decoder is passed to | golang.org/x/text/transform.String. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-14040 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040 [1] https://github.com/golang/go/issues/39491 [2] https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e [3] https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0 Please adjust the affected versions in the BTS as needed. Regards, Salvatore