Package: golang-golang-x-net / 1:0.0+git20210119.5f4716e+dfsg-4

Metadata

Package: golang-golang-x-net
Version: 1:0.0+git20210119.5f4716e+dfsg-4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
publicsuffix.patch

publicsuffix/gen.go | 17 6 + 11 - 0 !
1 file changed, 6 insertions(+), 11 deletions(-)

 avoid download on build time; use data from "publicsuffix" package.


CVE 2021 31525.patch

http/httpguts/httplex.go | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 [patch] http/httpguts: remove recursion in HeaderValuesContainsToken

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Fixes golang/go#45710

CVE 2021 33194.patch

html/parse.go | 24 23 + 1 - 0 !
html/parse_test.go | 22 22 + 0 - 0 !
2 files changed, 45 insertions(+), 1 deletion(-)

 html: ignore templates nested within foreign content

Fixes #46288
Fixes CVE-2021-33194