
encoding/xml: What is the fix plan for the CVE-2020-29510 vulnerability in go1.14? #43211

Closed
shgsky opened this issue Dec 16, 2020 · 2 comments

Comments

@shgsky

shgsky commented Dec 16, 2020

What version of Go are you using (go version)?

$ go version
go1.14.12

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

What did you do?

What did you expect to see?

What is the fix plan for the CVE-2020-29510 vulnerability in go1.14?

What did you see instead?

@shgsky shgsky changed the title What is the fix plan for the CVE-2020-29510 vulnerability in go1.14? encoding/xml:What is the fix plan for the CVE-2020-29510 vulnerability in go1.14? Dec 16, 2020
@randall77
Contributor

Related: #43168. That's more about what we should do for 1.16. I think it would be a tall order to backport the solutions being talked about to 1.14; they seem pretty large and/or invasive.

@rsc
Contributor

rsc commented Dec 16, 2020

The plan is not to backport anything to Go 1.14. (Otherwise we'd have done a security release already.)
We are willing to look into ways to make encoding/xml more helpful to clients generally, but security-critical uses of XML should be using their own code instead of admitting all of encoding/xml into their security perimeters.

If you are using one of the affected SAML libraries, the solution is to update to the latest version of that library. Because we didn't make any changes in Go 1.14 or Go 1.15, the update should work regardless of which Go version you are using.
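As an added example (editorial, not code from this issue, the affected SAML libraries, or the Go project): CVE-2020-29510 is one of the encoding/xml round-trip instability bugs disclosed in December 2020, where parsing a document, re-serialising it with encoding/xml, and parsing the result again does not necessarily yield the same document. The defender-side check below, written for this page, makes that property observable: it tokenises a document, re-encodes the tokens with `xml.Encoder`, tokenises again, and reports whether the two token streams agree. A consumer that validates one serialisation but acts on another is exposed exactly when this check fails, which is the reason rsc's comment advises keeping encoding/xml out of the security perimeter rather than relying on its canonical form. The function names (`tokenize`, `reencode`, `RoundTripStable`) and the sample documents are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
)

// tokenize reads every token from doc into a slice of independent copies.
// xml.CopyToken matters here: the decoder reuses its internal buffers, so
// CharData and Comment tokens would otherwise alias memory that is overwritten
// by the next call to Token.
func tokenize(doc []byte) ([]xml.Token, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var toks []xml.Token
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(tok))
	}
}

// reencode serialises a token stream with encoding/xml's own Encoder, which is
// what a library does when it "canonicalises" a parsed document before
// passing it on to another component.
func reencode(toks []xml.Token) ([]byte, error) {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, tok := range toks {
		if err := enc.EncodeToken(tok); err != nil {
			return nil, err
		}
	}
	if err := enc.Flush(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// RoundTripStable reports whether parse -> re-encode -> parse yields the same
// token stream as the first parse. A false result means the document a
// verifier saw and the document a consumer acts on can differ, which is the
// condition a round-trip instability bug turns into a security problem.
func RoundTripStable(doc []byte) (bool, error) {
	first, err := tokenize(doc)
	if err != nil {
		return false, fmt.Errorf("first parse: %w", err)
	}
	out, err := reencode(first)
	if err != nil {
		return false, fmt.Errorf("re-encode: %w", err)
	}
	second, err := tokenize(out)
	if err != nil {
		return false, fmt.Errorf("second parse: %w", err)
	}
	return reflect.DeepEqual(first, second), nil
}

func main() {
	// Constructed sample documents (not taken from the issue or any advisory).
	samples := []struct{ name, doc string }{
		{"plain", `<Response><Status>ok</Status></Response>`},
		{"comment", "<a>\n  <!-- note -->\n  <b x=\"1\">hi &amp; bye</b>\n</a>"},
	}
	for _, s := range samples {
		stable, err := RoundTripStable([]byte(s.doc))
		if err != nil {
			fmt.Printf("%s: error: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%s: round-trip stable = %v\n", s.name, stable)
	}
}
```

Both constructed samples are stable. The check is a diagnostic, not a fix: a document that fails it should be rejected outright by a security-sensitive consumer, and verification (for example of a signature) should always be done over the raw bytes that were actually received, never over a re-serialisation produced by encoding/xml.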

@rsc rsc closed this as completed Dec 16, 2020
@golang golang locked and limited conversation to collaborators Dec 16, 2021