x/net: bump x/text to v0.3.5 to fix CVE-2020-28852 #43983

sfowl · 2021-01-29T07:47:26Z

On master:

$ grep text golang.org/x/net/go.mod 
	golang.org/x/text v0.3.3

I don't believe the vulnerable functions from x/text/language are used in x/net, though this will be helpful for consumers of x/net that may be erroneously flagged by scanners as missing the fix for this CVE.

#42536 (comment)

The text was updated successfully, but these errors were encountered:

bcmills · 2021-01-29T21:26:47Z

CC @golang/release

toothrot · 2021-01-29T21:43:03Z

also /cc @bradfitz @ianlancetaylor

gopherbot · 2021-04-09T10:17:52Z

Change https://golang.org/cl/308869 mentions this issue: go.mod: bump golang.org/x/text to v0.3.6

Fixes golang/go#43983 Change-Id: I518aacabf11bdbc4013dcf46ef5bf1c10fa5720c Reviewed-on: https://go-review.googlesource.com/c/net/+/308869 Trust: Tobias Klauser <tobias.klauser@gmail.com> Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>

gopherbot added this to the Unreleased milestone Jan 29, 2021

toothrot added the NeedsFix The path to resolution is known, but the work has not been done. label Jan 29, 2021

gopherbot closed this as completed in golang/net@afb366f Apr 10, 2021

golang locked and limited conversation to collaborators Apr 10, 2022

gopherbot added the FrozenDueToAge label Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/net: bump x/text to v0.3.5 to fix CVE-2020-28852 #43983

x/net: bump x/text to v0.3.5 to fix CVE-2020-28852 #43983

sfowl commented Jan 29, 2021

bcmills commented Jan 29, 2021

toothrot commented Jan 29, 2021

gopherbot commented Apr 9, 2021

x/net: bump x/text to v0.3.5 to fix CVE-2020-28852 #43983

x/net: bump x/text to v0.3.5 to fix CVE-2020-28852 #43983

Comments

sfowl commented Jan 29, 2021

bcmills commented Jan 29, 2021

toothrot commented Jan 29, 2021

gopherbot commented Apr 9, 2021