126 matches found
CentOS 8 : go-toolset:rhel8 (CESA-2021:3076)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:3076 advisory. - golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader CVE-2021-27918 - golang: net/http: panic in ReadRequest...
golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
An infinite loop vulnerability was found in golang. If an application supplies a custom TokenReader to xml.NewTokenDecoder, the decoder's parsing loop may never return. An attacker could potentially craft a malicious XML document that causes the TokenReader to return EOF inside an open element,...
EulerOS 2.0 SP5 : golang (EulerOS-SA-2021-2217)
According to the version of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the...
EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2061)
According to the version of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the...
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2021-2050)
The remote host is missing an update for the Huawei EulerOS golang package. (SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only)...
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2021-1980)
The remote host is missing an update for the Huawei EulerOS golang package. (SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only)...
EulerOS 2.0 SP8 : golang (EulerOS-SA-2021-1980)
According to the version of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the...
GHSA-4HQ8-GMXX-H6W9 XML Processing error in github.com/crewjam/saml
Impact: There are three vulnerabilities in the Go encoding/xml package that can allow an attacker to forge part of a signed XML document. For details on this vulnerability see xml-roundtrip-validator. Patches: In version 0.4.3, all XML input is validated prior to being parsed...
Oracle Linux 8 : olcne (ELSA-2021-9267)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-9267 advisory. - Address CVE-2021-27918 coredns - Fix for CVE-2021-27918 - Address CVE-2021-27918 etcd - Address CVE-2021-27918 flannel - Address CVE-2021-27918 - Address...
Oracle Linux 7 : olcne (ELSA-2021-9268)
The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-9268 advisory. - Fix for CVE-2021-27918 - Address CVE-2021-27918 etcd - Address CVE-2021-27918 flannel - Address CVE-2021-27918 yq - Address CVE-2021-27918 conmon - Address...
OESA-2021-1184 golang security update
Security Fixes: encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method (CVE-2021-27918)...
GO-2020-0050 XML digital signature validation bypass in github.com/russellhaering/goxmldsig
Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed...
EulerOS 2.0 SP5 : golang (EulerOS-SA-2021-1678)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection (CVE-2020-28366) - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument...
CVE-2021-27918
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method...
FreeBSD : go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open (72709326-81f7-11eb-950a-00155d646401)
The Go project reports : The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element. The Reader.Open API, new in Go 1.16, will panic...
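The trigger condition described in the Go project report above is a custom xml.TokenReader that reports io.EOF while an element is still open. The following is an added example, not code from the Go project or from any advisory listed here: a constructed token stream that ends inside an unclosed <doc> element, and a wrapper TokenReader (balancedTokenReader, a name chosen for this example) that counts element depth and turns a mid-element EOF into io.ErrUnexpectedEOF, so Decode, DecodeElement and Skip surface a hard error on any Go toolchain. The Doc type, the token sequences and the helper names are all assumptions made for the example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// Doc is the constructed target type for <doc><name>x</name></doc>.
type Doc struct {
	XMLName xml.Name `xml:"doc"`
	Name    string   `xml:"name"`
}

// sliceTokenReader is a constructed xml.TokenReader that replays a fixed
// token sequence and then reports io.EOF, like a streaming tokenizer whose
// upstream input was cut off.
type sliceTokenReader struct {
	toks []xml.Token
	pos  int
}

func (r *sliceTokenReader) Token() (xml.Token, error) {
	if r.pos >= len(r.toks) {
		return nil, io.EOF
	}
	t := r.toks[r.pos]
	r.pos++
	return t, nil
}

// balancedTokenReader wraps any xml.TokenReader and tracks element depth.
// If the inner reader returns io.EOF while elements are still open, it
// returns io.ErrUnexpectedEOF (wrapped with the open depth) instead of a
// bare EOF, so the decoder cannot mistake truncation for a clean end.
type balancedTokenReader struct {
	inner xml.TokenReader
	depth int
}

func (b *balancedTokenReader) Token() (xml.Token, error) {
	t, err := b.inner.Token()
	if t != nil {
		// A TokenReader may hand back a token together with io.EOF; count
		// the token and pass it through, the EOF is seen again on the next call.
		switch t.(type) {
		case xml.StartElement:
			b.depth++
		case xml.EndElement:
			b.depth--
		}
		return t, err
	}
	if errors.Is(err, io.EOF) && b.depth > 0 {
		return nil, fmt.Errorf("token stream ended with %d element(s) still open: %w",
			b.depth, io.ErrUnexpectedEOF)
	}
	return nil, err
}

func localName(s string) xml.Name { return xml.Name{Local: s} }

// truncatedStream opens <doc>, emits a complete <name>x</name>, and then
// ends without ever closing <doc>: the CVE-2021-27918 trigger condition.
func truncatedStream() xml.TokenReader {
	return &sliceTokenReader{toks: []xml.Token{
		xml.StartElement{Name: localName("doc")},
		xml.StartElement{Name: localName("name")},
		xml.CharData("x"),
		xml.EndElement{Name: localName("name")},
	}}
}

// completeStream is the same document with <doc> properly closed.
func completeStream() xml.TokenReader {
	return &sliceTokenReader{toks: []xml.Token{
		xml.StartElement{Name: localName("doc")},
		xml.StartElement{Name: localName("name")},
		xml.CharData("x"),
		xml.EndElement{Name: localName("name")},
		xml.EndElement{Name: localName("doc")},
	}}
}

// decodeWith decodes one Doc from r through xml.NewTokenDecoder. With guard
// set, r is wrapped in balancedTokenReader. Without the guard, decoding
// truncatedStream on a Go toolchain older than 1.15.9 / 1.16.1 may never return.
func decodeWith(r xml.TokenReader, guard bool) (Doc, error) {
	if guard {
		r = &balancedTokenReader{inner: r}
	}
	var d Doc
	err := xml.NewTokenDecoder(r).Decode(&d)
	return d, err
}

func main() {
	d, err := decodeWith(completeStream(), true)
	fmt.Printf("complete:  name=%q err=%v\n", d.Name, err)
	_, err = decodeWith(truncatedStream(), true)
	fmt.Printf("truncated: err=%v (unexpected EOF: %t)\n", err, errors.Is(err, io.ErrUnexpectedEOF))
}
```

The wrapper is deliberately placed in front of the decoder rather than around it: a timeout on the Decode call would only limit the damage, while the depth check removes the ambiguous bare-EOF signal that the affected decoder versions mishandle. Upgrading the toolchain is still the fix; the wrapper is defence in depth for code that must accept attacker-supplied token streams.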
EulerOS Virtualization 3.0.6.6 : golang (EulerOS-SA-2021-1480)
According to the versions of the golang packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. CVE-2020-28366 - Go before 1.14.12 and 1.15.x before 1.15.5...
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2021-1480)
The remote host is missing an update for the Huawei EulerOS golang package. (SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only)...
EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-1006)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The encoding/xml package in all versions of Go does not correctly preserve the semantics of attribute namespace prefixes during tokenization...