CVE-2023-29400

Name	CVE-2023-29400
Description	Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-1.11 (PTS)	buster	1.11.6-1+deb10u4	vulnerable
	buster (security)	1.11.6-1+deb10u7	vulnerable
golang-1.15 (PTS)	bullseye	1.15.15-1~deb11u4	vulnerable
golang-1.19 (PTS)	bookworm	1.19.8-2	vulnerable
golang-1.20 (PTS)	sid, trixie	1.20.11-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
golang-1.11	source	(unstable)	(unfixed)
golang-1.15	source	(unstable)	(unfixed)
golang-1.19	source	experimental	1.19.9-1
golang-1.19	source	(unstable)	1.19.10-2
golang-1.20	source	(unstable)	1.20.4-1

Notes

[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.15 <no-dsa> (Minor issue)
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
https://github.com/golang/go/issues/59722
https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 (go1.19.9)
https://github.com/golang/go/commit/337dd75343145b74ed2073d793322eb4103b56ad (go1.20.4)