Rolandshoemaker

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.23.6 Go versions prior to 1.22.12 **Description** The issue concerns a security fix in the crypto/elliptic module. Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. However, it is believed that this leakage is not enough to allow recovery of the private key when P-256 is used in any well-known protocols. **Recommendations** For Go versions prior to 1.23.6, update to version 1.23.6 to resolve the issue. For Go versions prior to 1.22.12, update to version 1.22.12 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.23.1 and 1.22.1 **Description** The issue is related to the Parse function in the Go programming language, which can cause a panic due to stack exhaustion when dealing with deeply nested literals in Go source code. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Go versions prior to 1.23.1, update to version 1.23.1 or later. For Go versions prior to 1.22.1, update to version 1.22.1 or later.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.23.1 Go versions prior to 1.22.7 **Description** The issue is related to the Parse function in the Go programming language, which can cause a panic due to stack exhaustion when dealing with deeply nested expressions in a "// +build" build tag line. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Go versions prior to 1.23.1, update to version 1.23.1 or later. For Go versions prior to 1.22.7, update to version 1.22.7 or later.

**Name of the Vulnerable Software and Affected Versions** net/html library (affected versions not specified) **Description** The issue arises from text nodes not in the HTML namespace being incorrectly literally rendered, causing text that should be escaped to not be. This could lead to an XSS attack. The vulnerability exists due to a lack of protection for the web page structure, potentially allowing a remote attacker to conduct cross-site scripting attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.21.2 Go versions prior to 1.20.9 **Description** The issue is related to the "//line" directive in the Go programming language, which can be exploited to bypass restrictions on "//go:cgo " directives. This allows blocked linker and compiler flags to be passed during compilation, potentially resulting in the unexpected execution of arbitrary code when running "go build". The exploitation of this issue is complex due to the requirement for the absolute path of the file in which the directive lives. **Recommendations** For Go versions prior to 1.21.2, update to version 1.21.2 or later to resolve the issue. For Go versions prior to 1.20.9, update to version 1.20.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the "//line" directive until a patch is available.