The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit.
Created heketi tracking bugs for this issue:
Affects: epel-6 [bug 1633045]
Affects: fedora-all [bug 1633044]
Created kompose tracking bugs for this issue:
Affects: fedora-all [bug 1633043]
Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1633042]
Created golang-googlecode-net tracking bugs for this issue:
Affects: epel-6 [bug 1639107]
Affects: fedora-all [bug 1639106]
RHEL7 (source from roughly 2014) not affected by reproducer. Most likely occurred when the template changes were merged in 2017. (guessing https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622)
Source analysis doesn't hint that this may be affected either, missing template etc.
OpenStack OpTools 8/9 grafana versions do not include net/html, which includes the flawed code. OpenStack OpTools 9 golang-googlecode-net does not have the flawed code (already fixed).
Kompose was in DevTools as part of devsuite. Devsuite is now retired (https://developers.redhat.com/products/devsuite/overview/)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):