The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit. Upstream Issue: https://github.com/golang/go/issues/27016 https://bugs.chromium.org/p/chromium/issues/detail?id=829668 Upstream Patch: https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50
Created heketi tracking bugs for this issue: Affects: epel-6 [bug 1633045] Affects: fedora-all [bug 1633044] Created kompose tracking bugs for this issue: Affects: fedora-all [bug 1633043] Created origin tracking bugs for this issue: Affects: fedora-all [bug 1633042]
Created golang-googlecode-net tracking bugs for this issue: Affects: epel-6 [bug 1639107] Affects: fedora-all [bug 1639106]
RHEL7 (source from roughly 2014) not affected by reproducer. Most likely occurred when the template changes were merged in 2017. (guessing https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622) Source analysis doesn't hint that this may be affected either, missing template etc.
OpenStack OpTools 8/9 grafana versions do not include net/html, which includes the flawed code. OpenStack OpTools 9 golang-googlecode-net does not have the flawed code (already fixed).
Kompose was in DevTools as part of devsuite. Devsuite is now retired (https://developers.redhat.com/products/devsuite/overview/)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17075