Hello gophers, Version v0.3.8 of golang.org/x/text fixes a vulnerability in the golang.org/x/text/language package which could cause a denial of service.
An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue was discovered by OSS-Fuzz and reported to us by Adam Korczynski (ADA Logics), and is tracked as CVE-2022-32149 and https://go.dev/issue/56152. Cheers, Roland on behalf of the Go team -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CADAOFNQDrikAwrnvORhY8Ze14SBJdR_A4Tb%2B%3DOfq%3DnNZyC4wbA%40mail.gmail.com.
