PyPi: Hugo

CVE-2023-24538

Transitive

Safety vulnerability ID: 63320

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 06, 2023 Updated at May 05, 2024

Advisory

Hugo 0.114.0 fixes the upstream Go templates bug with reversed key/value assignment and, in the same release, includes the upstream Go html/template security fix for CVE-2023-24538. The vulnerable pattern is a Go template action placed inside a JavaScript template literal (backticks): unpatched html/template did not treat the backtick as a string delimiter, so attacker-controlled data rendered by such an action could terminate the literal and inject JavaScript. The fixed library disallows template actions inside backticks by default (see https://github.com/golang/go/issues/59234); Hugo exposes the old behaviour behind `security.gotemplates.allowActionJSTmpl = true`, which reintroduces the risk.

Fix commit referenced by this advisory:
https://github.com/gohugoio/hugo/commit/ee359df172ece11989e9b1bf35c2d376f2608ac6
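The following Go program is an added example; it is not code from Hugo, from Go or from this advisory. It reproduces the template pattern behind CVE-2023-24538 with Go's standard html/template: a `{{.}}` action inside a JavaScript template literal, fed a constructed payload that closes the literal, runs a statement and comments out the rest. With an unpatched html/template (the behaviour Hugo's `allowActionJSTmpl = true` reinstates) the payload came through unescaped; Go 1.19.8 and 1.20.3 through Go 1.21 reject such a template at Execute time with ErrJSTemplate, and Go 1.22 and later accept it again but escape the backtick. The double-quoted form alongside it shows the string context that html/template has always escaped. The template strings, the payload and the `Neutralised` helper are all constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed attacker-controlled value. Inside a JS template literal the
// leading backtick closes the literal, "; alert(...)" runs as a statement,
// and "//" comments out whatever follows so the script still parses.
const payload = "`; alert(document.cookie); //"

// Vulnerable pattern behind CVE-2023-24538: a Go template action inside
// backticks. Unpatched html/template did not treat the backtick as a string
// delimiter, escaped the action for a bare JS context, and let the payload's
// backtick through verbatim.
const vulnerableTmpl = "<script>let msg = `{{.}}`;</script>"

// Safe pattern: the action sits inside an ordinary double-quoted JS string,
// a context html/template has always recognised. The JS string escaper
// rewrites delimiters and comment characters (for example / becomes \/).
const safeTmpl = "<script>let msg = \"{{.}}\";</script>"

// render parses one html/template source and executes it with v as data.
// Contextual escaping runs on the first Execute, which is where a patched
// html/template either refuses the backtick template (Go 1.20.3 to 1.21,
// ErrJSTemplate) or escapes the backtick (Go 1.22 and later).
func render(src, v string) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, v)
	return buf.String(), err
}

// RenderVulnerable renders the backtick template with the payload.
func RenderVulnerable() (string, error) { return render(vulnerableTmpl, payload) }

// RenderSafe renders the double-quoted template with the payload.
func RenderSafe() (string, error) { return render(safeTmpl, payload) }

// Neutralised reports whether the payload was stopped: either the template
// was refused, or the output no longer carries the payload verbatim because
// its delimiter or comment characters were escaped.
func Neutralised(out string, err error) bool {
	return err != nil || !strings.Contains(out, payload)
}

func main() {
	cases := []struct {
		name string
		fn   func() (string, error)
	}{
		{"backtick literal (CVE-2023-24538 pattern)", RenderVulnerable},
		{"double-quoted string (safe pattern)", RenderSafe},
	}
	for _, c := range cases {
		out, err := c.fn()
		fmt.Printf("%s\n  error: %v\n  output: %s\n  neutralised: %v\n",
			c.name, err, out, Neutralised(out, err))
	}
}
```

Run it with `go run` under the Go version you ship with: on Go 1.20.3 through 1.21 the first case prints an ErrJSTemplate error, on Go 1.22 and later it prints escaped output, and in both the payload is neutralised. In Hugo the equivalent of the backtick template is a layout file, and `allowActionJSTmpl` decides whether the build fails or the action is rendered the old way.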

Affected package

hugo

Latest version: 0.125.6

Binaries for the Hugo static site generator, installable with pip

Affected versions

< 0.114.0 (releases before the fix release named in the advisory)

Fixed versions

>= 0.114.0
Vulnerability changelog

The main new thing in this release is that we now support both major versions of the Dart Sass Embedded protocol, which means that you now can use the regular [Dart Sass](https://github.com/sass/dart-sass/releases) binary. We measured the new protocol to be [faster with high concurrency](https://github.com/bep/godartsass/pull/17):


```
name                             old time/op    new time/op    delta
Transpiler/SCSS-10               114µs ± 0%     145µs ± 1%     +26.40%  (p=0.029 n=4+4)
Transpiler/Start_and_Execute-10  25.6ms ± 2%    26.0ms ± 3%    ~        (p=0.486 n=4+4)
Transpiler/SCSS_Parallel-10      89.0µs ± 2%    44.4µs ± 3%    -50.12%  (p=0.029 n=4+4)

name                             old alloc/op   new alloc/op   delta
Transpiler/SCSS-10               1.33kB ± 1%    1.33kB ± 0%    ~        (p=1.000 n=4+4)
Transpiler/Start_and_Execute-10  22.4kB ± 1%    22.4kB ± 1%    ~        (p=0.886 n=4+4)
Transpiler/SCSS_Parallel-10      1.34kB ± 3%    1.33kB ± 1%    ~        (p=1.000 n=4+4)

name                             old allocs/op  new allocs/op  delta
Transpiler/SCSS-10               18.0 ± 0%      18.0 ± 0%      ~        (all equal)
Transpiler/Start_and_Execute-10  144 ± 1%       150 ± 0%       +4.16%   (p=0.029 n=4+4)
Transpiler/SCSS_Parallel-10      18.0 ± 0%      18.0 ± 0%      ~        (all equal)
```

We have also moved to a new log library and added some new [math functions](https://gohugo.io/functions/math/) and also revised the existing set to work better with a mix of scalars and slices.

Notes

* We have removed the flags `--log` and `--verboseLog`, added the new flag `--logLevel`, and deprecated `--verbose` and `--debug`. See 11088
* This release contains a security fix in the upstream Go HTML template library disallowing JavaScript inside backticks by default. See https://github.com/golang/go/issues/59234. If you really need this and are sure this isn't a security risk in your case, you can revert to the old behaviour:

```toml
[security]
  [security.gotemplates]
    allowActionJSTmpl = true
```


Bug fixes

* common/loggers: Drop the bold INFO etc. prefixes 6dfbd247 bep
* all: Fix some typos 68d9d3eb deining
* all: Fix typos in function names and comments 9009c8cd alexandear
* deploy: Fix deploy defaults for non-zero flag values (e.g. maxDeletes, invalidateCDN) 12dc9a6e bep 11127
* Fix upstream Go templates bug with reversed key/value assignment ee359df1 bep 11112
* tpl/collections: Fix append when appending a slice to a slice of slices d178fe94 bep 11093
* Fix .Width and .Height for animated gifs 21d17566 bep 11079
* Fix config merge regression with root slices (e.g. disableKinds) 60a2cdf7 bep 11089
* Fix handling of aliases (e.g. hugo serve) 0541a1b5 bep 11090
* commands,config: Fix typo in log and error messages b8526f32 alexandear
* Fix indented SASS imports for Dart Sass c782ebd8 bep 11074

Improvements

* Add empty Environ when loading test config 3ab84651 bep
* loggers: Avoid using Logf for the LevelLoggerToWriter f59c3c02 bep
* tocss/dartsas: Avoid using Logf for the internal Dart Sass logging 3ca29b15 bep
* helpers: Remove superfluous formatting flag in deprecation warnings fdb0b7fb bep
* common/loggers: Re-add trailing newline in logger.Printf 1b85303a bep 11130
* Replace the old log setup, with structured logging etc. 7c9fada7 bep 11124
* common/collections: Always make a copy of the input slice in Append f73c5675 bep 10458
* Re-add site.RSSLink (and deprecate it) 90b2674d bep 11110
* tpl/math: Allow variadic math functions to take slice args, add math.Product, math.Sum 2ba2271e bep 11030
* commands: Remove flags log, verboseLog, add flag logLevel, deprecate flags verbose and debug ef147f4e bep 9648 11071
* cache: Set default cache path based on $USER 258884f4 Sircular 7391
* resources: Remove failing and superfluous test assertion 69f0e88a bep
* helpers: Avoid url.Parse in RelURL and AbsURL if we can ed7e2500 bep
* Adjust benchmarks 6a09e7f2 bep
* Adjust benchmark 29e5cbb6 bep
* Add BenchmarkAbsURL ded68660 bep
* helpers: Improve schema detection when creating relative URLs e1d43021 jmooring 11080
* helpers: Add a basic benchmark for RelURL 5db215d4 bep
* config: Remove unexpected _merge keys introduced in author and social maps b7dc93ca bep 11083
* Upgrade to v2 of the Dart Sass Embedded Protocol f210188d bep 11059

Dependency Updates

* Revert "build(deps): bump gocloud.dev from 0.24.0 to 0.29.0" 59300faa bep
* Revert "deps: Update github.com/tdewolff/minify/v2 v2.12.5 => v2.12.6" 49dd53a4 bep 11132
* build(deps): bump github.com/evanw/esbuild from 0.18.3 to 0.18.4 8a04d47a dependabot[bot]
* build(deps): bump github.com/evanw/esbuild from 0.18.2 to 0.18.3 aaf2e969 dependabot[bot]
* build(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 0f989d5e dependabot[bot]
* build(deps): bump google.golang.org/api from 0.123.0 to 0.127.0 732dcb84 dependabot[bot]
* build(deps): bump golang.org/x/tools from 0.9.1 to 0.9.3 944859f1 dependabot[bot]
* build(deps): bump github.com/kyokomi/emoji/v2 from 2.2.11 to 2.2.12 bb9377b5 dependabot[bot]
* build(deps): bump github.com/getkin/kin-openapi from 0.117.0 to 0.118.0 e88f1b80 dependabot[bot]
* build(deps): bump golang.org/x/net from 0.10.0 to 0.11.0 516f0cb6 dependabot[bot]
* build(deps): bump gocloud.dev from 0.24.0 to 0.29.0 7bed16c3 dependabot[bot]
* build(deps): bump golang.org/x/image from 0.7.0 to 0.8.0 e08cfc8c dependabot[bot]
* build(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 48951956 dependabot[bot]
* build(deps): bump github.com/pelletier/go-toml/v2 from 2.0.6 to 2.0.8 91c0b0f7 dependabot[bot]
* build(deps): bump github.com/evanw/esbuild from 0.17.19 to 0.18.2 baef235d dependabot[bot]
* build(deps): bump go.uber.org/atomic from 1.10.0 to 1.11.0 254c2b32 dependabot[bot]
* build(deps): bump github.com/hairyhenderson/go-codeowners 84f71ba8 dependabot[bot]
* build(deps): bump github.com/frankban/quicktest from 1.14.4 to 1.14.5 82adc972 dependabot[bot]
* build(deps): bump github.com/mattn/go-isatty from 0.0.17 to 0.0.19 60533fdc dependabot[bot]
* build(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.5 261143bb dependabot[bot]

Documentation

* docs: Regen docshelper 9f98b3e7 bep
* docs: Regen CLI docs 7241b5fd bep

Build Setup

* Revert "snap: Transition base snap from core20 to core22 (11101)" (11125) 0e794465 jmooring 11116
* snap: Transition base snap from core20 to core22 (11101) 35e9b3ed jmooring


Severity Details

CVSS v3 Base Score: CRITICAL 9.8
Vector (from the metrics below): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH