Does this issue reproduce with the latest release?
What operating system and processor architecture are you using (go env)?
go env Output
$ go env
What did you do?
What did you expect to see?
What is the fix plan for the CVE-2020-29510 vulnerability in go1.14?
What did you see instead?
shgsky changed the title from "What is the fix plan for the CVE-2020-29510 vulnerability in go1.14?" to "encoding/xml:What is the fix plan for the CVE-2020-29510 vulnerability in go1.14?" on Dec 16, 2020
Related, #43168. That's more about what we should do for 1.16. I think it would be a tall order to backport the solutions being talked about to 1.14, they seem pretty large and/or invasive.
The plan is not to backport anything to Go 1.14. (Otherwise we'd have done a security release already.)
We are willing to look into ways to make encoding/xml more helpful to clients generally, but security-critical uses of XML should be using their own code instead of admitting all of encoding/xml into their security perimeters.
If you are using one of the affected SAML libraries, the solution is to update to the latest version of that library. Because we didn't make any changes in Go 1.14 or Go 1.15, the update should work regardless of which Go version you are using.