update go to go1.20.4

[thaJeztah]

• relates to Bump go packaging#128 (comment)

go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved

release notes: https://go.dev/doc/devel/release#go1.20.4
full diff: golang/go@go1.20.3...go1.20.4

from the announcement:

These minor releases include 3 security fixes following the security policy:

• html/template: improper sanitization of CSS values

  Angle brackets (<>) were not considered dangerous characters when inserted
  into CSS contexts. Templates containing multiple actions separated by a '/'
  character could result in unexpectedly closing the CSS context and allowing
  for injection of unexpected HMTL, if executed with untrusted input.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

• html/template: improper handling of JavaScript whitespace

  Not all valid JavaScript whitespace characters were considered to be
  whitespace. Templates containing whitespace characters outside of the character
  set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
  actions may not be properly sanitized during execution.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

• html/template: improper handling of empty HTML attributes

  Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
  executed with empty input could result in output that would have unexpected
  results when parsed due to HTML normalization rules. This may allow injection
  of arbitrary attributes into tags.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

[codecov-commenter]

Codecov Report

Patch and project coverage have no change.

Comparison is base (f09e79d) 55.23% compared to head (fa89a70) 55.23%.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #281   +/-   ##
=======================================
  Coverage   55.23%   55.23%           
=======================================
  Files           9        9           
  Lines         668      668           
=======================================
  Hits          369      369           
  Misses        256      256           
  Partials       43       43           

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.