reports: add GO-2021-0238 for CVE-2021-33194
Fixes golang/vulndb#238
Change-Id: I69710dc86740bb0a4753231e36374e7b4dbfed34
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377535
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/reports/GO-2021-0238.yaml b/reports/GO-2021-0238.yaml
new file mode 100644
index 0000000..98c8cb5
--- /dev/null
+++ b/reports/GO-2021-0238.yaml
@@ -0,0 +1,18 @@
+module: golang.org/x/net
+package: golang.org/x/net/html
+versions:
+- fixed: v0.0.0-20210520170846-37e1c6afe023
+description: |
+ An attacker can craft an input to ParseFragment that causes it
+ to enter an infinite loop and never return.
+cves:
+- CVE-2021-33194
+credit: discovered by OSS-Fuzz and reported by Andrew Thornton
+symbols:
+- inHeadIM
+links:
+ pr: https://go.dev/cl/311090
+ commit: https://go.googlesource.com/net/+/37e1c6afe02340126705deced573a85ab75209d7
+ context:
+ - https://go.dev/issue/46288
+ - https://groups.google.com/g/golang-announce/c/wPunbCPkWUg
