ALT-BU-2018-3457-1
Branch p8 update bulletin.
Closed vulnerabilities
BDU:2018-00493
Уязвимость реализации команды «go get» языка программирования Go, позволяющая нарушителю выполнять произвольные команды
BDU:2019-00903
Уязвимость реализации команды «go get» программного пакета Go, позволяющая нарушителю удаленно выполнить команду «go get»
Modified: 2024-11-21
CVE-2018-6574
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
- RHSA-2018:0878
- RHSA-2018:0878
- RHSA-2018:1304
- RHSA-2018:1304
- https://github.com/golang/go/issues/23672
- https://github.com/golang/go/issues/23672
- https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
- https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
- https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
- https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
- https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
- https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
- DSA-4380
- DSA-4380
Modified: 2024-11-21
CVE-2018-7187
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
- https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc
- https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc
- https://github.com/golang/go/issues/23867
- https://github.com/golang/go/issues/23867
- [debian-lts-announce] 20180225 [SECURITY] [DLA 1294-1] golang security update
- [debian-lts-announce] 20180225 [SECURITY] [DLA 1294-1] golang security update
- GLSA-201804-12
- GLSA-201804-12
- DSA-4379
- DSA-4379
- DSA-4380
- DSA-4380
Closed vulnerabilities
BDU:2023-01499
Уязвимость реализации протокола синхронизации времени NTP межсетевого экрана Eltex «ESR-200», позволяющая нарушителю выполнить вредоносный код или повысить свои привилегии в системе
Modified: 2024-11-21
CVE-2018-12327
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.
- 104517
- 104517
- RHSA-2018:3853
- RHSA-2018:3853
- RHSA-2018:3854
- RHSA-2018:3854
- RHSA-2019:2077
- RHSA-2019:2077
- https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f
- https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f
- GLSA-201903-15
- GLSA-201903-15
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us
- USN-4229-1
- USN-4229-1
- 44909
- 44909
Package multipath-tools updated to version 0.7.4-alt1.M80P.1 for branch p8 in task 212600.
Closed bugs
Неправильный pid-файл в /etc/rc.d/init.d/multipathd
Порядок загрузки multipathd и open-iscsi -- sysvinit