ALT Linux Team

Package golang update in sisyphus on 2018-05-05

ALT-PU-2018-1655-1

Package golang updated to version 1.10.2-alt1 for branch sisyphus in task 205551.

Closed vulnerabilities

Published: 2018-02-16

BDU:2018-00493

Уязвимость реализации команды «go get» языка программирования Go, позволяющая нарушителю выполнять произвольные команды

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2018-02-07

BDU:2019-00903

Уязвимость реализации команды «go get» программного пакета Go, позволяющая нарушителю удаленно выполнить команду «go get»

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-02-08
Modified: 2024-11-21

CVE-2018-6574

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

Severity: HIGH (7.8) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-02-16
Modified: 2024-11-21

CVE-2018-7187

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top