SecurityHome.eu [gentoo-announce] [ GLSA 201812-09 ] Go: Multiple vulnerabilities

Home / mailings PDF

[gentoo-announce] [ GLSA 201812-09 ] Go: Multiple vulnerabilities
Posted on 21 December 2018
Gentoo-announce
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--K3RyAmd70woAHmro0j7eYYONkBgpLvdS7
Content-Type: multipart/mixed; boundary="ZfBFKNaGXA5mOuqNHtMBwfJU7XE1dk0Kb";
protected-headers="v1"
From: Mikle Kolyada <zlogene@gentoo.org>
To: gentoo-announce@lists.gentoo.org
Message-ID: <07cb88eb-aade-d606-84a6-e23876ef364f@gentoo.org>
Subject: [ GLSA 201812-09 ] Go: Multiple vulnerabilities

--ZfBFKNaGXA5mOuqNHtMBwfJU7XE1dk0Kb
Content-Type: multipart/mixed;
boundary="------------84DFD464E808500A87F476B5"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------84DFD464E808500A87F476B5
Content-Type: multipart/alternative;
boundary="------------851620759308F8A57B1E8B6F"

--------------851620759308F8A57B1E8B6F
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201812-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Go: Multiple vulnerabilities
Date: December 21, 2018
Bugs: #673234
ID: 201812-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
Multiple vulnerabilities have been found in Go, the worst which could
lead to the execution of arbitrary code.

Background
==========
Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/go < 1.10.7 >= 1.10.7

Description
===========
Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======
A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages the 'go get -u' command.

The remote attacker could also craft pathological inputs causing a CPU
based Denial of Service condition via the crypto/x509 package.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Go users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/go-1.10.7"

References
==========
[ 1 ] CVE-2018-16873
https://nvd.nist.gov/vuln/detail/CVE-2018-16873
[ 2 ] CVE-2018-16874
https://nvd.nist.gov/vuln/detail/CVE-2018-16874
[ 3 ] CVE-2018-16875
https://nvd.nist.gov/vuln/detail/CVE-2018-16875

Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201812-09

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======
Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

--------------851620759308F8A57B1E8B6F
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=UTF=-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<pre style="color: rgb(0, 0, 0); font-style: normal; font-variant-l=igatures: normal; font-variant-caps: normal; font-weight: 400; letter-spa=cing: normal; orphans: 2; text-align: start; text-indent: 0px; text-trans=form: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;= text-decoration-style: initial; text-decoration-color: initial; overflow=-wrap: break-word; white-space: pre-wrap;">- - - - - - - - - - - - - - - =- - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201812-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<a class="moz-txt-link-freet=ext" href="https://security.gentoo.org/">https://security.gentoo.org/</=a>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Go: Multiple vulnerabilities
Date: December 21, 2018
Bugs: #673234
ID: 201812-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
Multiple vulnerabilities have been found in Go, the worst which could
lead to the execution of arbitrary code.

Background
==========
Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/go < 1.10.7 >= 1.=10.7

Description
===========
Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======
A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages the 'go get -u' command.

The remote attacker could also craft pathological inputs causing a CPU
based Denial of Service condition via the crypto/x509 package.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Go users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/go-1.10.7"

References
==========
[ 1 ] CVE-2018-16873
<a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vul=n/detail/CVE-2018-16873">https://nvd.nist.gov/vuln/detail/CVE-2018-16873<=/a>
[ 2 ] CVE-2018-16874
<a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vul=n/detail/CVE-2018-16874">https://nvd.nist.gov/vuln/detail/CVE-2018-16874<=/a>
[ 3 ] CVE-2018-16875
<a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vul=n/detail/CVE-2018-16875">https://nvd.nist.gov/vuln/detail/CVE-2018-16875<=/a>

Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

<a class="moz-txt-link-freetext" href="https://security.gentoo.org/g=lsa/201812-09">https://security.gentoo.org/glsa/201812-09</a>

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
<a class="moz-txt-link-abbreviated" href="mailto:security@gentoo.org"=>security@gentoo.org</a> or alternatively, you may file a bug at
<a class="moz-txt-link-freetext" href="https://bugs.gentoo.org">https=://bugs.gentoo.org</a>.

License
=======
Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

<a class="moz-txt-link-freetext" href="https://creativecommons.org/li=censes/by-sa/2.5">https://creativecommons.org/licenses/by-sa/2.5</a></pre=>
</body>
</html>

--------------851620759308F8A57B1E8B6F--

--------------84DFD464E808500A87F476B5
Content-Type: application/pgp-keys;
name="0x3E7E1C21A9D14B97.asc"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="0x3E7E1C21A9D14B97.asc"

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFtCkdwBCAC7LGb65KM8ZhysEDzbBnggTsUMXMZ3pJWFQtLaxm8f99p2HL9G
FcEP94A6BXExWzMcIba/AdL0ogU2mS/Jbs7DHUFVRT3yQDtiq+md5h3hZvi52QyR
lELWG9ElDLuUse5E58WJgLx+SXD5qgUowqTgCzNbXAJQNKQtNWIC+Zy29m53Xj8y
BnRsRuwd0kO/Zn7DJL5dCKL2ItzfJNpG5MTayLyNkl3QgCqPPFsQEd7aqqqhxq1p
n/dwX22vyMJwsv/6SV5vaNTYSg9p8hVnr3mLVYg6/UIvwAIgNJKhQlG1bkoOq5+j
gq8a7GdRUeY8fHSqLERucmal8fBqWmvZH+jRABEBAAG0Ik1pa2xlIEtvbHlhZGEg
PHpsb2dlbmVAZ2VudG9vLm9yZz6JAVQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYC
AwECHgECF4AWIQRRPEwdu6XuhrjZQ70+fhwhqdFLlwUCW2fApgUJBEPeygAKCRA+
fhwhqdFLl7CeB/9qYF51wrMuzpLW/znrH0YZmYo9pm7kmLxbWezJH74hH97rJOer
X+RoNR0nAGrBdZzObiHWhXah5BFrln8Fyv8oE5IDnO9OCN+PE8hXSSSYv6VvtNX6
FXgMaqvRXC5kd1/ugvpPmwbbfTp0uasRATjlsXSfb7FAMLAcP2lYbv1dFA2mUHNC
tFtIg7Zu+KJTXyeNwPEXrMtgt4j3zL96Drq1AOxkR5D5pPYnzJG+xrOpRoarXVjC
I6MsYYKd+E6WRQPIgkeY4mxKFBK3sSNQMAY+FNiWNK3G4529zCLzekv4KQHDSRnf
OhfevOogiUCnNUWl9pRDI7uRfSjP0JZwwLi2iQFUBBMBCAA+FiEEUTxMHbul7oa4
2UO9Pn4cIanRS5cFAltCkdwCGwMFCQWjmoAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AACgkQPn4cIanRS5dyZAgAhPdVONCC3WnRpGu6wQjPEbuzD002MxSPgLwXDprG
yc1DW03YkDP2AdDpLCq7t6nYbsqkhptUOlAFPuIHTGHQayCJPRUCV9prhHywjAKL
FOwwWrhqDF6L+noQ1/G6E4UjtCCz+wvM0P0xo/NuNsdJCFMAT2OzheuMgD96H5UB
ypC2437zGof+s2a3SydM1nlDrr95slJbjQw8uqleGXmZc/d862R45cDGahnjoCyA
Cr6tt3ZySTWPokJujhDjCAmvcyQj/bKfSnL3ebdEtVybwLmyF1mOzlx5Pon2smkO
gT0y5wcsaIJ6lLViGf6dDpMUefec78XnGxBxwldB+WzEarkBDQRbQpIkAQgApF3j
Xmo4Pn+lygxiTh58TLNz1Hmmqsd+sEZHr81o2NtFcM0mDqts53Vz//Us+5qyXNmk
EV0gH20nib7CJxv48gSN789i5uqUcdxZMx2rY5YuZRIbTOgkCKX2fUadfGIiX645
2of91HrAXpGwTqLsUL+tfPM/x3YpaLeqKb4da3dbARO7oAfcOxNdXvdm0S37swsW
v4ChLtgpx9/M6uT0FLxVcUWLinlVw2khWXPSBTbsrE1uRGTmqMC+sHnmBZLQoZrz
kf1pUlgSJJq6kUsKiVqI9MNlQ7f6cwBNEbUNYM7THKcyji0n8j64D991AG+1WP34
zsKIIKhUtL93RII/8wARAQABiQJyBBgBCAAmFiEEUTxMHbul7oa42UO9Pn4cIanR
S5cFAltCkiQCGwIFCQHhM4ABQAkQPn4cIanRS5fAdCAEGQEIAB0WIQRabIEacj4S
KHDp03wcgJAkipWXxwUCW0KSJAAKCRAcgJAkipWXx9DMB/9326kinWmCwELyJ7x/
A3qZUyIT+7jguKbJYGb8bzXdrS63FggbXSgEZCiOrQu45otEGb929nPCXum0PAg6
5uu8BfLq4ZjRI6757TmwpLvfQ+bkChGwHHZQN0EieDdeX/3oWUhLyMMsNiBiHQVN
egpvpM2htYkPxxpoVLUYL+IOKXwBoVlxM8u0+10OkLat1DM4d+WhWMOT3cJkNQQZ
v85dJ86c2T3eZ9c6gK7ZCbBv5so55q9Q9/n7I2I8XPPX+S2e4ZdmuCyiNFTab6mL
IPfNbGKwu4Muo/wZKpik2m3UnJFNdfr4Wo5wakW/92Kd44lcUlpFfBWzTPcjBdiv
f3hrfkoH/RO3h3SF6lomAOuRpsQ5VRP6uSteksXBdsQRmjTnRH6+q5W4FGpAar1S
D5nt+3ZoKINqVbIsFYMWk5eykIXTT0Y16rSNqR+RprH02DpF9bKJDYUsDSJy6Oar
3sxx+3M+FUXODrqz5OrH3gkbFg569NyNNf+xESm1F1x3lIwMwAl87/BKy96PW/NM
65s8XsEZKdf9XEhxLY8nPDcbEsUd3nCP82QlDaBA10wheYzY7gSvAx1f88X5yLyg
dZc6Fo2b+9ezviNdtiqsrIPb3mAbdv65jY/muxfbX4GWCnzEmbnoXfuNajim+4qQ
uqku4L0JTMOsjCPq9BkHQd1Kx1rnRBO5AQ0EW0KT9AEIAK6E3GSqIPUE962Bejw1
kVZNTAbCYAzOV5dmpmaj+U1ThMF4EDbun+a8LHwDUagnbEn4Z96HWJj1qGMtYUQh
WXl3AxHOpebRuSURrfUiMawhT7H536WNoeZZfcnMYr3in94PsVDu9lBLQ2Pe/VtC
2dv8cQzmlneVxirfg5p3LMeLzJLQoueGuDNyVpyyan8eZz+4CFlzas6hBFBSGdjW
yRaT7vPY284JVXIH6Vlag4q5zpNe8IdQteWBZGR5XpPhK8G7H0toRhEqqSUbuatz
GrWFmL1cBoApHbTkcFoLlSnQUt7DhKPiBSLHJIJZ0d5avhJV43ur1RaqXCQAdCvQ
DDEAEQEAAYkBPAQYAQgAJhYhBFE8TB27pe6GuNlDvT5+HCGp0UuXBQJbQpP0AhsM
BQkB4TOAAAoJED5+HCGp0UuXw5oIALku6SiOXMKD6GwsNdIa3TNqPvnVkZ1SNxGS
RTxShuMnnu0aoG/KeX+ymNyZxmuC4UFKcD/7E4p8YLqRzOvwfg46QAhTyibBLWuK
RxDZDNh9PHmEiWFVwpdUIk661HeGBt2ecoQGGS77Hw7AayqS8KdHPRPzi/AWGe9i
9WDg2fYf+w510ENlBrpukhlKmlvVHaxzg/D3O58Yuh3TYMvXp48WCtxbnnYea14i
JfBhLHn8Nm7xHCD8diH9FcNo1k0PI7lgT9dF8/dDuiR8SgYr+iMd6YHmIOLvlE9L
AKvVzNMR7BkcZAFz7JlEYdVei6zFeeoWWTwwBRa6JcmeBW0x5Wo==k4pb
-----END PGP PUBLIC KEY BLOCK-----

--------------84DFD464E808500A87F476B5--

--ZfBFKNaGXA5mOuqNHtMBwfJU7XE1dk0Kb--

--K3RyAmd70woAHmro0j7eYYONkBgpLvdS7
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

TOP

Mailings :

Last 20

Exploits :

Last 20