CVE-2017-15041
Go allows "go get" remote command execution. Using custom
domains, it is possible to arrange things so that
/pkg1 points to a Subversion repository but
/pkg1/pkg2 points to a Git repository. If the
Subversion repository includes a Git checkout in its pkg2
directory and some other work is done to ensure the proper
ordering of operations, "go get" can be tricked into reusing this
Git checkout for the fetch of code from pkg2. If the Subversion
repository's Git checkout has malicious commands in .git/hooks/,
they will execute on the system running "go get."
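
A defensive check for the layout described above, as an added example that is not part of the advisory or of the Go project: it walks a source tree (for instance a GOPATH src directory) and reports Git checkouts that sit inside a Subversion working copy or that carry hook files other than the stock *.sample templates. The names AuditTree and Finding are hypothetical, and treating every non-sample file in .git/hooks as worth review is an assumption of this sketch.

```go
package main
import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one Git checkout worth a manual look (hypothetical type).
type Finding struct {
	GitDir   string   // path of the .git directory
	OuterSVN string   // enclosing Subversion working copy, "" if none
	Hooks    []string // files in .git/hooks that are not *.sample templates
}
// AuditTree reports Git checkouts under root that are nested in an svn working copy or have non-sample hooks.
func AuditTree(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() || d.Name() != ".git" {
			return err
		}
		f := Finding{GitDir: p}
		// Climb from the checkout towards root looking for svn metadata.
		for dir := filepath.Dir(p); f.OuterSVN == ""; dir = filepath.Dir(dir) {
			if st, e := os.Stat(filepath.Join(dir, ".svn")); e == nil && st.IsDir() {
				f.OuterSVN = dir
			}
			if dir == filepath.Clean(root) || dir == filepath.Dir(dir) {
				break
			}
		}
		hooks, _ := os.ReadDir(filepath.Join(p, "hooks"))
		for _, h := range hooks {
			if !h.IsDir() && !strings.HasSuffix(h.Name(), ".sample") {
				f.Hooks = append(f.Hooks, h.Name())
			}
		}
		if f.OuterSVN != "" || len(f.Hooks) > 0 {
			out = append(out, f)
		}
		return filepath.SkipDir // do not descend into .git itself
	})
	return out, err
}
func main() { // usage: audit DIR [DIR...]
	for _, root := range os.Args[1:] {
		found, err := AuditTree(root)
		fmt.Printf("%s: %+v (err=%v)\n", root, found, err)
	}
}
```
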
CVE-2018-16873
The "go get" command is vulnerable to remote code execution when
executed with the -u flag and the import path of a malicious Go
package, as it may treat the parent directory as a Git repository
root, containing malicious configuration.
CVE-2018-16874
The "go get" command is vulnerable to directory traversal when