
go: security update to 1.11.4 #1537

Closed
l2dy opened this issue Dec 15, 2018 · 3 comments

@l2dy
Contributor

commented Dec 15, 2018

CVE IDs: CVE-2018-16873, CVE-2018-16874, CVE-2018-16875

Other security advisory IDs: N/A

Descriptions:
Below is excerpted from https://www.openwall.com/lists/oss-security/2018/12/14/9.

We have released Go 1.11.3 and Go 1.10.6 to address three recently
reported security issues. You can see an announcement at
https://groups.google.com/d/msg/golang-announce/Kw31K8G7Fi0/z2olKn-QCAAJ.
[...]
There are three vulnerabilities being addressed by the security release:
• cmd/go: remote command execution during "go get -u"
• cmd/go: directory traversal in "go get" via curly braces in import paths
• crypto/x509: CPU denial of service in chain validation

PoC(s):
See the following Go issues.

The issue is CVE-2018-16873 and Go issue https://golang.org/issue/29230.
The issue is CVE-2018-16874 and Go issue https://golang.org/issue/29231.
The issue is CVE-2018-16875 and Go issue https://golang.org/issue/29233.

Architectural progress:

  • AMD64 amd64
  • AArch64 arm64
  • ARMv7 armel

@MingcongBai changed the title from "go: security update to 1.11.4 / 1.10.7" to "go: security update to 1.11.4" on Jan 14, 2019

@MingcongBai

Member

commented Jan 14, 2019

PowerPC 64-bit Big Endian (ppc64) will not receive a security update for this issue.

MingcongBai added a commit that referenced this issue Jan 14, 2019

@MingcongBai

Member

commented Jan 25, 2019

Fixed with 0cbe8cf. Closing.

@l2dy

Contributor Author

commented Jan 25, 2019

Use AOSA-2019-0007.
