Advisories » MGASA-2018-0089

Updated golang packages fix security vulnerabilities

Publication date: 21 Jan 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-15041, CVE-2017-15042

Description

An arbitrary command execution flaw was found in the way Go's "go get"
command handled the checkout of source code repositories. A remote
attacker capable of hosting malicious repositories could potentially use
this flaw to cause arbitrary command execution on the client side
(CVE-2017-15041).

It was found that the smtp.PlainAuth authentication scheme in Go did not
verify the TLS requirement properly. A remote man-in-the-middle attacker
could potentially use this flaw to sniff SMTP credentials sent by a Go
application (CVE-2017-15042).
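
As a defence-in-depth illustration of the TLS requirement behind CVE-2017-15042, the added example below (not code from Go or from Mageia) wraps an smtp.Auth so that credentials are released only when the client itself reports a TLS session. The names RequireTLS, tlsOnlyAuth and wouldSend, the host mail.example.test and the credentials are hypothetical and constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

var errNoTLS = errors.New("refusing SMTP AUTH: connection is not TLS-protected")

// tlsOnlyAuth is a hypothetical wrapper (not part of net/smtp) that refuses
// to start the wrapped mechanism unless the session is TLS-protected.
type tlsOnlyAuth struct{ inner smtp.Auth }

// RequireTLS wraps any smtp.Auth so credentials never leave in cleartext.
func RequireTLS(a smtp.Auth) smtp.Auth { return tlsOnlyAuth{inner: a} }

func (t tlsOnlyAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	// ServerInfo.TLS is set by smtp.Client once a TLS session exists
	// (implicit TLS or STARTTLS). ServerInfo.Auth is whatever the peer sent
	// in EHLO; on a plaintext link it is untrusted, so it is ignored here.
	if server == nil || !server.TLS {
		return "", nil, errNoTLS
	}
	return t.inner.Start(server)
}

func (t tlsOnlyAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return t.inner.Next(fromServer, more)
}

// wouldSend reports whether credentials would be sent to the constructed
// host mail.example.test, given the session's TLS state and EHLO AUTH list.
func wouldSend(tls bool, advertised ...string) bool {
	auth := RequireTLS(smtp.PlainAuth("", "user", "constructed-secret", "mail.example.test"))
	info := &smtp.ServerInfo{Name: "mail.example.test", TLS: tls, Auth: advertised}
	_, resp, err := auth.Start(info)
	return err == nil && len(resp) > 0
}

func main() {
	fmt.Println("plaintext, PLAIN advertised:", wouldSend(false, "PLAIN"))
	fmt.Println("TLS, PLAIN advertised:      ", wouldSend(true, "PLAIN"))
}
```

The wrapped value can be passed wherever an smtp.Auth is accepted, for example as the auth argument of smtp.SendMail.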