Advisories » MGASA-2018-0089

Updated golang packages fix security vulnerabilities

Publication date: 21 Jan 2018
Modification date: 21 Jan 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-15041 , CVE-2017-15042

Description

An arbitrary command execution flaw was found in the way Go's "go get"
command handled the checkout of source code repositories. A remote
attacker capable of hosting malicious repositories could potentially use
this flaw to cause arbitrary command execution on the client side
(CVE-2017-15041).

It was found that smtp.PlainAuth authentication scheme in Go did not
verify the TLS requirement properly. A remote man-in-the-middle attacker
could potentially use this flaw to sniff SMTP credentials sent by a Go
application (CVE-2017-15042).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=21857
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AHH5B4WHCPTVEM6APRVXRWLFOR325CCD/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15041
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15042

SRPMS

6/core

• golang-1.9.1-1.mga6