Updated golang packages fix security vulnerabilities
Publication date: 21 Jan 2018
Modification date: 21 Jan 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-15041, CVE-2017-15042
Description
An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side (CVE-2017-15041).

It was found that the smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application (CVE-2017-15042).
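For applications that authenticate over SMTP, a defence-in-depth check against the CVE-2017-15042 class of problem, added here as an example and not taken from the Go project or this advisory: a wrapper that refuses to start authentication unless the client's own connection is already TLS. The names `requireTLSAuth`, `sampleAuth` and `tryStart`, the host name and the credentials are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

var errNoTLS = errors.New("smtp: refusing to authenticate without TLS")

// requireTLSAuth is a hypothetical wrapper (not part of net/smtp) around any
// smtp.Auth. It is stricter than PlainAuth: no exception for localhost.
type requireTLSAuth struct{ inner smtp.Auth }

// Start is called by smtp.Client.Auth before any credential is sent.
// server.TLS describes the client's own connection state; server.Auth is
// only what the peer advertised, so it is not used for the decision.
func (a requireTLSAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS {
		return "", nil, errNoTLS
	}
	return a.inner.Start(server)
}

func (a requireTLSAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

// sampleAuth builds the wrapper around PlainAuth with constructed values.
func sampleAuth() smtp.Auth {
	return requireTLSAuth{smtp.PlainAuth("", "user", "constructed-secret", "mail.example.test")}
}

// tryStart feeds the mechanism a constructed ServerInfo for a peer that
// advertises PLAIN, with or without TLS on the connection.
func tryStart(auth smtp.Auth, tls bool) (string, []byte, error) {
	info := &smtp.ServerInfo{Name: "mail.example.test", TLS: tls, Auth: []string{"PLAIN"}}
	return auth.Start(info)
}

func main() {
	_, _, err := tryStart(sampleAuth(), false)
	fmt.Println("plaintext connection:", err)
	proto, _, err := tryStart(sampleAuth(), true)
	fmt.Println("TLS connection:", proto, err)
}
```

The wrapper can be passed to `smtp.Client.Auth` or `smtp.SendMail` in place of the bare mechanism.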
References
SRPMS
6/core
- golang-1.9.1-1.mga6