AVG-835
| Package | go, go-pie |
| Status | Fixed |
| Severity | High |
| Type | multiple issues |
| Affected | 2:1.11.2-2 |
| Fixed | 2:1.11.3-1 |
| Current | 2:1.25.4-1 [extra] |
| Ticket | None |
| Created | Sat Dec 15 17:25:13 2018 |

| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2018-16875 | Medium | Yes | Denial of service | The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might... |
| CVE-2018-16874 | High | Yes | Directory traversal | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go... |
| CVE-2018-16873 | High | Yes | Arbitrary command execution | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path... |

| Date | Advisory | Package | Type |
|---|---|---|---|
| 18 Dec 2018 | ASA-201812-12 | go-pie | multiple issues |
| 18 Dec 2018 | ASA-201812-11 | go | multiple issues |

| References |
|---|
| https://groups.google.com/forum/#!msg/golang-announce/Kw31K8G7Fi0/z2olKn-QCAAJ |