go

Description: Core compiler tools for the Go programming language
Version: 2:1.11.4-1 [community]

Resolved

Group | Affected | Fixed | Severity | Status | Ticket
AVG-835 | 2:1.11.2-2 | 2:1.11.3-1 | High | Fixed |
AVG-606 | 1.9.3-1 | 1.9.4-1 | High | Fixed |
AVG-442 | 2:1.9-1 | 2:1.9.1-1 | High | Fixed |
AVG-433 | 2:1.7-1 | 2:1.8-1 | High | Fixed |

Issue | Group | Severity | Remote | Type | Description
CVE-2018-6574 | AVG-606 | High | Yes | Arbitrary code execution | Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by...
CVE-2018-16875 | AVG-835 | Medium | Yes | Denial of service | The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might...
CVE-2018-16874 | AVG-835 | High | Yes | Directory traversal | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go...
CVE-2018-16873 | AVG-835 | High | Yes | Arbitrary command execution | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path...
CVE-2017-15041 | AVG-442 | High | Yes | Arbitrary command execution | Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that...
CVE-2017-1000098 | AVG-433 | High | Yes | Denial of service | The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit....

Advisories

Date | Advisory | Group | Severity | Description
18 Dec 2018 | ASA-201812-11 | AVG-835 | High | multiple issues
09 Feb 2018 | ASA-201802-2 | AVG-606 | High | arbitrary code execution
12 Oct 2017 | ASA-201710-15 | AVG-442 | High | arbitrary command execution