MGASA-2018-0089

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2018-0089.html

Import Source

https://advisories.mageia.org/MGASA-2018-0089.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2018-0089

Related

Published

2018-01-21T21:31:56Z

Modified

2018-01-21T20:39:44Z

Summary

Updated golang packages fix security vulnerabilities

Details

An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side (CVE-2017-15041).

It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application (CVE-2017-15042).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / golang

Package

Name: golang
Purl: pkg:rpm/mageia/golang?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.1-1.mga6

Ecosystem specific

{
    "section": "core"
}