[ GLSA 201812-09 ] Go: Multiple vulnerabilities


From: Mikle Kolyada
To: gentoo-announce@lists.gentoo.org
Subject: [ GLSA 201812-09 ] Go: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201812-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Go: Multiple vulnerabilities
     Date: December 21, 2018
     Bugs: #673234
       ID: 201812-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis

Multiple vulnerabilities have been found in Go, the worst of which could
lead to the execution of arbitrary code.

Background

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/go                  < 1.10.7                    > 1.10.7

Description

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact

A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages to the 'go get -u' command.

The remote attacker could also craft pathological inputs causing a
CPU-based Denial of Service condition via the crypto/x509 package.

Workaround

There is no known workaround at this time.

Resolution

All Go users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">dev-lang/go-1.10.7"
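
The emerge commands above are the fix. As an added example that is not part of the GLSA or of Gentoo's own tooling, the POSIX shell script below checks whether the Go toolchain on PATH still falls in the advisory's Vulnerable range (< 1.10.7) by parsing the output of 'go version'; it is the kind of post-upgrade check a host inventory script would run. The helper names and the sample version strings are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of GLSA 201812-09: flag a Go toolchain whose version
# is below the advisory's fixed version. Assumes a 'go' binary on PATH when
# check_installed_go is invoked; everything else is self-contained.

FIXED_GO_VERSION="1.10.7"   # upper bound of the Vulnerable column in the GLSA

# Extract "X.Y[.Z]" from a 'go version' line such as
# "go version go1.10.6 linux/amd64". Pre-release suffixes (go1.11beta1) are
# reduced to their numeric prefix; unparseable lines yield an empty string.
go_version_number() {
    printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted numeric versions component by component.
# Prints "lt", "eq" or "gt" describing $1 relative to $2; a missing
# component counts as 0, so 1.10 compares equal to 1.10.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}";  bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then echo lt; return; fi
        if [ "$ax" -gt "$bx" ]; then echo gt; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo eq
}

# Exit status 0 when the 'go version' line given as $1 is outside the
# Vulnerable range (>= 1.10.7), 1 when it is vulnerable, 2 when the line
# could not be parsed (treat 2 as "investigate", not as "safe").
go_is_patched() {
    v=$(go_version_number "$1")
    [ -n "$v" ] || return 2
    case "$(vercmp "$v" "$FIXED_GO_VERSION")" in
        lt) return 1 ;;
        *)  return 0 ;;
    esac
}

# Run the check against whatever 'go' is first on PATH.
check_installed_go() {
    if ! command -v go >/dev/null 2>&1; then
        echo "no go binary on PATH"
        return 0
    fi
    line=$(go version 2>/dev/null)
    if go_is_patched "$line"; then
        echo "OK: $line (not below $FIXED_GO_VERSION)"
    else
        echo "VULNERABLE: $line (below $FIXED_GO_VERSION); apply the emerge commands above"
        return 1
    fi
}

# Usage: sh go_glsa_check.sh --check
if [ "${1:-}" = "--check" ]; then check_installed_go; fi
```

Only the version reported by the toolchain on PATH is examined; a second Go installation elsewhere (for example one vendored into a build image) needs to be checked separately.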

References

[ 1 ] CVE-2018-16873
      https://nvd.nist.gov/vuln/detail/CVE-2018-16873
[ 2 ] CVE-2018-16874
      https://nvd.nist.gov/vuln/detail/CVE-2018-16874
[ 3 ] CVE-2018-16875
      https://nvd.nist.gov/vuln/detail/CVE-2018-16875

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201812-09

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
