[3.6] go: Multiple vulnerabilities (CVE-2017-15041, CVE-2017-15042)
CVE-2017-15042: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
It was found that the smtp.PlainAuth scheme was vulnerable to a man-in-the-middle attack. The smtp.PlainAuth implementation would send the username and password to a man-in-the-middle SMTP server that doesn’t advertise STARTTLS and does advertise that PLAIN auth is OK.
Fixed In Version:
golang 1.8.4, golang 1.9.1
References:
https://github.com/golang/go/issues/22134
Patches:
Go 1.8: https://go-review.googlesource.com/c/go/+/68023
Go 1.9: https://go-review.googlesource.com/c/go/+/68210
CVE-2017-15041: arbitrary code execution during “go get” or “go get -d”
Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, “go get” can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository’s Git checkout has malicious code in .git/hooks/, it will execute on the system running “go get.”
Fixed In Version:
golang 1.8.4, golang 1.9.1
References:
https://github.com/golang/go/issues/22125
Patches:
Go 1.8: https://go-review.googlesource.com/c/go/+/68190
Go 1.9: https://go-review.googlesource.com/c/go/+/68022
(from redmine: issue id 8043, created on 2017-10-24, closed on 2017-10-24)
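One way to enforce, on the client side, the condition behind CVE-2017-15042 is sketched below as an added Go example (it is not code from the Go patches or from this issue): a wrapper around any smtp.Auth that withholds credentials unless the session is under TLS. The names tlsOnlyAuth, offer and errNoTLS, and the mail.example.com values, are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// errNoTLS reports that credentials were withheld on a cleartext session.
var errNoTLS = errors.New("smtp auth refused: session is not protected by TLS")

// tlsOnlyAuth wraps any smtp.Auth and refuses to start authentication
// without TLS. Hypothetical helper for this example, not part of net/smtp.
type tlsOnlyAuth struct{ inner smtp.Auth }

func (a tlsOnlyAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	// Without TLS nothing in ServerInfo can be trusted: the advertised AUTH
	// list may come from an intermediary that hid STARTTLS and offered PLAIN.
	// No exception is made for localhost here.
	if !server.TLS {
		return "", nil, errNoTLS
	}
	return a.inner.Start(server)
}

func (a tlsOnlyAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

// offer runs the first AUTH step against a server's advertised capabilities
// and returns the mechanism and the bytes that would be sent to the server.
func offer(auth smtp.Auth, server smtp.ServerInfo) (string, []byte, error) {
	return auth.Start(&server)
}

func main() {
	auth := tlsOnlyAuth{inner: smtp.PlainAuth("", "user", "secret", "mail.example.com")}
	// Constructed capability sets: the first is what a client sees when an
	// intermediary hides STARTTLS but still advertises PLAIN.
	for _, srv := range []smtp.ServerInfo{
		{Name: "mail.example.com", TLS: false, Auth: []string{"PLAIN"}},
		{Name: "mail.example.com", TLS: true, Auth: []string{"PLAIN"}},
	} {
		proto, resp, err := offer(auth, srv)
		fmt.Printf("tls=%v proto=%q bytes=%d err=%v\n", srv.TLS, proto, len(resp), err)
	}
}
```

The same wrapper can be passed to smtp.SendMail or Client.Auth in place of the bare mechanism, so custom Auth implementations get the TLS requirement too.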
- Changesets:
- Revision 7076c303 by Natanael Copa on 2017-10-24T09:34:28Z:
community/go: security upgrade to 1.8.4 (CVE-2017-15041,CVE-2017-15042)
fixes #8043