[3.7] go: arbitrary code execution during go get (CVE-2018-6574)
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow “go get” remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
(from redmine: issue id 8539, created on 2018-02-22, closed on 2018-02-23)
- Revision 484ebc3a by Natanael Copa on 2018-02-22T22:15:45Z:
community/go: security upgrade to 1.9.4 (CVE-2018-6574) fixes #8539
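
An added example, not code from the Go project or from this issue: a scanner that audits a source file for `#cgo` directives carrying the `-fplugin=` or `-plugin=` arguments named in the description, for use before building untrusted code with an affected toolchain. The line-based matching, the `ScanCgoFlags` name and the sample source with its placeholder paths are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one #cgo directive token that asks the compiler or linker to load a plugin.
type Finding struct {
	Line int
	Flag string
}

// blocked holds the two argument prefixes named in the CVE-2018-6574 description.
var blocked = []string{"-fplugin=", "-plugin="}

// ScanCgoFlags returns every blocked flag found in #cgo directives of src.
// It is a line-based heuristic (an assumption of this example), not a Go parser.
func ScanCgoFlags(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		// Directives live in the comment preamble above `import "C"`.
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
		if !strings.HasPrefix(line, "#cgo") {
			continue
		}
		colon := strings.Index(line, ":")
		if colon < 0 {
			continue // no flag list, e.g. a malformed directive
		}
		for _, tok := range strings.Fields(line[colon+1:]) {
			for _, p := range blocked {
				if strings.HasPrefix(tok, p) {
					out = append(out, Finding{Line: n, Flag: tok})
				}
			}
		}
	}
	return out
}

// sample is constructed for this example; the plugin paths are placeholders.
const sample = "package demo\n\n// #cgo CFLAGS: -O2 -fplugin=./PLACEHOLDER.so\n// #cgo linux LDFLAGS: -lm -plugin=./PLACEHOLDER.so\n// #cgo LDFLAGS: -lz\nimport \"C\"\n"

func main() {
	for _, f := range ScanCgoFlags(sample) {
		fmt.Printf("line %d: %s\n", f.Line, f.Flag)
	}
}
```

A hit means the file should be reviewed before any build; an empty result only says these two argument forms are absent from its `#cgo` lines.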