Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in Go
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Go
ID: 201812-09
Distribution: Gentoo
Plattformen: Keine Angabe
Datum: Fr, 21. Dezember 2018, 13:47
Referenzen: https://nvd.nist.gov/vuln/detail/CVE-2018-16873
https://nvd.nist.gov/vuln/detail/CVE-2018-16875
https://nvd.nist.gov/vuln/detail/CVE-2018-16874
Applikationen: Go

Originalnachricht

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--K3RyAmd70woAHmro0j7eYYONkBgpLvdS7
Content-Type: multipart/mixed;
boundary="ZfBFKNaGXA5mOuqNHtMBwfJU7XE1dk0Kb";
protected-headers="v1"
From: Mikle Kolyada <zlogene@gentoo.org>
To: gentoo-announce@lists.gentoo.org
Message-ID: <07cb88eb-aade-d606-84a6-e23876ef364f@gentoo.org>
Subject: [ GLSA 201812-09 ] Go: Multiple vulnerabilities

--ZfBFKNaGXA5mOuqNHtMBwfJU7XE1dk0Kb
Content-Type: multipart/mixed;
boundary="------------84DFD464E808500A87F476B5"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------84DFD464E808500A87F476B5
Content-Type: multipart/alternative;
boundary="------------851620759308F8A57B1E8B6F"


--------------851620759308F8A57B1E8B6F
Content-Type: text/plain; charset=utf-
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201812-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Go: Multiple vulnerabilities
Date: December 21, 2018
Bugs: #673234
ID: 201812-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Go, the worst which could
lead to the execution of arbitrary code.

Background
==========

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/go < 1.10.7 >= 1.10.7

Description
===========

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages the 'go get -u' command.

The remote attacker could also craft pathological inputs causing a CPU
based Denial of Service condition via the crypto/x509 package.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Go users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/go-1.10.7"

References
==========

[ 1 ] CVE-2018-16873
https://nvd.nist.gov/vuln/detail/CVE-2018-16873
[ 2 ] CVE-2018-16874
https://nvd.nist.gov/vuln/detail/CVE-2018-16874
[ 3 ] CVE-2018-16875
https://nvd.nist.gov/vuln/detail/CVE-2018-16875

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201812-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5


--------------851620759308F8A57B1E8B6F
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
<head>

<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3DUTF=
-8">
</head>
<body text=3D"#000000" bgcolor=3D"#FFFFFF">
<pre style=3D"color: rgb(0, 0, 0); font-style: normal;
font-variant-l=
igatures: normal; font-variant-caps: normal; font-weight: 400; letter-spa=
cing: normal; orphans: 2; text-align: start; text-indent: 0px; text-trans=
form: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;=
text-decoration-style: initial; text-decoration-color: initial; overflow=
-wrap: break-word; white-space: pre-wrap;">- - - - - - - - - - - - - - -
=
- - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201812-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<a
class=3D"moz-txt-link-freet=
ext" href=3D"https://security.gentoo.org/">https://security.gentoo.org/</=
a>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Go: Multiple vulnerabilities
Date: December 21, 2018
Bugs: #673234
ID: 201812-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D

Multiple vulnerabilities have been found in Go, the worst which could
lead to the execution of arbitrary code.

Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/go &lt; 1.10.7 &gt;=3D
1.=
10.7=20

Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
=3D=3D=3D=3D=3D=3D

A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages the 'go get -u' command.

The remote attacker could also craft pathological inputs causing a CPU
based Denial of Service condition via the crypto/x509 package.

Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

There is no known workaround at this time.

Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

All Go users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=3Ddev-lang/go-1.10.7"

References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

[ 1 ] CVE-2018-16873
<a class=3D"moz-txt-link-freetext" href=3D"https://nvd.nist.gov/vul=
n/detail/CVE-2018-16873">https://nvd.nist.gov/vuln/detail/CVE-2018-16873<=
/a>
[ 2 ] CVE-2018-16874
<a class=3D"moz-txt-link-freetext" href=3D"https://nvd.nist.gov/vul=
n/detail/CVE-2018-16874">https://nvd.nist.gov/vuln/detail/CVE-2018-16874<=
/a>
[ 3 ] CVE-2018-16875
<a class=3D"moz-txt-link-freetext" href=3D"https://nvd.nist.gov/vul=
n/detail/CVE-2018-16875">https://nvd.nist.gov/vuln/detail/CVE-2018-16875<=
/a>

Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

<a class=3D"moz-txt-link-freetext" href=3D"https://security.gentoo.org/g=
lsa/201812-09">https://security.gentoo.org/glsa/201812-09</a>

Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
<a class=3D"moz-txt-link-abbreviated"
href=3D"mailto:security@gentoo.org"=
>security@gentoo.org</a> or alternatively, you may file a bug at
<a class=3D"moz-txt-link-freetext" href=3D"https://bugs.gentoo.org">https=
://bugs.gentoo.org</a>.

License
=3D=3D=3D=3D=3D=3D=3D

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

<a class=3D"moz-txt-link-freetext" href=3D"https://creativecommons.org/li=
censes/by-sa/2.5">https://creativecommons.org/licenses/by-sa/2.5</a></pre=
>
</body>
</html>

--------------851620759308F8A57B1E8B6F--

--------------84DFD464E808500A87F476B5
Content-Type: application/pgp-keys;
name="0x3E7E1C21A9D14B97.asc"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="0x3E7E1C21A9D14B97.asc"

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFtCkdwBCAC7LGb65KM8ZhysEDzbBnggTsUMXMZ3pJWFQtLaxm8f99p2HL9G
FcEP94A6BXExWzMcIba/AdL0ogU2mS/Jbs7DHUFVRT3yQDtiq+md5h3hZvi52QyR
lELWG9ElDLuUse5E58WJgLx+SXD5qgUowqTgCzNbXAJQNKQtNWIC+Zy29m53Xj8y
BnRsRuwd0kO/Zn7DJL5dCKL2ItzfJNpG5MTayLyNkl3QgCqPPFsQEd7aqqqhxq1p
n/dwX22vyMJwsv/6SV5vaNTYSg9p8hVnr3mLVYg6/UIvwAIgNJKhQlG1bkoOq5+j
gq8a7GdRUeY8fHSqLERucmal8fBqWmvZH+jRABEBAAG0Ik1pa2xlIEtvbHlhZGEg
PHpsb2dlbmVAZ2VudG9vLm9yZz6JAVQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYC
AwECHgECF4AWIQRRPEwdu6XuhrjZQ70+fhwhqdFLlwUCW2fApgUJBEPeygAKCRA+
fhwhqdFLl7CeB/9qYF51wrMuzpLW/znrH0YZmYo9pm7kmLxbWezJH74hH97rJOer
X+RoNR0nAGrBdZzObiHWhXah5BFrln8Fyv8oE5IDnO9OCN+PE8hXSSSYv6VvtNX6
FXgMaqvRXC5kd1/ugvpPmwbbfTp0uasRATjlsXSfb7FAMLAcP2lYbv1dFA2mUHNC
tFtIg7Zu+KJTXyeNwPEXrMtgt4j3zL96Drq1AOxkR5D5pPYnzJG+xrOpRoarXVjC
I6MsYYKd+E6WRQPIgkeY4mxKFBK3sSNQMAY+FNiWNK3G4529zCLzekv4KQHDSRnf
OhfevOogiUCnNUWl9pRDI7uRfSjP0JZwwLi2iQFUBBMBCAA+FiEEUTxMHbul7oa4
2UO9Pn4cIanRS5cFAltCkdwCGwMFCQWjmoAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AACgkQPn4cIanRS5dyZAgAhPdVONCC3WnRpGu6wQjPEbuzD002MxSPgLwXDprG
yc1DW03YkDP2AdDpLCq7t6nYbsqkhptUOlAFPuIHTGHQayCJPRUCV9prhHywjAKL
FOwwWrhqDF6L+noQ1/G6E4UjtCCz+wvM0P0xo/NuNsdJCFMAT2OzheuMgD96H5UB
ypC2437zGof+s2a3SydM1nlDrr95slJbjQw8uqleGXmZc/d862R45cDGahnjoCyA
Cr6tt3ZySTWPokJujhDjCAmvcyQj/bKfSnL3ebdEtVybwLmyF1mOzlx5Pon2smkO
gT0y5wcsaIJ6lLViGf6dDpMUefec78XnGxBxwldB+WzEarkBDQRbQpIkAQgApF3j
Xmo4Pn+lygxiTh58TLNz1Hmmqsd+sEZHr81o2NtFcM0mDqts53Vz//Us+5qyXNmk
EV0gH20nib7CJxv48gSN789i5uqUcdxZMx2rY5YuZRIbTOgkCKX2fUadfGIiX645
2of91HrAXpGwTqLsUL+tfPM/x3YpaLeqKb4da3dbARO7oAfcOxNdXvdm0S37swsW
v4ChLtgpx9/M6uT0FLxVcUWLinlVw2khWXPSBTbsrE1uRGTmqMC+sHnmBZLQoZrz
kf1pUlgSJJq6kUsKiVqI9MNlQ7f6cwBNEbUNYM7THKcyji0n8j64D991AG+1WP34
zsKIIKhUtL93RII/8wARAQABiQJyBBgBCAAmFiEEUTxMHbul7oa42UO9Pn4cIanR
S5cFAltCkiQCGwIFCQHhM4ABQAkQPn4cIanRS5fAdCAEGQEIAB0WIQRabIEacj4S
KHDp03wcgJAkipWXxwUCW0KSJAAKCRAcgJAkipWXx9DMB/9326kinWmCwELyJ7x/
A3qZUyIT+7jguKbJYGb8bzXdrS63FggbXSgEZCiOrQu45otEGb929nPCXum0PAg6
5uu8BfLq4ZjRI6757TmwpLvfQ+bkChGwHHZQN0EieDdeX/3oWUhLyMMsNiBiHQVN
egpvpM2htYkPxxpoVLUYL+IOKXwBoVlxM8u0+10OkLat1DM4d+WhWMOT3cJkNQQZ
v85dJ86c2T3eZ9c6gK7ZCbBv5so55q9Q9/n7I2I8XPPX+S2e4ZdmuCyiNFTab6mL
IPfNbGKwu4Muo/wZKpik2m3UnJFNdfr4Wo5wakW/92Kd44lcUlpFfBWzTPcjBdiv
f3hrfkoH/RO3h3SF6lomAOuRpsQ5VRP6uSteksXBdsQRmjTnRH6+q5W4FGpAar1S
D5nt+3ZoKINqVbIsFYMWk5eykIXTT0Y16rSNqR+RprH02DpF9bKJDYUsDSJy6Oar
3sxx+3M+FUXODrqz5OrH3gkbFg569NyNNf+xESm1F1x3lIwMwAl87/BKy96PW/NM
65s8XsEZKdf9XEhxLY8nPDcbEsUd3nCP82QlDaBA10wheYzY7gSvAx1f88X5yLyg
dZc6Fo2b+9ezviNdtiqsrIPb3mAbdv65jY/muxfbX4GWCnzEmbnoXfuNajim+4qQ
uqku4L0JTMOsjCPq9BkHQd1Kx1rnRBO5AQ0EW0KT9AEIAK6E3GSqIPUE962Bejw1
kVZNTAbCYAzOV5dmpmaj+U1ThMF4EDbun+a8LHwDUagnbEn4Z96HWJj1qGMtYUQh
WXl3AxHOpebRuSURrfUiMawhT7H536WNoeZZfcnMYr3in94PsVDu9lBLQ2Pe/VtC
2dv8cQzmlneVxirfg5p3LMeLzJLQoueGuDNyVpyyan8eZz+4CFlzas6hBFBSGdjW
yRaT7vPY284JVXIH6Vlag4q5zpNe8IdQteWBZGR5XpPhK8G7H0toRhEqqSUbuatz
GrWFmL1cBoApHbTkcFoLlSnQUt7DhKPiBSLHJIJZ0d5avhJV43ur1RaqXCQAdCvQ
DDEAEQEAAYkBPAQYAQgAJhYhBFE8TB27pe6GuNlDvT5+HCGp0UuXBQJbQpP0AhsM
BQkB4TOAAAoJED5+HCGp0UuXw5oIALku6SiOXMKD6GwsNdIa3TNqPvnVkZ1SNxGS
RTxShuMnnu0aoG/KeX+ymNyZxmuC4UFKcD/7E4p8YLqRzOvwfg46QAhTyibBLWuK
RxDZDNh9PHmEiWFVwpdUIk661HeGBt2ecoQGGS77Hw7AayqS8KdHPRPzi/AWGe9i
9WDg2fYf+w510ENlBrpukhlKmlvVHaxzg/D3O58Yuh3TYMvXp48WCtxbnnYea14i
JfBhLHn8Nm7xHCD8diH9FcNo1k0PI7lgT9dF8/dDuiR8SgYr+iMd6YHmIOLvlE9L
AKvVzNMR7BkcZAFz7JlEYdVei6zFeeoWWTwwBRa6JcmeBW0x5Wo=3D
=3Dk4pb
-----END PGP PUBLIC KEY BLOCK-----

--------------84DFD464E808500A87F476B5--

--ZfBFKNaGXA5mOuqNHtMBwfJU7XE1dk0Kb--

--K3RyAmd70woAHmro0j7eYYONkBgpLvdS7
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWmyBGnI+Eihw6dN8HICQJIqVl8cFAlwc1jQACgkQHICQJIqV
l8fkBQf+NjoiLsIvJobDU/lWkH4QHN1uOVMPyTi6DC+4zvDhrUSWTXWZp7FmRAoS
HWnsqAB6ooYYwNwe/FyhWxeQZi68jC5UR82DZqsuiWZ/N/F6eD62+pERaFdZmlGl
bQABPZ+hLLfsUs1jiz/swH3kfz1trZNHzGqE9qpW+wfX0yFbe+e0fjRCxNoQLh22
NgTFbWQpz0UANjNZ9YmT/52bKt83wDT0gMu2q53RVUPyk1PtI7Q2q9MBQsmAGc7q
zb0BBDNSF5g2pKi3gnCt6e+rsRv0oQDpprl0XOqLUNqXDOVGvyOQwYfr+g6zaV3K
yRl6xrCpjmrOKI5p7Juk6SO4/w+N6w==
=KEwa
-----END PGP SIGNATURE-----

--K3RyAmd70woAHmro0j7eYYONkBgpLvdS7--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung