Showing 1 - 3 of 3

CVE-2017-15041

Status Candidate

Overview

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

Related Files

Red Hat Security Advisory 2018-0878-01: Posted Apr 11, 2018; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2018-0878-01 - The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang. Issues addressed include code execution and man-in-the-middle vulnerabilities.; tags | advisory, vulnerability, code execution; systems | linux, redhat; advisories | CVE-2017-15041, CVE-2017-15042, CVE-2018-6574; SHA-256 | 84e77989cb2190ac86368255138b87806529f989952794173977bdaf94eee7ed; Download | Favorite | View

Red Hat Security Advisory 2017-3463-01: Posted Dec 14, 2017; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2017-3463-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application.; tags | advisory, remote, arbitrary; systems | linux, redhat; advisories | CVE-2017-15041, CVE-2017-15042; SHA-256 | 34fc4cb4409bacd861fabab79b86a4ada6ca60f08cdf7237d43f8b4401e9eae2; Download | Favorite | View

Gentoo Linux Security Advisory 201710-23: Posted Oct 23, 2017; Authored by Gentoo | Site security.gentoo.org; Gentoo Linux Security Advisory 201710-23 - Multiple vulnerabilities have been found in Go, the worst of which may result in the execution of arbitrary commands. Versions less than 1.9.1 are affected.; tags | advisory, arbitrary, vulnerability; systems | linux, gentoo; advisories | CVE-2017-15041, CVE-2017-15042; SHA-256 | bf94b265f8846c16e26ea3dc339c3f0268d4a939482de4292f29ffc877facace; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

CVE-2017-15041

Overview

Related Files

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems