101196

RHSA-2017:3463

RHSA-2018:0878

https://github.com/golang/go/issues/22125

https://golang.org/cl/68022

https://golang.org/cl/68190

https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ

GLSA-201710-23

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has golang packages installed that are affected by multiple vulnerabilities:

  - An arbitrary command execution flaw was found in the way     Go's go get command handled the checkout of source     code repositories. A remote attacker capable of hosting     malicious repositories could potentially use this flaw     to cause arbitrary command execution on the client side.
    (CVE-2017-15041)

  - It was found that smtp.PlainAuth authentication scheme     in Go did not verify the TLS requirement properly. A     remote man-in-the-middle attacker could potentially use     this flaw to sniff SMTP credentials sent by a Go     application. (CVE-2017-15042)

  - An arbitrary command execution flaw was found in the way     Go's go get command handled gcc and clang sensitive     options during the build. A remote attacker capable of     hosting malicious repositories could potentially use     this flaw to cause arbitrary command execution on the     client side. (CVE-2018-6574)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the go package has been released.

An update of [go,curl,libtiff,systemd,bash] packages for PhotonOS has been released.

Arbitrary code execution during go get or go get -d

Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get' remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, 'go get' can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running 'go get.'(CVE-2017-15041)

smtp.PlainAuth susceptible to man-in-the-middle password harvesting

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.(CVE-2017-15042)

Arbitrary code execution during 'go get' via C compiler options

An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side.(CVE-2018-6574)

The following packages have been upgraded to a later upstream version:
golang (1.9.4).

Security Fix(es) :

  - golang: arbitrary code execution during 'go get' or 'go     get -d' (CVE-2017-15041)

  - golang: smtp.PlainAuth susceptible to man-in-the-middle     password harvesting (CVE-2017-15042)

  - golang: arbitrary code execution during 'go get' via C     compiler options (CVE-2018-6574)

Additional Changes :

An update for golang is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The golang packages provide the Go programming language compiler.

The following packages have been upgraded to a later upstream version:
golang (1.9.4). (BZ#1479095, BZ#1499827)

Security Fix(es) :

* golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041)

* golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042)

* golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Security fix for CVE-2017-15041 and CVE-2017-15042

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for go-toolset-7 and go-toolset-7-golang is now available for Red Hat Developer Tools.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Go Toolset provides the Go programming language tools and libraries.
Go is alternatively known as golang.

Security Fix(es) :

* An arbitrary command execution flaw was found in the way Go's 'go get' command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2017-15041)

* It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application. (CVE-2017-15042)

Bug Fix(es) :

* Previously, the enable script for the go-toolset-7 Software Collection incorrectly set the GOPATH environment variable to a directory that required root permissions for write operations. As a consequence, the go compiler terminated unexpectedly when performing certain commands. The enable script has been changed to handle GOPATH correctly, and the described problem no longer occurs. (BZ#1512013)

According to the version of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get'     remote command execution. Using custom domains, it is     possible to arrange things so that example.com/pkg1     points to a Subversion repository but     example.com/pkg1/pkg2 points to a Git repository. If     the Subversion repository includes a Git checkout in     its pkg2 directory and some other work is done to     ensure the proper ordering of operations, 'go get' can     be tricked into reusing this Git checkout for the fetch     of code from pkg2. If the Subversion repository's Git     checkout has malicious commands in .git/hooks/, they     will execute on the system running 'go     get.'(CVE-2017-15041)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Arbitrary code execution during go get or go get -d :

Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get' remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, 'go get' can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running 'go get.' (CVE-2017-15041)

smtp.PlainAuth susceptible to man-in-the-middle password harvesting

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. (CVE-2017-15042)

Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get' remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, 'go get' can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running 'go get.'

For Debian 7 'Wheezy', these problems have been fixed in version 2:1.0.2-1.1+deb7u2.

We recommend that you upgrade your golang packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201710-23 (Go: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Go. Please review the       references below for details.
  Impact :

    Remote attackers could execute arbitrary Go commands or conduct a man in       the middle attack.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
127229	NewStart CGSL CORE 5.04 / MAIN 5.04 : golang Multiple Vulnerabilities (NS-SA-2019-0047)	Nessus	NewStart CGSL Local Security Checks	high
121762	Photon OS 2.0: Go PHSA-2017-0045	Nessus	PhotonOS Local Security Checks	high
111894	Photon OS 2.0: Bash / Curl / Go / Libtiff / Systemd PHSA-2017-0045 (deprecated)	Nessus	PhotonOS Local Security Checks	high
109690	Amazon Linux 2 : golang (ALAS-2018-1011)	Nessus	Amazon Linux Local Security Checks	high
109448	Scientific Linux Security Update : golang on SL7.x (noarch) (20180410)	Nessus	Scientific Linux Local Security Checks	high
109376	CentOS 7 : golang (CESA-2018:0878)	Nessus	CentOS Local Security Checks	high
108990	RHEL 7 : golang (RHSA-2018:0878)	Nessus	Red Hat Local Security Checks	high
106006	Fedora 27 : golang (2017-f4fc897e8f)	Nessus	Fedora Local Security Checks	high
105367	RHEL 7 : go-toolset-7 and go-toolset-7-golang (RHSA-2017:3463)	Nessus	Red Hat Local Security Checks	high
104929	EulerOS 2.0 SP2 : golang (EulerOS-SA-2017-1311)	Nessus	Huawei Local Security Checks	high
104392	Amazon Linux AMI : golang (ALAS-2017-918)	Nessus	Amazon Linux Local Security Checks	high
104220	Debian DLA-1148-1 : golang security update	Nessus	Debian Local Security Checks	high
104066	GLSA-201710-23 : Go: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
103997	Fedora 25 : golang (2017-8f7bca960b)	Nessus	Fedora Local Security Checks	high
103899	Fedora 26 : golang (2017-6f1b90dbb7)	Nessus	Fedora Local Security Checks	high

CVE-2017-15041

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins