golang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high
author Sylvain Beucler <beuc@debian.org>
	Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)
committer Sylvain Beucler <beuc@debian.org>
	Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)
commit 25ff4529111e57b1de7977048e03038e91e12fb2
tree e5c49aaccc557ed5fdb41bb36849e86a19c6db69
parent 58431a76751d1c93469f501ba36a5a04259f100d
parent e44ea571286d3a85ecaf4ef882c06d886fda945a
golang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2017-15041: Go allows "go get" remote command execution. Using
    custom domains, it is possible to arrange things so that
    example.com/pkg1 points to a Subversion repository but
    example.com/pkg1/pkg2 points to a Git repository. If the Subversion
    repository includes a Git checkout in its pkg2 directory and some
    other work is done to ensure the proper ordering of operations, "go
    get" can be tricked into reusing this Git checkout for the fetch of
    code from pkg2. If the Subversion repository's Git checkout has
    malicious commands in .git/hooks/, they will execute on the system
    running "go get."
  * CVE-2018-16873: the "go get" command is vulnerable to remote code
    execution when executed with the -u flag and the import path of a
    malicious Go package, as it may treat the parent directory as a Git
    repository root, containing malicious configuration.
  * CVE-2018-16874: the "go get" command is vulnerable to directory
    traversal when executed with the import path of a malicious Go package
    which contains curly braces (both '{' and '}' characters). The
    attacker can cause an arbitrary filesystem write, which can lead to
    code execution.
  * CVE-2019-9741: in net/http, CRLF injection is possible if the attacker
    controls a url parameter, as demonstrated by the second argument to
    http.NewRequest with \r\n followed by an HTTP header or a Redis
    command.
  * CVE-2019-16276: Go allows HTTP Request Smuggling.
  * CVE-2019-17596: Go can panic upon an attempt to process network
    traffic containing an invalid DSA public key. There are several attack
    scenarios, such as traffic from a client to a server that verifies
    client certificates.
  * CVE-2021-3114: crypto/elliptic/p224.go can generate incorrect outputs,
    related to an underflow of the lowest limb during the final complete
    reduction in the P-224 field.

[dgit import unpatched golang-1.7 1.7.4-2+deb9u3]
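The CVE-2019-9741 entry above describes CR/LF reaching the request line through the URL argument of http.NewRequest. The following is an added illustration, not code from this upload or from the Go project: a version-independent pre-check that rejects ASCII control characters in a caller-supplied URL before it is handed to net/http. The names checkURLControlChars, safeNewRequest and ErrControlChar are assumptions made for this example, and the attacker-controlled URL in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrControlChar is returned when a caller-supplied URL contains a CR, LF
// or other ASCII control character that could terminate the request line
// and start a new header or a smuggled command (the CVE-2019-9741 pattern).
// The name is an assumption for this example.
var ErrControlChar = errors.New("refusing URL containing an ASCII control character")

// checkURLControlChars is a hypothetical pre-check that does not depend on
// which Go toolchain is in use: it rejects any byte below 0x20 or equal to
// 0x7f anywhere in the raw URL string, so "\r\n" can never reach the
// request line regardless of how net/url or net/http treat it.
func checkURLControlChars(rawURL string) error {
	for i := 0; i < len(rawURL); i++ {
		if c := rawURL[i]; c < 0x20 || c == 0x7f {
			return ErrControlChar
		}
	}
	return nil
}

// safeNewRequest wraps http.NewRequest with the pre-check above, so an
// attacker-controlled URL parameter is refused before net/http sees it.
func safeNewRequest(method, rawURL string) (*http.Request, error) {
	if err := checkURLControlChars(rawURL); err != nil {
		return nil, err
	}
	return http.NewRequest(method, rawURL, nil)
}

func main() {
	// Constructed example of an attacker-controlled URL parameter: the
	// CR/LF ends the request line and adds a header of the attacker's choice.
	evil := "http://example.com/api?q=1\r\nX-Injected: yes"

	// On a toolchain carrying the upstream fix, url.Parse itself rejects the
	// control characters; on an unfixed one it does not, which is why the
	// explicit check above is applied first.
	_, err := url.Parse(evil)
	fmt.Println("url.Parse:", err)

	_, err = safeNewRequest("GET", evil)
	fmt.Println("safeNewRequest:", err)

	_, err = safeNewRequest("GET", "http://example.com/api?q=1")
	fmt.Println("safeNewRequest (clean URL):", err)
}
```

The check is deliberately stricter than needed for the CR/LF case alone: any control byte is refused, which also covers the Redis-command variant mentioned in the entry, since that too relies on a line break inside the URL.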
39 files changed:
debian/changelog
debian/compat
debian/control
debian/control.in
debian/copyright
debian/docs
debian/gbp.conf
debian/gbp.conf.in
debian/golang-X.Y-doc.dirs
debian/golang-X.Y-doc.install
debian/golang-X.Y-doc.links
debian/golang-X.Y-doc.lintian-overrides
debian/golang-X.Y-go.dirs
debian/golang-X.Y-go.install
debian/golang-X.Y-go.links
debian/golang-X.Y-go.lintian-overrides
debian/golang-X.Y-go.postinst
debian/golang-X.Y-src.install
debian/golang-X.Y-src.lintian-overrides
debian/helpers/goenv.sh
debian/patches/CVE-2017-15041.patch
debian/patches/CVE-2018-16873,16874.patch
debian/patches/CVE-2019-16276.patch
debian/patches/CVE-2019-17596.patch
debian/patches/CVE-2019-9741.patch
debian/patches/CVE-2020-15586.patch
debian/patches/CVE-2020-16845.patch
debian/patches/CVE-2021-3114.patch
debian/patches/cl-29995--tzdata-2016g.patch
debian/patches/cl-37964--tzdata-2017a.patch
debian/patches/cve-2018-7187.patch
debian/patches/cve-2019-6486.patch
debian/patches/series
debian/rules
debian/source/format
debian/source/lintian-overrides
debian/source/lintian-overrides.in
debian/watch
debian/watch.in