You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa Go

Sigurnosni nedostaci programskog paketa Go

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LGE

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Gentoo Linux Security Advisory GLSA 201812-09
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
https://security.gentoo.org/
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Severity: Normal
Title: Go: Multiple vulnerabilities
Date: December 21, 2018
Bugs: #673234
ID: 201812-09

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Synopsis
========

Multiple vulnerabilities have been found in Go, the worst which could
lead to the execution of arbitrary code.

Background
==========

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 dev-lang/go < 1.10.7 >= 1.10.7

Description
===========

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages the ‘go get -u’ command.

The remote attacker could also craft pathological inputs causing a CPU
based Denial of Service condition via the crypto/x509 package.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Go users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-lang/go-1.10.7”

References
==========

[ 1 ] CVE-2018-16873
https://nvd.nist.gov/vuln/detail/CVE-2018-16873
[ 2 ] CVE-2018-16874
https://nvd.nist.gov/vuln/detail/CVE-2018-16874
[ 3 ] CVE-2018-16875
https://nvd.nist.gov/vuln/detail/CVE-2018-16875

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201812-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

<html>
<head>

<meta http-equiv=”content-type” content=”text/html; charset=UTF-8″>
</head>
<body text=”#000000″ bgcolor=”#FFFFFF”>
<pre style=”color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; overflow-wrap: break-word; white-space: pre-wrap;”>- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Gentoo Linux Security Advisory GLSA 201812-09
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
<a class=”moz-txt-link-freetext” href=”https://security.gentoo.org/”>https://security.gentoo.org/</a>
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Severity: Normal
Title: Go: Multiple vulnerabilities
Date: December 21, 2018
Bugs: #673234
ID: 201812-09

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Synopsis
========

Multiple vulnerabilities have been found in Go, the worst which could
lead to the execution of arbitrary code.

Background
==========

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 dev-lang/go < 1.10.7 >= 1.10.7

Description
===========

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages the ‘go get -u’ command.

The remote attacker could also craft pathological inputs causing a CPU
based Denial of Service condition via the crypto/x509 package.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Go users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-lang/go-1.10.7”

References
==========

[ 1 ] CVE-2018-16873
<a class=”moz-txt-link-freetext” href=”https://nvd.nist.gov/vuln/detail/CVE-2018-16873″>https://nvd.nist.gov/vuln/detail/CVE-2018-16873</a>
[ 2 ] CVE-2018-16874
<a class=”moz-txt-link-freetext” href=”https://nvd.nist.gov/vuln/detail/CVE-2018-16874″>https://nvd.nist.gov/vuln/detail/CVE-2018-16874</a>
[ 3 ] CVE-2018-16875
<a class=”moz-txt-link-freetext” href=”https://nvd.nist.gov/vuln/detail/CVE-2018-16875″>https://nvd.nist.gov/vuln/detail/CVE-2018-16875</a>

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

<a class=”moz-txt-link-freetext” href=”https://security.gentoo.org/glsa/201812-09″>https://security.gentoo.org/glsa/201812-09</a>

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
<a class=”moz-txt-link-abbreviated” href=”mailto:security@gentoo.org”>security@gentoo.org</a> or alternatively, you may file a bug at
<a class=”moz-txt-link-freetext” href=”https://bugs.gentoo.org”>https://bugs.gentoo.org</a>.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

<a class=”moz-txt-link-freetext” href=”https://creativecommons.org/licenses/by-sa/2.5″>https://creativecommons.org/licenses/by-sa/2.5</a></pre>
</body>
</html>
—–BEGIN PGP PUBLIC KEY BLOCK—–

mQENBFtCkdwBCAC7LGb65KM8ZhysEDzbBnggTsUMXMZ3pJWFQtLaxm8f99p2HL9G
FcEP94A6BXExWzMcIba/AdL0ogU2mS/Jbs7DHUFVRT3yQDtiq+md5h3hZvi52QyR
lELWG9ElDLuUse5E58WJgLx+SXD5qgUowqTgCzNbXAJQNKQtNWIC+Zy29m53Xj8y
BnRsRuwd0kO/Zn7DJL5dCKL2ItzfJNpG5MTayLyNkl3QgCqPPFsQEd7aqqqhxq1p
n/dwX22vyMJwsv/6SV5vaNTYSg9p8hVnr3mLVYg6/UIvwAIgNJKhQlG1bkoOq5+j
gq8a7GdRUeY8fHSqLERucmal8fBqWmvZH+jRABEBAAG0Ik1pa2xlIEtvbHlhZGEg
PHpsb2dlbmVAZ2VudG9vLm9yZz6JAVQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYC
AwECHgECF4AWIQRRPEwdu6XuhrjZQ70+fhwhqdFLlwUCW2fApgUJBEPeygAKCRA+
fhwhqdFLl7CeB/9qYF51wrMuzpLW/znrH0YZmYo9pm7kmLxbWezJH74hH97rJOer
X+RoNR0nAGrBdZzObiHWhXah5BFrln8Fyv8oE5IDnO9OCN+PE8hXSSSYv6VvtNX6
FXgMaqvRXC5kd1/ugvpPmwbbfTp0uasRATjlsXSfb7FAMLAcP2lYbv1dFA2mUHNC
tFtIg7Zu+KJTXyeNwPEXrMtgt4j3zL96Drq1AOxkR5D5pPYnzJG+xrOpRoarXVjC
I6MsYYKd+E6WRQPIgkeY4mxKFBK3sSNQMAY+FNiWNK3G4529zCLzekv4KQHDSRnf
OhfevOogiUCnNUWl9pRDI7uRfSjP0JZwwLi2iQFUBBMBCAA+FiEEUTxMHbul7oa4
2UO9Pn4cIanRS5cFAltCkdwCGwMFCQWjmoAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AACgkQPn4cIanRS5dyZAgAhPdVONCC3WnRpGu6wQjPEbuzD002MxSPgLwXDprG
yc1DW03YkDP2AdDpLCq7t6nYbsqkhptUOlAFPuIHTGHQayCJPRUCV9prhHywjAKL
FOwwWrhqDF6L+noQ1/G6E4UjtCCz+wvM0P0xo/NuNsdJCFMAT2OzheuMgD96H5UB
ypC2437zGof+s2a3SydM1nlDrr95slJbjQw8uqleGXmZc/d862R45cDGahnjoCyA
Cr6tt3ZySTWPokJujhDjCAmvcyQj/bKfSnL3ebdEtVybwLmyF1mOzlx5Pon2smkO
gT0y5wcsaIJ6lLViGf6dDpMUefec78XnGxBxwldB+WzEarkBDQRbQpIkAQgApF3j
Xmo4Pn+lygxiTh58TLNz1Hmmqsd+sEZHr81o2NtFcM0mDqts53Vz//Us+5qyXNmk
EV0gH20nib7CJxv48gSN789i5uqUcdxZMx2rY5YuZRIbTOgkCKX2fUadfGIiX645
2of91HrAXpGwTqLsUL+tfPM/x3YpaLeqKb4da3dbARO7oAfcOxNdXvdm0S37swsW
v4ChLtgpx9/M6uT0FLxVcUWLinlVw2khWXPSBTbsrE1uRGTmqMC+sHnmBZLQoZrz
kf1pUlgSJJq6kUsKiVqI9MNlQ7f6cwBNEbUNYM7THKcyji0n8j64D991AG+1WP34
zsKIIKhUtL93RII/8wARAQABiQJyBBgBCAAmFiEEUTxMHbul7oa42UO9Pn4cIanR
S5cFAltCkiQCGwIFCQHhM4ABQAkQPn4cIanRS5fAdCAEGQEIAB0WIQRabIEacj4S
KHDp03wcgJAkipWXxwUCW0KSJAAKCRAcgJAkipWXx9DMB/9326kinWmCwELyJ7x/
A3qZUyIT+7jguKbJYGb8bzXdrS63FggbXSgEZCiOrQu45otEGb929nPCXum0PAg6
5uu8BfLq4ZjRI6757TmwpLvfQ+bkChGwHHZQN0EieDdeX/3oWUhLyMMsNiBiHQVN
egpvpM2htYkPxxpoVLUYL+IOKXwBoVlxM8u0+10OkLat1DM4d+WhWMOT3cJkNQQZ
v85dJ86c2T3eZ9c6gK7ZCbBv5so55q9Q9/n7I2I8XPPX+S2e4ZdmuCyiNFTab6mL
IPfNbGKwu4Muo/wZKpik2m3UnJFNdfr4Wo5wakW/92Kd44lcUlpFfBWzTPcjBdiv
f3hrfkoH/RO3h3SF6lomAOuRpsQ5VRP6uSteksXBdsQRmjTnRH6+q5W4FGpAar1S
D5nt+3ZoKINqVbIsFYMWk5eykIXTT0Y16rSNqR+RprH02DpF9bKJDYUsDSJy6Oar
3sxx+3M+FUXODrqz5OrH3gkbFg569NyNNf+xESm1F1x3lIwMwAl87/BKy96PW/NM
65s8XsEZKdf9XEhxLY8nPDcbEsUd3nCP82QlDaBA10wheYzY7gSvAx1f88X5yLyg
dZc6Fo2b+9ezviNdtiqsrIPb3mAbdv65jY/muxfbX4GWCnzEmbnoXfuNajim+4qQ
uqku4L0JTMOsjCPq9BkHQd1Kx1rnRBO5AQ0EW0KT9AEIAK6E3GSqIPUE962Bejw1
kVZNTAbCYAzOV5dmpmaj+U1ThMF4EDbun+a8LHwDUagnbEn4Z96HWJj1qGMtYUQh
WXl3AxHOpebRuSURrfUiMawhT7H536WNoeZZfcnMYr3in94PsVDu9lBLQ2Pe/VtC
2dv8cQzmlneVxirfg5p3LMeLzJLQoueGuDNyVpyyan8eZz+4CFlzas6hBFBSGdjW
yRaT7vPY284JVXIH6Vlag4q5zpNe8IdQteWBZGR5XpPhK8G7H0toRhEqqSUbuatz
GrWFmL1cBoApHbTkcFoLlSnQUt7DhKPiBSLHJIJZ0d5avhJV43ur1RaqXCQAdCvQ
DDEAEQEAAYkBPAQYAQgAJhYhBFE8TB27pe6GuNlDvT5+HCGp0UuXBQJbQpP0AhsM
BQkB4TOAAAoJED5+HCGp0UuXw5oIALku6SiOXMKD6GwsNdIa3TNqPvnVkZ1SNxGS
RTxShuMnnu0aoG/KeX+ymNyZxmuC4UFKcD/7E4p8YLqRzOvwfg46QAhTyibBLWuK
RxDZDNh9PHmEiWFVwpdUIk661HeGBt2ecoQGGS77Hw7AayqS8KdHPRPzi/AWGe9i
9WDg2fYf+w510ENlBrpukhlKmlvVHaxzg/D3O58Yuh3TYMvXp48WCtxbnnYea14i
JfBhLHn8Nm7xHCD8diH9FcNo1k0PI7lgT9dF8/dDuiR8SgYr+iMd6YHmIOLvlE9L
AKvVzNMR7BkcZAFz7JlEYdVei6zFeeoWWTwwBRa6JcmeBW0x5Wo=
=k4pb
—–END PGP PUBLIC KEY BLOCK—–
—–BEGIN PGP SIGNATURE—–

iQEzBAEBCAAdFiEEWmyBGnI+Eihw6dN8HICQJIqVl8cFAlwc1jQACgkQHICQJIqV
l8fkBQf+NjoiLsIvJobDU/lWkH4QHN1uOVMPyTi6DC+4zvDhrUSWTXWZp7FmRAoS
HWnsqAB6ooYYwNwe/FyhWxeQZi68jC5UR82DZqsuiWZ/N/F6eD62+pERaFdZmlGl
bQABPZ+hLLfsUs1jiz/swH3kfz1trZNHzGqE9qpW+wfX0yFbe+e0fjRCxNoQLh22
NgTFbWQpz0UANjNZ9YmT/52bKt83wDT0gMu2q53RVUPyk1PtI7Q2q9MBQsmAGc7q
zb0BBDNSF5g2pKi3gnCt6e+rsRv0oQDpprl0XOqLUNqXDOVGvyOQwYfr+g6zaV3K
yRl6xrCpjmrOKI5p7Juk6SO4/w+N6w==
=KEwa
—–END PGP SIGNATURE—–

AutorToni Vugdelija
Cert idNCERT-REF-2018-12-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Top
More in Preporuke
Sigurnosni nedostaci programskog paketa keepalived

Otkriveni su sigurnosni nedostaci u programskom paketu keepalived za operacijski sustav openSUSE. Otkriveni nedostaci potencijalnim napadačima omogućuju izvršavanje proizvoljnog programskog...

Close