Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-2592-1:6DFC9
HistoryMar 13, 2021 - 6:37 p.m.

[SECURITY] [DLA 2592-1] golang-1.8 security update

2021-03-1318:37:54
lists.debian.org
46

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.6%

JSON

Debian LTS Advisory DLA-2592-1 [email protected]
https://www.debian.org/lts/security/ Sylvain Beucler
March 13, 2021 https://wiki.debian.org/LTS

Package : golang-1.8
Version : 1.8.1-1+deb9u3
CVE ID : CVE-2017-15041 CVE-2018-16873 CVE-2018-16874 CVE-2019-9741
CVE-2019-16276 CVE-2019-17596 CVE-2021-3114
Debian Bug : 924630 941173 942628 942629

Several vulnerabilities were discovered in the Go programming
language. An attacker could trigger a denial-of-service (DoS), bypasss
access control, and execute arbitrary code on the developer's
computer.

CVE-2017-15041

 Go allows "go get" remote command execution. Using custom
 domains, it is possible to arrange things so that
 example.com/pkg1 points to a Subversion repository but
 example.com/pkg1/pkg2 points to a Git repository. If the
 Subversion repository includes a Git checkout in its pkg2
 directory and some other work is done to ensure the proper
 ordering of operations, "go get" can be tricked into reusing this
 Git checkout for the fetch of code from pkg2. If the Subversion
 repository's Git checkout has malicious commands in .git/hooks/,
 they will execute on the system running "go get."

CVE-2018-16873

The "go get" command is vulnerable to remote code execution when
executed with the -u flag and the import path of a malicious Go
package, as it may treat the parent directory as a Git repository
root, containing malicious configuration.

CVE-2018-16874

The "go get" command is vulnerable to directory traversal when
executed with the import path of a malicious Go package which
contains curly braces (both '{' and '}' characters). The attacker
can cause an arbitrary filesystem write, which can lead to code
execution.

CVE-2019-9741

In net/http, CRLF injection is possible if the attacker controls a
url parameter, as demonstrated by the second argument to
http.NewRequest with \r\n followed by an HTTP header or a Redis
command.

CVE-2019-16276

Go allows HTTP Request Smuggling.

CVE-2019-17596

Go can panic upon an attempt to process network traffic containing
an invalid DSA public key. There are several attack scenarios,
such as traffic from a client to a server that verifies client
certificates.

CVE-2021-3114

crypto/elliptic/p224.go can generate incorrect outputs, related to
an underflow of the lowest limb during the final complete
reduction in the P-224 field.

For Debian 9 stretch, these problems have been fixed in version
1.8.1-1+deb9u3.

We recommend that you upgrade your golang-1.8 packages.

For the detailed security status of golang-1.8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9i386golang-1.7-go< 1.7.4-2+deb9u3golang-1.7-go_1.7.4-2+deb9u3_i386.deb
Debian8allgolang-go-freebsd-386< 2:1.3.3-1+deb8u2golang-go-freebsd-386_2:1.3.3-1+deb8u2_all.deb
Debian9allgolang-1.8< 1.8.1-1+deb9u3golang-1.8_1.8.1-1+deb9u3_all.deb
Debian9armhfgolang-1.8-go< 1.8.1-1+deb9u3golang-1.8-go_1.8.1-1+deb9u3_armhf.deb
Debian9allgolang-1.7-doc< 1.7.4-2+deb9u3golang-1.7-doc_1.7.4-2+deb9u3_all.deb
Debian8armelgolang-go-linux-386< 2:1.3.3-1+deb8u2golang-go-linux-386_2:1.3.3-1+deb8u2_armel.deb
Debian8i386golang-go-linux-386< 2:1.3.3-1+deb8u2golang-go-linux-386_2:1.3.3-1+deb8u2_i386.deb
Debian9armhfgolang-1.7-src< 1.7.4-2+deb9u3golang-1.7-src_1.7.4-2+deb9u3_armhf.deb
Debian8armelgolang-go-linux-arm< 2:1.3.3-1+deb8u2golang-go-linux-arm_2:1.3.3-1+deb8u2_armel.deb
Debian8allgolang-go-windows-amd64< 2:1.3.3-1+deb8u2golang-go-windows-amd64_2:1.3.3-1+deb8u2_all.deb
Rows per page:
1-10 of 581

Related

nessus 49
openvas 40
osv 13
debian 5
suse 14
ibm 9
oraclelinux 2
redhat 4
fedora 9
mageia 3
gentoo 1
archlinux 6
arista 2
amazon 3
photon 3
veracode 6
prion 4
debiancve 3
redhatcve 5
cve 6
ubuntucve 4
altlinux 2
cloudfoundry 2
symantec 1
githubexploit 1
filippoio 1
alpinelinux 1
nessus
nessus
Debian DLA-2592-1 : golang-1.8 security update
2021-03-15 00:00:00
Debian DLA-2591-1 : golang-1.7 security update
2021-03-15 00:00:00
RHEL 8 : go-toolset:rhel8 (RHSA-2020:0329)
2020-02-05 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-2591-1)
2021-03-14 00:00:00
Debian: Security Advisory (DLA-2592-1)
2021-03-14 00:00:00
openSUSE: Security Advisory for go1.12 (openSUSE-SU-2019:2522-1)
2020-01-09 00:00:00
osv
osv
golang-1.8 - security update
2021-03-13 00:00:00
golang-1.7 - security update
2021-03-13 00:00:00
golang - security update
2017-10-27 00:00:00
debian
debian
[SECURITY] [DLA 2591-1] golang-1.7 security update
2021-03-13 18:37:17
[SECURITY] [DLA 1148-1] golang security update
2017-10-27 15:43:41
[SECURITY] [DLA 1749-1] golang security update
2019-04-03 15:14:12
suse
suse
Security update for go1.12 (moderate)
2019-11-17 00:00:00
Security update for go1.12 (moderate)
2019-11-17 00:00:00
Security update for helm (moderate)
2019-07-14 00:00:00
ibm
ibm
Security Bulletin: IBM API Connect is impacted by vulnerabilities in Golang (CVE-2019-17596 CVE-2019-16276)
2020-02-27 19:03:56
Security Bulletin: IBM Cloud Private for Data is affected by multiple vulnerabilties in Go Language (CVE-2018-16874, CVE-2018-16873, CVE-2018-16875)
2019-10-03 22:50:40
Security Bulletin: Multiple Vulnerabilities in Go affects IBM Watson Studio Local
2019-12-20 13:58:07
oraclelinux
oraclelinux
go-toolset:ol8 security update
2020-02-17 00:00:00
go-toolset:rhel8 security update
2019-07-30 00:00:00
redhat
redhat
(RHSA-2020:0101) Moderate: go-toolset-1.12-golang security update
2020-01-14 08:24:12
(RHSA-2020:0329) Moderate: go-toolset:rhel8 security update
2020-02-04 08:35:13
(RHSA-2019:1300) Moderate: go-toolset-1.11-golang security update
2019-05-30 15:16:14
fedora
fedora
[SECURITY] Fedora 29 Update: golang-1.11.6-1.fc29
2019-04-10 07:36:54
[SECURITY] Fedora 29 Update: golang-1.11.13-2.fc29
2019-10-14 16:48:25
[SECURITY] Fedora 28 Update: golang-1.10.7-1.fc28
2019-01-11 03:00:42
mageia
mageia
Updated docker packages fix security vulnerability
2019-05-19 14:27:30
Updated golang packages fix security vulnerability
2019-02-13 14:08:25
Updated golang packages fix security vulnerability
2019-11-02 19:54:34
gentoo
gentoo
Go: Multiple vulnerabilities
2018-12-21 00:00:00
archlinux
archlinux
[ASA-201812-12] go-pie: multiple issues
2018-12-18 00:00:00
[ASA-201812-11] go: multiple issues
2018-12-18 00:00:00
[ASA-201910-12] go: denial of service
2019-10-21 00:00:00
arista
arista
Security Advisory 0039
2019-01-16 00:00:00
Security Advisory 0046
2020-03-23 00:00:00
amazon
amazon
Important: golang
2018-12-14 18:50:00
Medium: golang
2019-07-17 23:28:00
Medium: golang
2019-10-21 18:01:00
photon
photon
Critical Photon OS Security Update - PHSA-2019-0023
2019-07-04 00:00:00
Critical Photon OS Security Update - PHSA-2019-3.0-0023
2019-07-03 00:00:00
Critical Photon OS Security Update - PHSA-2019-0037
2019-11-01 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2017-10-06 01:57:43
Remote Code Execution (RCE)
2019-01-15 09:20:33
CRLF Injection
2019-03-15 01:13:53
prion
prion
Crlf injection
2019-03-13 08:29:00
Directory traversal
2018-12-14 14:29:00
Design/Logic Flaw
2017-10-05 21:29:00
debiancve
debiancve
CVE-2019-9741
2019-03-13 08:29:00
CVE-2019-17596
2019-10-24 22:15:00
CVE-2017-15041
2017-10-05 21:29:00
redhatcve
redhatcve
CVE-2019-9741
2019-10-10 17:51:39
CVE-2018-16874
2018-12-14 02:21:18
CVE-2019-17596
2021-08-17 05:31:43
cve
cve
CVE-2019-9741
2019-03-13 08:29:00
CVE-2018-16874
2018-12-14 14:29:00
CVE-2017-15041
2017-10-05 21:29:00
ubuntucve
ubuntucve
CVE-2019-9741
2019-03-13 00:00:00
CVE-2017-15041
2017-10-05 00:00:00
CVE-2019-17596
2019-10-24 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.12.11-alt1
2019-11-06 00:00:00
Security fix for the ALT Linux 10 package golang version 1.13.4-alt1
2019-11-06 00:00:00
cloudfoundry
cloudfoundry
CVE-2019-17596: x509 parsing in Golang can cause panic | Cloud Foundry
2019-12-16 00:00:00
CVE-2019-17596: x509 parsing in Golang can cause panic | Cloud Foundry
2019-12-16 00:00:00
symantec
symantec
Golang Go CVE-2019-17596 Remote Denial of Service Vulnerability
2019-10-15 00:00:00
githubexploit
githubexploit
Exploit for Interpretation Conflict in Golang Go
2019-10-19 23:32:02
filippoio
filippoio
DSA Is Past Its Prime
2020-07-03 22:00:00
alpinelinux
alpinelinux
CVE-2019-17596
2019-10-24 22:15:00

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.6%

JSON
Related for DEBIAN:DLA-2592-1:6DFC9
nessus49openvas40osv13debian5suse14ibm9oraclelinux2redhat4fedora9mageia3gentoo1archlinux6arista2amazon3photon3veracode6prion4debiancve3redhatcve5cve6ubuntucve4altlinux2cloudfoundry2symantec1githubexploit1filippoio1alpinelinux1