Lucene search

K
debiancveDebian Security Bug TrackerDEBIANCVE:CVE-2017-15042
HistoryOct 05, 2017 - 9:29 p.m.

CVE-2017-15042

2017-10-0521:29:00
Debian Security Bug Tracker
security-tracker.debian.org
16

EPSS

0.003

Percentile

68.9%

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn’t advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

OSVersionArchitecturePackageVersionFilename
Debian9allgolang-1.7<= 1.7.4-2+deb9u1golang-1.7_1.7.4-2+deb9u1_all.deb
Debian9allgolang-1.8<= 1.8.1-1+deb9u1golang-1.8_1.8.1-1+deb9u1_all.deb