The “go get” implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for “://” anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 9 | all | golang-1.7 | < 1.7.4-2+deb9u1 | golang-1.7_1.7.4-2+deb9u1_all.deb |
Debian | 9 | all | golang-1.8 | < 1.8.1-1+deb9u1 | golang-1.8_1.8.1-1+deb9u1_all.deb |