{"id": "PHOTONOS_PHSA-2018-2_0-0034.NASL", "bulletinFamily": "scanner", "title": "Photon OS 2.0 : go (PhotonOS-PHSA-2018-2.0-0034) (deprecated)", "description": "An update of {'go'} packages of Photon OS has been released.", "published": "2018-07-24T00:00:00", "modified": "2019-02-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=111295", "reporter": "Tenable", "references": ["http://www.nessus.org/u?61c96778"], "cvelist": ["CVE-2018-7187"], "type": "nessus", "lastseen": "2019-02-08T12:47:39", "edition": 4, "viewCount": 0, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2019-02-08T12:47:39", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-7187"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:4306-1", "OPENSUSE-SU-2018:1811-1", "OPENSUSE-SU-2018:1807-1", "OPENSUSE-SU-2018:4302-1"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-1294.NASL", "PHOTONOS_PHSA-2018-1_0-0123_GO.NASL", "OPENSUSE-2018-672.NASL", "ALA_ALAS-2018-975.NASL", "OPENSUSE-2019-482.NASL", "GENTOO_GLSA-201804-12.NASL", "FEDORA_2018-FE65C14082.NASL", "PHOTONOS_PHSA-2018-1_0-0123.NASL", "DEBIAN_DSA-4379.NASL", "PHOTONOS_PHSA-2018-2_0-0034_GO.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310874258", "OPENVAS:1361412562310851798", "OPENVAS:1361412562310704379", "OPENVAS:1361412562310852218", "OPENVAS:1361412562310891294", "OPENVAS:1361412562310704380"]}, {"type": "gentoo", "idList": ["GLSA-201804-12"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4379-1:C92FB", "DEBIAN:DLA-1294-1:4E0F9", "DEBIAN:DSA-4380-1:D1988"]}, {"type": "fedora", "idList": ["FEDORA:494C2601C687", "FEDORA:AC0546074A4F"]}, {"type": "amazon", "idList": ["ALAS-2018-975"]}], "modified": "2019-02-08T12:47:39", "rev": 2}, "vulnersScore": 6.8}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0034. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111295);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:50\");\n\n script_cve_id(\"CVE-2018-7187\");\n\n script_name(english:\"Photon OS 2.0 : go (PhotonOS-PHSA-2018-2.0-0034) (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of {'go'} packages of Photon OS has been released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-2-34\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?61c96778\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7187\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:go\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"go-1.9.4-2.ph2\",\n \"go-debuginfo-1.9.4-2.ph2\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"go\");\n}\n", "naslFamily": "PhotonOS Local Security Checks", "pluginID": "111295", "cpe": ["p-cpe:/a:vmware:photonos:go", "cpe:/o:vmware:photonos:2.0"], "scheme": null}

{"cve": [{"lastseen": "2020-12-09T20:25:46", "description": "The \"go get\" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for \"://\" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-16T17:29:00", "title": "CVE-2018-7187", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": true}, "cvelist": ["CVE-2018-7187"], "modified": "2019-02-28T18:37:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-7187", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7187", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}], "suse": [{"lastseen": "2018-06-23T17:16:09", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187"], "description": "This update for go1.9 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-7187: arbitrary command execution via VCS path (boo#1081495)\n\n Non-security changes:\n\n - Update to version 1.9.7\n - fixes to the go command and compiler\n - minimal support to the go command for the vgo transition\n\n", "edition": 1, "modified": "2018-06-23T15:10:51", "published": "2018-06-23T15:10:51", "id": "OPENSUSE-SU-2018:1811-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00047.html", "title": "Security update for go1.9 (moderate)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-06-23T17:16:09", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187"], "description": "This update for go1.9 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-7187: arbitrary command execution via VCS path (boo#1081495)\n\n Non-security changes:\n\n - Update to version 1.9.7\n - fixes to the go command and compiler\n - minimal support to the go command for the vgo transition\n\n", "edition": 1, "modified": "2018-06-23T15:09:15", "published": "2018-06-23T15:09:15", "id": "OPENSUSE-SU-2018:1807-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00045.html", "title": "Security update for go1.9 (moderate)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-30T14:02:10", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187"], "description": "This update for go fixes the following issues:\n\n - golang: arbitrary command execution via VCS path (bsc#1081495,\n CVE-2018-7187)\n - Make profile.d/go.sh no longer set GOROOT=, in order to make switching\n between versions no longer break. This ends up removing the need for\n go.sh entirely (because GOPATH is also set automatically) (boo#1119634)\n - Fix a regression that broke go get for import path patterns containing\n &quot;...&quot; (bsc#1119706)\n\n Additionally, the package go1.10 has been added.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-12-29T15:09:17", "published": "2018-12-29T15:09:17", "id": "OPENSUSE-SU-2018:4302-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00074.html", "title": "Security update for go (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-30T14:02:10", "bulletinFamily": "unix", "cvelist": ["CVE-2018-16875", "CVE-2018-7187", "CVE-2018-16874", "CVE-2018-16873"], "description": "This update for containerd, docker and go fixes the following issues:\n\n containerd and docker:\n\n - Add backport for building containerd (bsc#1102522, bsc#1113313)\n - Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce.\n (bsc#1102522)\n - Enable seccomp support (fate#325877)\n - Update to containerd v1.1.1, which is the required version for the\n Docker v18.06.0-ce upgrade. (bsc#1102522)\n - Put containerd under the podruntime slice (bsc#1086185)\n - 3rd party registries used the default Docker certificate (bsc#1084533)\n - Handle build breakage due to missing 'export GOPATH' (caused by\n resolution of boo#1119634). I believe Docker is one of the only packages\n with this problem.\n\n go:\n\n - golang: arbitrary command execution via VCS path (bsc#1081495,\n CVE-2018-7187)\n - Make profile.d/go.sh no longer set GOROOT=, in order to make switching\n between versions no longer break. This ends up removing the need for\n go.sh entirely (because GOPATH is also set automatically) (boo#1119634)\n - Fix a regression that broke go get for import path patterns containing\n &quot;...&quot; (bsc#1119706)\n\n Additionally, the package go1.10 has been added.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-12-29T15:14:16", "published": "2018-12-29T15:14:16", "id": "OPENSUSE-SU-2018:4306-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00076.html", "title": "Security update for containerd, docker and go (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-06-04T16:41:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "description": "The remote host is missing an update for the ", "modified": "2020-06-03T00:00:00", "published": "2018-06-24T00:00:00", "id": "OPENVAS:1361412562310851798", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851798", "type": "openvas", "title": "openSUSE: Security Advisory for go1.9 (openSUSE-SU-2018:1811-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851798\");\n script_version(\"2020-06-03T08:38:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 08:38:58 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-24 05:45:54 +0200 (Sun, 24 Jun 2018)\");\n script_cve_id(\"CVE-2018-7187\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for go1.9 (openSUSE-SU-2018:1811-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'go1.9'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for go1.9 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-7187: arbitrary command execution via VCS path (boo#1081495)\n\n Non-security changes:\n\n - Update to version 1.9.7\n\n - fixes to the go command and compiler\n\n - minimal support to the go command for the vgo transition\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-672=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-672=1\");\n\n script_tag(name:\"affected\", value:\"go1.9 on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:1811-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00047.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"go\", rpm:\"go~1.9.7~37.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go-doc\", rpm:\"go-doc~1.9.7~37.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go1.9\", rpm:\"go1.9~1.9.7~10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go1.9-doc\", rpm:\"go1.9-doc~1.9.7~10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go-race\", rpm:\"go-race~1.9.7~37.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go1.9-race\", rpm:\"go1.9-race~1.9.7~10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-03-21T00:00:00", "id": "OPENVAS:1361412562310874258", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874258", "type": "openvas", "title": "Fedora Update for golang FEDORA-2018-c38e40a4bf", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_c38e40a4bf_golang_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for golang FEDORA-2018-c38e40a4bf\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874258\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-21 15:11:25 +0100 (Wed, 21 Mar 2018)\");\n script_cve_id(\"CVE-2018-7187\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for golang FEDORA-2018-c38e40a4bf\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'golang'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"golang on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-c38e40a4bf\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZKVEAK5ZG3B4FJLZVMX3HIQ73RHC4VW\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"golang\", rpm:\"golang~1.9.4~2.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T20:10:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "description": "It was discovered that there was an arbitrary command execution\nvulnerability in the Go programming language.\n\nThe ", "modified": "2020-01-29T00:00:00", "published": "2018-03-27T00:00:00", "id": "OPENVAS:1361412562310891294", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891294", "type": "openvas", "title": "Debian LTS: Security Advisory for golang (DLA-1294-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891294\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-7187\");\n script_name(\"Debian LTS: Security Advisory for golang (DLA-1294-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-03-27 00:00:00 +0200 (Tue, 27 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"golang on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in golang version\n2:1.0.2-1.1+deb7u3.\n\nWe recommend that you upgrade your golang packages. The Debian LTS team\nwould like to thank Abhijith PA for preparing this update.\");\n\n script_tag(name:\"summary\", value:\"It was discovered that there was an arbitrary command execution\nvulnerability in the Go programming language.\n\nThe 'go get' implementation did not correctly validate 'import path'\nstatements for '://' which allowed remote attackers to execute arbitrary\nOS commands via a crafted web site.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"golang\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-dbg\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-doc\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-go\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-mode\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-src\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"kate-syntax-go\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vim-syntax-go\", ver:\"2:1.0.2-1.1+deb7u3\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-04T18:46:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6486", "CVE-2018-7187"], "description": "A vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes a vulnerability in go get\n, which could\nresult in the execution of arbitrary shell commands.", "modified": "2019-07-04T00:00:00", "published": "2019-02-01T00:00:00", "id": "OPENVAS:1361412562310704379", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704379", "type": "openvas", "title": "Debian Security Advisory DSA 4379-1 (golang-1.7 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4379-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2019 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704379\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-7187\", \"CVE-2019-6486\");\n script_name(\"Debian Security Advisory DSA 4379-1 (golang-1.7 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-02-01 00:00:00 +0100 (Fri, 01 Feb 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4379.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2019 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"golang-1.7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 1.7.4-2+deb9u1.\n\nWe recommend that you upgrade your golang-1.7 packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/golang-1.7\");\n script_tag(name:\"summary\", value:\"A vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes a vulnerability in go get\n, which could\nresult in the execution of arbitrary shell commands.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.7\", ver:\"1.7.4-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.7-doc\", ver:\"1.7.4-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.7-go\", ver:\"1.7.4-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.7-src\", ver:\"1.7.4-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-04T18:46:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6486", "CVE-2018-7187", "CVE-2018-6574"], "description": "A vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes two vulnerabilities in go get\n, which\ncould result in the execution of arbitrary shell commands.", "modified": "2019-07-04T00:00:00", "published": "2019-02-01T00:00:00", "id": "OPENVAS:1361412562310704380", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704380", "type": "openvas", "title": "Debian Security Advisory DSA 4380-1 (golang-1.8 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4380-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2019 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704380\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-6574\", \"CVE-2018-7187\", \"CVE-2019-6486\");\n script_name(\"Debian Security Advisory DSA 4380-1 (golang-1.8 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-02-01 00:00:00 +0100 (Fri, 01 Feb 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4380.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2019 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"golang-1.8 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 1.8.1-1+deb9u1.\n\nWe recommend that you upgrade your golang-1.8 packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/golang-1.8\");\n script_tag(name:\"summary\", value:\"A vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes two vulnerabilities in go get\n, which\ncould result in the execution of arbitrary shell commands.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.8\", ver:\"1.8.1-1+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.8-doc\", ver:\"1.8.1-1+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.8-go\", ver:\"1.8.1-1+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"golang-1.8-src\", ver:\"1.8.1-1+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-04T15:57:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-16875", "CVE-2018-7187", "CVE-2018-16874", "CVE-2018-16873"], "description": "The remote host is missing an update for the ", "modified": "2020-06-03T00:00:00", "published": "2019-01-01T00:00:00", "id": "OPENVAS:1361412562310852218", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852218", "type": "openvas", "title": "openSUSE: Security Advisory for containerd (openSUSE-SU-2018:4306-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852218\");\n script_version(\"2020-06-03T08:38:58+0000\");\n script_cve_id(\"CVE-2018-16873\", \"CVE-2018-16874\", \"CVE-2018-16875\", \"CVE-2018-7187\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 08:38:58 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-01-01 04:00:47 +0100 (Tue, 01 Jan 2019)\");\n script_name(\"openSUSE: Security Advisory for containerd (openSUSE-SU-2018:4306-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:4306-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00076.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'containerd'\n package(s) announced via the openSUSE-SU-2018:4306-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for containerd, docker and go fixes the following issues:\n\n containerd and docker:\n\n - Add backport for building containerd (bsc#1102522, bsc#1113313)\n\n - Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce.\n (bsc#1102522)\n\n - Enable seccomp support (fate#325877)\n\n - Update to containerd v1.1.1, which is the required version for the\n Docker v18.06.0-ce upgrade. (bsc#1102522)\n\n - Put containerd under the podruntime slice (bsc#1086185)\n\n - 3rd party registries used the default Docker certificate (bsc#1084533)\n\n - Handle build breakage due to missing 'export GOPATH' (caused by\n resolution of boo#1119634). I believe Docker is one of the only packages\n with this problem.\n\n go:\n\n - golang: arbitrary command execution via VCS path (bsc#1081495,\n CVE-2018-7187)\n\n - Make profile.d/go.sh no longer set GOROOT=, in order to make switching\n between versions no longer break. This ends up removing the need for\n go.sh entirely (because GOPATH is also set automatically) (boo#1119634)\n\n - Fix a regression that broke go get for import path patterns containing\n '...' (bsc#1119706)\n\n Additionally, the package go1.10 has been added.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-1626=1\");\n\n script_tag(name:\"affected\", value:\"containerd, on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"go\", rpm:\"go~1.10.4~lp150.2.7.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go-doc\", rpm:\"go-doc~1.10.4~lp150.2.7.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd\", rpm:\"containerd~1.1.2~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd-ctr\", rpm:\"containerd-ctr~1.1.2~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd-kubic\", rpm:\"containerd-kubic~1.1.2~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd-kubic-ctr\", rpm:\"containerd-kubic-ctr~1.1.2~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker\", rpm:\"docker~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-debuginfo\", rpm:\"docker-debuginfo~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-debugsource\", rpm:\"docker-debugsource~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-kubic\", rpm:\"docker-kubic~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-kubic-debuginfo\", rpm:\"docker-kubic-debuginfo~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-kubic-debugsource\", rpm:\"docker-kubic-debugsource~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-kubic-test\", rpm:\"docker-kubic-test~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-kubic-test-debuginfo\", rpm:\"docker-kubic-test-debuginfo~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-libnetwork\", rpm:\"docker-libnetwork~0.7.0.1+gitr2664_3ac297bc7fd0~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-libnetwork-debuginfo\", rpm:\"docker-libnetwork-debuginfo~0.7.0.1+gitr2664_3ac297bc7fd0~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-libnetwork-kubic\", rpm:\"docker-libnetwork-kubic~0.7.0.1+gitr2664_3ac297bc7fd0~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"<br>docker-libnetwork-kubic-debuginfo\", rpm:\"<br>docker-libnetwork-kubic-debuginfo~0.7.0.1+gitr2664_3ac297bc7fd0~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc\", rpm:\"docker-runc~1.0.0rc5+gitr3562_69663f0bd4b6~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-debuginfo\", rpm:\"docker-runc-debuginfo~1.0.0rc5+gitr3562_69663f0bd4b6~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic\", rpm:\"docker-runc-kubic~1.0.0rc5+gitr3562_69663f0bd4b6~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-debuginfo\", rpm:\"docker-runc-kubic-debuginfo~1.0.0rc5+gitr3562_69663f0bd4b6~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-test\", rpm:\"docker-test~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-test-debuginfo\", rpm:\"docker-test-debuginfo~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go-race\", rpm:\"go-race~1.10.4~lp150.2.7.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go1.10\", rpm:\"go1.10~1.10.7~lp150.2.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go1.10-doc\", rpm:\"go1.10-doc~1.10.7~lp150.2.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"go1.10-race\", rpm:\"go1.10-race~1.10.7~lp150.2.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"golang-github-docker-libnetwork\", rpm:\"golang-github-docker-libnetwork~0.7.0.1+gitr2664_3ac297bc7fd0~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"<br>golang-github-docker-libnetwork-kubic\", rpm:\"<br>golang-github-docker-libnetwork-kubic~0.7.0.1+gitr2664_3ac297bc7fd0~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd-kubic-test\", rpm:\"containerd-kubic-test~1.1.2~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd-test\", rpm:\"containerd-test~1.1.2~lp150.4.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-bash-completion\", rpm:\"docker-bash-completion~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-kubic-bash-completion\", rpm:\"docker-kubic-bash-completion~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-kubic-zsh-completion\", rpm:\"docker-kubic-zsh-completion~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-test\", rpm:\"docker-runc-kubic-test~1.0.0rc5+gitr3562_69663f0bd4b6~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-test\", rpm:\"docker-runc-test~1.0.0rc5+gitr3562_69663f0bd4b6~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-zsh-completion\", rpm:\"docker-zsh-completion~18.06.1_ce~lp150.5.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"golang-packaging\", rpm:\"golang-packaging~15.0.11~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2018-04-16T03:20:36", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187"], "edition": 1, "description": "### Background\n\nGo is an open source programming language that makes it easy to build simple, reliable, and efficient software. \n\n### Description\n\nA vulnerability in Go was discovered which does not validate the import path of remote repositories. \n\n### Impact\n\nRemote attackers, by enticing a user to import from a crafted website, could execute arbitrary commands. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Go users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/go-1.10.1\"", "modified": "2018-04-15T00:00:00", "published": "2018-04-15T00:00:00", "href": "https://security.gentoo.org/glsa/201804-12", "id": "GLSA-201804-12", "title": "Go: Arbitrary code execution", "type": "gentoo", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:24", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187"], "description": "Package : golang\nVersion : 2:1.0.2-1.1+deb7u3\nCVE ID : CVE-2018-7187\n\nIt was discovered that there was an arbitrary command execution\nvulnerability in the Go programming language.\n\nThe &quot;go get&quot; implementation did not correctly validate &quot;import path&quot;\nstatements for &quot;://&quot; which allowed remote attackers to execute arbitrary\nOS commands via a crafted web site.\n\nFor Debian 7 &quot;Wheezy&quot;, this issue has been fixed in golang version\n2:1.0.2-1.1+deb7u3.\n\nWe recommend that you upgrade your golang packages. The Debian LTS team\nwould like to thank Abhijith PA for preparing this update.\n\n\nRegards,\n\n- -- \n ,&#x27;&#x27;`.\n : :&#x27; : Chris Lamb\n `. `&#x27;` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "edition": 3, "modified": "2018-02-25T15:59:27", "published": "2018-02-25T15:59:27", "id": "DEBIAN:DLA-1294-1:4E0F9", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201802/msg00029.html", "title": "[SECURITY] [DLA 1294-1] golang security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:58:06", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6486", "CVE-2018-7187"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4379-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nFebruary 01, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : golang-1.7\nCVE ID : CVE-2018-7187 CVE-2019-6486\n\nA vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes a vulnerability in &quot;go get&quot;, which could\nresult in the execution of arbitrary shell commands.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.7.4-2+deb9u1.\n\nWe recommend that you upgrade your golang-1.7 packages.\n\nFor the detailed security status of golang-1.7 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/golang-1.7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2019-02-01T14:38:32", "published": "2019-02-01T14:38:32", "id": "DEBIAN:DSA-4379-1:C92FB", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00018.html", "title": "[SECURITY] [DSA 4379-1] golang-1.7 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T01:00:36", "bulletinFamily": "unix", "cvelist": ["CVE-2019-6486", "CVE-2018-7187", "CVE-2018-6574"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4380-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nFebruary 01, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : golang-1.8\nCVE ID : CVE-2018-6574 CVE-2018-7187 CVE-2019-6486\n\nA vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes two vulnerabilities in &quot;go get&quot;, which\ncould result in the execution of arbitrary shell commands.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.8.1-1+deb9u1.\n\nWe recommend that you upgrade your golang-1.8 packages.\n\nFor the detailed security status of golang-1.8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/golang-1.8\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 14, "modified": "2019-02-01T14:40:18", "published": "2019-02-01T14:40:18", "id": "DEBIAN:DSA-4380-1:D1988", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00019.html", "title": "[SECURITY] [DSA 4380-1] golang-1.8 security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-02-08T12:48:14", "description": "An update of 'go' packages of Photon OS has been released.", "edition": 4, "published": "2018-08-17T00:00:00", "title": "Photon OS 1.0: Go PHSA-2018-1.0-0123 (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:go", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2018-1_0-0123.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111927", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-1.0-0123. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111927);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:50\");\n\n script_cve_id(\"CVE-2018-7187\");\n\n script_name(english:\"Photon OS 1.0: Go PHSA-2018-1.0-0123 (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of 'go' packages of Photon OS has been released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-1.0-123\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb133d1e\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7187\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:go\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"go-1.9.4-2.ph1\",\n \"go-debuginfo-1.9.4-2.ph1\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-1.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"go\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-17T22:39:39", "description": "An update of the go package has been released.", "edition": 8, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 2.0: Go PHSA-2018-2.0-0034", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:go", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2018-2_0-0034_GO.NASL", "href": "https://www.tenable.com/plugins/nessus/121932", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0034. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121932);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2018-7187\");\n\n script_name(english:\"Photon OS 2.0: Go PHSA-2018-2.0-0034\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the go package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-34.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:go\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"go-1.9.4-2.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"go-debuginfo-1.9.4-2.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"go\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T02:55:15", "description": "The remote host is affected by the vulnerability described in GLSA-201804-12\n(Go: Arbitrary code execution)\n\n A vulnerability in Go was discovered which does not validate the import\n path of remote repositories.\n \nImpact :\n\n Remote attackers, by enticing a user to import from a crafted website,\n could execute arbitrary commands.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 22, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-04-16T00:00:00", "title": "GLSA-201804-12 : Go: Arbitrary code execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:go"], "id": "GENTOO_GLSA-201804-12.NASL", "href": "https://www.tenable.com/plugins/nessus/109056", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201804-12.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109056);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/06/07 13:15:38\");\n\n script_cve_id(\"CVE-2018-7187\");\n script_xref(name:\"GLSA\", value:\"201804-12\");\n\n script_name(english:\"GLSA-201804-12 : Go: Arbitrary code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201804-12\n(Go: Arbitrary code execution)\n\n A vulnerability in Go was discovered which does not validate the import\n path of remote repositories.\n \nImpact :\n\n Remote attackers, by enticing a user to import from a crafted website,\n could execute arbitrary commands.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201804-12\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Go users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-lang/go-1.10.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:go\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-lang/go\", unaffected:make_list(\"ge 1.10.1\"), vulnerable:make_list(\"lt 1.10.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Go\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:38:20", "description": "This update for go1.9 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-7187: arbitrary command execution via VCS path\n (boo#1081495)\n\nNon-security changes :\n\n - Update to version 1.9.7\n\n - fixes to the go command and compiler\n\n - minimal support to the go command for the vgo transition", "edition": 16, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-25T00:00:00", "title": "openSUSE Security Update : go1.9 (openSUSE-2018-672)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2018-06-25T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:go", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:go-race", "p-cpe:/a:novell:opensuse:go1.9-race", "p-cpe:/a:novell:opensuse:go1.9"], "id": "OPENSUSE-2018-672.NASL", "href": "https://www.tenable.com/plugins/nessus/110681", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-672.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110681);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-7187\");\n\n script_name(english:\"openSUSE Security Update : go1.9 (openSUSE-2018-672)\");\n script_summary(english:\"Check for the openSUSE-2018-672 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for go1.9 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-7187: arbitrary command execution via VCS path\n (boo#1081495)\n\nNon-security changes :\n\n - Update to version 1.9.7\n\n - fixes to the go command and compiler\n\n - minimal support to the go command for the vgo transition\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1081495\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected go1.9 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go-race\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go1.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go1.9-race\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"go-1.9.7-lp150.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"go1.9-1.9.7-lp150.2.4.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"go-race-1.9.7-lp150.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"go1.9-race-1.9.7-lp150.2.4.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"go-1.9.7-37.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"go1.9-1.9.7-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"go-race-1.9.7-37.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"go1.9-race-1.9.7-10.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"go / go-race / go1.9 / go1.9-race\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:51:31", "description": "This update for go1.9 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-7187: arbitrary command execution via VCS path\n (boo#1081495)\n\nNon-security changes :\n\n - Update to version 1.9.7\n\n - fixes to the go command and compiler\n\n - minimal support to the go command for the vgo transition", "edition": 12, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-27T00:00:00", "title": "openSUSE Security Update : go1.9 (openSUSE-2019-482)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2019-03-27T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:go", "p-cpe:/a:novell:opensuse:go-race", "p-cpe:/a:novell:opensuse:go1.9-race", "p-cpe:/a:novell:opensuse:go1.9"], "id": "OPENSUSE-2019-482.NASL", "href": "https://www.tenable.com/plugins/nessus/123200", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-482.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123200);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-7187\");\n\n script_name(english:\"openSUSE Security Update : go1.9 (openSUSE-2019-482)\");\n script_summary(english:\"Check for the openSUSE-2019-482 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for go1.9 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-7187: arbitrary command execution via VCS path\n (boo#1081495)\n\nNon-security changes :\n\n - Update to version 1.9.7\n\n - fixes to the go command and compiler\n\n - minimal support to the go command for the vgo transition\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1081495\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected go1.9 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go-race\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go1.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:go1.9-race\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"go-1.9.7-lp150.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"go1.9-1.9.7-lp150.2.4.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"go-race-1.9.7-lp150.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"go1.9-race-1.9.7-lp150.2.4.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"go / go-race / go1.9 / go1.9-race\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:39:30", "description": "An update of the go package has been released.", "edition": 8, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Go PHSA-2018-1.0-0123", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:go", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2018-1_0-0123_GO.NASL", "href": "https://www.tenable.com/plugins/nessus/121818", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-1.0-0123. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121818);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2018-7187\");\n\n script_name(english:\"Photon OS 1.0: Go PHSA-2018-1.0-0123\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the go package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-123.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:go\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"go-1.9.4-2.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"go-debuginfo-1.9.4-2.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"go\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:39:05", "description": "It was discovered that there was an arbitrary command execution\nvulnerability in the Go programming language.\n\nThe 'go get' implementation did not correctly validate 'import path'\nstatements for '://' which allowed remote attackers to execute\narbitrary OS commands via a crafted website.\n\nFor Debian 7 'Wheezy', this issue has been fixed in golang version\n2:1.0.2-1.1+deb7u3.\n\nWe recommend that you upgrade your golang packages. The Debian LTS\nteam would like to thank Abhijith PA for preparing this update.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-02-26T00:00:00", "title": "Debian DLA-1294-1 : golang security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2018-02-26T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:golang-src", "p-cpe:/a:debian:debian_linux:vim-syntax-go", "p-cpe:/a:debian:debian_linux:golang-go", "p-cpe:/a:debian:debian_linux:kate-syntax-go", "p-cpe:/a:debian:debian_linux:golang-doc", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:golang-dbg", "p-cpe:/a:debian:debian_linux:golang-mode", "p-cpe:/a:debian:debian_linux:golang"], "id": "DEBIAN_DLA-1294.NASL", "href": "https://www.tenable.com/plugins/nessus/106985", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1294-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(106985);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-7187\");\n\n script_name(english:\"Debian DLA-1294-1 : golang security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was an arbitrary command execution\nvulnerability in the Go programming language.\n\nThe 'go get' implementation did not correctly validate 'import path'\nstatements for '://' which allowed remote attackers to execute\narbitrary OS commands via a crafted website.\n\nFor Debian 7 'Wheezy', this issue has been fixed in golang version\n2:1.0.2-1.1+deb7u3.\n\nWe recommend that you upgrade your golang packages. The Debian LTS\nteam would like to thank Abhijith PA for preparing this update.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/golang\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:golang-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:golang-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:golang-go\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:golang-mode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:golang-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kate-syntax-go\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:vim-syntax-go\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"golang\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"golang-dbg\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"golang-doc\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"golang-go\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"golang-mode\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"golang-src\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"kate-syntax-go\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"vim-syntax-go\", reference:\"2:1.0.2-1.1+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:22:43", "description": "Security fix for CVE-2018-7187\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : golang (2018-fe65c14082)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:golang", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-FE65C14082.NASL", "href": "https://www.tenable.com/plugins/nessus/120938", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-fe65c14082.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120938);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-7187\");\n script_xref(name:\"FEDORA\", value:\"2018-fe65c14082\");\n\n script_name(english:\"Fedora 28 : golang (2018-fe65c14082)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2018-7187\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-fe65c14082\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected golang package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"golang-1.10-2.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:20:08", "description": "Arbitrary code execution during 'go get' via C compiler options :\n\nAn arbitrary command execution flaw was found in the way Go's 'go get'\ncommand handled gcc and clang sensitive options during the build. A\nremote attacker capable of hosting malicious repositories could\npotentially use this flaw to cause arbitrary command execution on the\nclient side. (CVE-2018-6574)\n\nThe 'go get' implementation in Go 1.9.4, when the -insecure\ncommand-line option is used, does not validate the import path\n(get/vcs.go only checks for '://' anywhere in the string), which\nallows remote attackers to execute arbitrary OS commands via a crafted\nwebsite. (CVE-2018-7187)", "edition": 24, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-03-27T00:00:00", "title": "Amazon Linux AMI : golang (ALAS-2018-975)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7187", "CVE-2018-6574"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:golang-docs", "p-cpe:/a:amazon:linux:golang-misc", "p-cpe:/a:amazon:linux:golang-src", "p-cpe:/a:amazon:linux:golang-bin", "p-cpe:/a:amazon:linux:golang", "p-cpe:/a:amazon:linux:golang-race", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:golang-tests"], "id": "ALA_ALAS-2018-975.NASL", "href": "https://www.tenable.com/plugins/nessus/108600", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-975.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108600);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/03/04 9:47:28\");\n\n script_cve_id(\"CVE-2018-6574\", \"CVE-2018-7187\");\n script_xref(name:\"ALAS\", value:\"2018-975\");\n\n script_name(english:\"Amazon Linux AMI : golang (ALAS-2018-975)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Arbitrary code execution during 'go get' via C compiler options :\n\nAn arbitrary command execution flaw was found in the way Go's 'go get'\ncommand handled gcc and clang sensitive options during the build. A\nremote attacker capable of hosting malicious repositories could\npotentially use this flaw to cause arbitrary command execution on the\nclient side. (CVE-2018-6574)\n\nThe 'go get' implementation in Go 1.9.4, when the -insecure\ncommand-line option is used, does not validate the import path\n(get/vcs.go only checks for '://' anywhere in the string), which\nallows remote attackers to execute arbitrary OS commands via a crafted\nwebsite. (CVE-2018-7187)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-975.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update golang' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-race\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:golang-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"golang-1.9.4-2.44.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-bin-1.9.4-2.44.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-docs-1.9.4-2.44.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-misc-1.9.4-2.44.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"golang-race-1.9.4-2.44.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-src-1.9.4-2.44.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"golang-tests-1.9.4-2.44.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"golang / golang-bin / golang-docs / golang-misc / golang-race / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T13:42:18", "description": "A vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes a vulnerability in 'go get', which could\nresult in the execution of arbitrary shell commands.", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-02-04T00:00:00", "title": "Debian DSA-4379-1 : golang-1.7 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6486", "CVE-2018-7187"], "modified": "2019-02-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:golang-1.7", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4379.NASL", "href": "https://www.tenable.com/plugins/nessus/121557", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4379. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121557);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/20\");\n\n script_cve_id(\"CVE-2018-7187\", \"CVE-2019-6486\");\n script_xref(name:\"DSA\", value:\"4379\");\n\n script_name(english:\"Debian DSA-4379-1 : golang-1.7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability was discovered in the implementation of the P-521 and\nP-384 elliptic curves, which could result in denial of service and in\nsome cases key recovery.\n\nIn addition this update fixes a vulnerability in 'go get', which could\nresult in the execution of arbitrary shell commands.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/golang-1.7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/golang-1.7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4379\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the golang-1.7 packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 1.7.4-2+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:golang-1.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"golang-1.7\", reference:\"1.7.4-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"golang-1.7-doc\", reference:\"1.7.4-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"golang-1.7-go\", reference:\"1.7.4-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"golang-1.7-src\", reference:\"1.7.4-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187"], "description": "The Go Programming Language. ", "modified": "2018-03-30T13:27:42", "published": "2018-03-30T13:27:42", "id": "FEDORA:AC0546074A4F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: golang-1.10-2.fc28", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187"], "description": "The Go Programming Language. ", "modified": "2018-03-20T18:25:24", "published": "2018-03-20T18:25:24", "id": "FEDORA:494C2601C687", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: golang-1.9.4-2.fc27", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:37:33", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7187", "CVE-2018-6574"], "description": "**Issue Overview:**\n\nArbitrary code execution during \"go get\" via C compiler options: \nAn arbitrary command execution flaw was found in the way Go&#x27;s &quot;go get&quot; command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. ([CVE-2018-6574 __](<https://access.redhat.com/security/cve/CVE-2018-6574>))\n\nThe \"go get\" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for \"://\" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. ([CVE-2018-7187 __](<https://access.redhat.com/security/cve/CVE-2018-7187>))\n\n \n**Affected Packages:** \n\n\ngolang\n\n \n**Issue Correction:** \nRun _yum update golang_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n golang-bin-1.9.4-2.44.amzn1.i686 \n golang-1.9.4-2.44.amzn1.i686 \n \n noarch: \n golang-tests-1.9.4-2.44.amzn1.noarch \n golang-docs-1.9.4-2.44.amzn1.noarch \n golang-src-1.9.4-2.44.amzn1.noarch \n golang-misc-1.9.4-2.44.amzn1.noarch \n \n src: \n golang-1.9.4-2.44.amzn1.src \n \n x86_64: \n golang-race-1.9.4-2.44.amzn1.x86_64 \n golang-1.9.4-2.44.amzn1.x86_64 \n golang-bin-1.9.4-2.44.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2018-03-21T22:13:00", "published": "2018-03-21T22:13:00", "id": "ALAS-2018-975", "href": "https://alas.aws.amazon.com/ALAS-2018-975.html", "title": "Medium: golang", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}