(RHSA-2017:3463) Moderate: go-toolset-7 and go-toolset-7-golang security and bug fix update

2017-12-14T16:22:18
ID RHSA-2017:3463
Type redhat
Reporter RedHat
Modified 2017-12-14T16:24:18

Description

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

  • An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2017-15041)

  • It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application. (CVE-2017-15042)

Bug Fix(es):

  • Previously, the enable script for the go-toolset-7 Software Collection incorrectly set the GOPATH environment variable to a directory that required root permissions for write operations. As a consequence, the go compiler terminated unexpectedly when performing certain commands. The enable script has been changed to handle GOPATH correctly, and the described problem no longer occurs. (BZ#1512013)