Using go get to fetch a module with the โ.gitโ suffix may unexpectedly
fallback to the insecure โgit://โ protocol if the module is unavailable via
the secure โhttps://โ and โgit+ssh://โ protocols, even if GOINSECURE is not
set for said module. This only affects users who are not using the module
proxy and are fetching modules directly (i.e. GOPROXY=off).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | golang-1.20 | <ย 1.20.3-1ubuntu0.1~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.20 | <ย 1.20.3-1ubuntu0.1~22.04.1 | UNKNOWN |
ubuntu | 23.04 | noarch | golang-1.20 | <ย 1.20.3-1ubuntu0.2 | UNKNOWN |
ubuntu | 23.10 | noarch | golang-1.20 | <ย 1.20.8-1ubuntu0.23.10.1 | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.21 | <ย 1.21.1-1~ubuntu20.04.2 | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.21 | <ย 1.21.1-1~ubuntu22.04.2 | UNKNOWN |
ubuntu | 23.04 | noarch | golang-1.21 | <ย 1.21.1-1~ubuntu23.04.2 | UNKNOWN |
ubuntu | 23.10 | noarch | golang-1.21 | <ย 1.21.1-1ubuntu0.23.10.1 | UNKNOWN |
github.com/golang/go/commit/23c943e5296c6fa3a6f9433bd929306c4dbf2aa3 (go1.21.5)
github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd (go1.20.12)
go.dev/issue/63845
launchpad.net/bugs/cve/CVE-2023-45285
nvd.nist.gov/vuln/detail/CVE-2023-45285
security-tracker.debian.org/tracker/CVE-2023-45285
ubuntu.com/security/notices/USN-6574-1
www.cve.org/CVERecord?id=CVE-2023-45285