VYPR

rpm package

opensuse/go1.9&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/go1.9&distro=openSUSE%20Tumbleweed

Vulnerabilities (9)

  • CVE-2018-7187HigFeb 16, 2018
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

  • CVE-2018-6574HigFeb 7, 2018
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

  • CVE-2017-15042MedOct 5, 2017
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement,

  • CVE-2017-15041CriOct 5, 2017
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository in

  • CVE-2017-8932MedJul 6, 2017
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input

  • CVE-2016-5386HigJul 19, 2016
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to

  • CVE-2016-3959HigMay 23, 2016
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses

  • CVE-2015-8618HigJan 27, 2016
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.

  • CVE-2014-7189Oct 7, 2014
    affected < 1.9.7-11.2fixed 1.9.7-11.2

    crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.