rpm package
opensuse/go1.9&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/go1.9&distro=openSUSE%20Tumbleweed
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-7187 | Hig | 8.8 | < 1.9.7-11.2 | 1.9.7-11.2 | Feb 16, 2018 | The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | |
| CVE-2018-6574 | Hig | 7.8 | < 1.9.7-11.2 | 1.9.7-11.2 | Feb 7, 2018 | Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. | |
| CVE-2017-15042 | Med | 5.9 | < 1.9.7-11.2 | 1.9.7-11.2 | Oct 5, 2017 | An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, | |
| CVE-2017-15041 | Cri | 9.8 | < 1.9.7-11.2 | 1.9.7-11.2 | Oct 5, 2017 | Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository in | |
| CVE-2017-8932 | Med | 5.9 | < 1.9.7-11.2 | 1.9.7-11.2 | Jul 6, 2017 | A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input | |
| CVE-2016-5386 | Hig | 8.1 | < 1.9.7-11.2 | 1.9.7-11.2 | Jul 19, 2016 | The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to | |
| CVE-2016-3959 | Hig | 7.5 | < 1.9.7-11.2 | 1.9.7-11.2 | May 23, 2016 | The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses | |
| CVE-2015-8618 | Hig | 7.5 | < 1.9.7-11.2 | 1.9.7-11.2 | Jan 27, 2016 | The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors. | |
| CVE-2014-7189 | — | < 1.9.7-11.2 | 1.9.7-11.2 | Oct 7, 2014 | crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. |
- affected < 1.9.7-11.2fixed 1.9.7-11.2
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
- affected < 1.9.7-11.2fixed 1.9.7-11.2
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
- affected < 1.9.7-11.2fixed 1.9.7-11.2
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement,
- affected < 1.9.7-11.2fixed 1.9.7-11.2
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository in
- affected < 1.9.7-11.2fixed 1.9.7-11.2
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input
- affected < 1.9.7-11.2fixed 1.9.7-11.2
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to
- affected < 1.9.7-11.2fixed 1.9.7-11.2
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses
- affected < 1.9.7-11.2fixed 1.9.7-11.2
The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.
- CVE-2014-7189Oct 7, 2014affected < 1.9.7-11.2fixed 1.9.7-11.2
crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.