rpm package
suse/go&distro=SUSE Package Hub 15
pkg:rpm/suse/go&distro=SUSE%20Package%20Hub%2015
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-5736 | — | < 1.12-bp150.2.6.1 | 1.12-bp150.2.6.1 | Feb 11, 2019 | runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new conta | ||
| CVE-2019-6486 | — | < 1.12-bp150.2.6.1 | 1.12-bp150.2.6.1 | Jan 24, 2019 | Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. | ||
| CVE-2018-16875 | — | < 1.12-bp150.2.6.1 | 1.12-bp150.2.6.1 | Dec 14, 2018 | The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates | ||
| CVE-2018-16874 | — | < 1.12-bp150.2.6.1 | 1.12-bp150.2.6.1 | Dec 14, 2018 | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but | ||
| CVE-2018-16873 | — | < 1.12-bp150.2.6.1 | 1.12-bp150.2.6.1 | Dec 14, 2018 | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPA | ||
| CVE-2018-7187 | — | < 1.10.4-bp150.2.3.1 | 1.10.4-bp150.2.3.1 | Feb 16, 2018 | The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. |
- CVE-2019-5736Feb 11, 2019affected < 1.12-bp150.2.6.1fixed 1.12-bp150.2.6.1
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new conta
- CVE-2019-6486Jan 24, 2019affected < 1.12-bp150.2.6.1fixed 1.12-bp150.2.6.1
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
- CVE-2018-16875Dec 14, 2018affected < 1.12-bp150.2.6.1fixed 1.12-bp150.2.6.1
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates
- CVE-2018-16874Dec 14, 2018affected < 1.12-bp150.2.6.1fixed 1.12-bp150.2.6.1
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but
- CVE-2018-16873Dec 14, 2018affected < 1.12-bp150.2.6.1fixed 1.12-bp150.2.6.1
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPA
- CVE-2018-7187Feb 16, 2018affected < 1.10.4-bp150.2.3.1fixed 1.10.4-bp150.2.3.1
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.