Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 673234 (CVE-2018-16873, CVE-2018-16874, CVE-2018-16875) - <dev-lang/go-{1.10.7,1.11.4}: Multiple vulnerabilities (CVE-2018-{16873,16874,16875})
Summary: <dev-lang/go-{1.10.7,1.11.4}: Multiple vulnerabilities (CVE-2018-{16873,16874...
Status: RESOLVED FIXED
Alias: CVE-2018-16873, CVE-2018-16874, CVE-2018-16875
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://groups.google.com/forum/#!top...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-16 09:37 UTC by Mikle Kolyada (RETIRED)
Modified: 2018-12-21 12:03 UTC (History)
1 user (show)

See Also:
Package list:
dev-lang/go-1.10.7 amd64 arm x86 dev-lang/go-1.11.4 amd64 arm x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-16 09:37:54 UTC 
We have just released Go 1.11.3 and Go 1.10.6 to address three recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.3).

cmd/go: remote command execution during "go get -u"
The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details.

Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.
cmd/go: directory traversal in "go get" via curly braces in import paths
The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details.

Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.
crypto/x509: CPU denial of service in chain validation
The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details.
Thanks to Netflix for discovering and reporting this issue.
Comment 1 William Hubbs gentoo-dev 2018-12-17 17:15:59 UTC 
dev-lang/go 1.10.6 and 1.11.4 are now in the tree.
I am fine with fast stabilizing them.
Comment 2 William Hubbs gentoo-dev 2018-12-17 18:31:31 UTC 
dev-lang/go-1.10.7 was just added.
We need to fast stable 1.10.7 and 1.11.3.
Comment 3 William Hubbs gentoo-dev 2018-12-17 18:32:06 UTC 
I meant 1.11.4.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-17 18:33:58 UTC 
(In reply to William Hubbs from comment #2)
> dev-lang/go-1.10.7 was just added.
> We need to fast stable 1.10.7 and 1.11.3.

1.11 series has never had stable keywords at all, so it is likely we shall only stabilize 1.10.7
Comment 5 William Hubbs gentoo-dev 2018-12-17 18:42:01 UTC 
I am fine with going ahead with stabilizing 1.11.4 as well, 1.11.2 has
been in the tree more than 30 days.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-17 18:49:09 UTC 
as discussed in in irc 1.11.4 will be stabilized alongside with 1.10.7
Comment 7 William Hubbs gentoo-dev 2018-12-18 15:32:13 UTC 
Arch teams,

please stabilize dev-lang/go 1.10.7 and 1.11.4.

Thanks,

William
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-20 01:29:47 UTC 
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2018-12-20 14:47:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57897bad2d7ac8e0e5cb773f0c1e606f3be0a915

commit 57897bad2d7ac8e0e5cb773f0c1e606f3be0a915
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2018-12-20 14:44:53 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2018-12-20 14:45:19 +0000

    dev-lang/go: stabilize 1.10.7 and 1.11.4 on amd64 for bug #673234
    
    Bug: https://bugs.gentoo.org/673234
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.10.7.ebuild | 2 +-
 dev-lang/go/go-1.11.4.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-20 18:45:12 UTC 
GLSA is ready for review
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2018-12-21 12:03:57 UTC 
This issue was resolved and addressed in
 GLSA 201812-09 at https://security.gentoo.org/glsa/201812-09
by GLSA coordinator Mikle Kolyada (Zlogene).