Arch teams, please stabilize dev-lang/go-1.9.
The bug has been referenced in the following commit(s):
Author: William Hubbs <firstname.lastname@example.org>
AuthorDate: 2017-10-04 22:00:01 +0000
Commit: William Hubbs <email@example.com>
CommitDate: 2017-10-04 22:00:01 +0000
dev-lang/go: 1.9.1 version bump
Committed straight to stable on amd64 for vulnerabilities discussed
Package-Manager: Portage-2.3.8, Repoman-2.3.3
dev-lang/go/Manifest | 1 +
dev-lang/go/go-1.9.1.ebuild | 227 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 228 insertions(+)
By nesting a git checkout inside another version control repository, it was possible for an attacker to trick the “go get” command into executing arbitrary code. The go command now refuses to use version control checkouts found inside other version control systems, with an exception for git submodules (git inside git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
In the smtp package, PlainAuth is documented as sending credentials only over authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also send credentials on non-TLS connections when the remote server advertises that PLAIN authentication is supported. The change was meant to allow use of PLAIN authentication on localhost, but it has the effect of allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now requires either TLS or a localhost connection before sending credentials, regardless of what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
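Added example (not from the bug, the commit, or the Go project's own source) of the nested-checkout rule described above for "go get": a checkout managed by one VCS is refused when any ancestor up to the source root is a checkout of a different VCS, with git-inside-git tolerated because submodules look that way. The function name checkNestedVCS, the list of VCS names, and the temporary directory layout are assumptions constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// vcsNames are the systems whose metadata directory (".git", ".hg", ...)
// marks a checkout. Assumed list for the demo.
var vcsNames = []string{"git", "hg", "svn", "bzr"}

// checkNestedVCS returns an error when dir, a checkout managed by vcs, lies
// inside a checkout of a *different* VCS somewhere between dir and srcRoot.
// git inside git is tolerated since submodules legitimately produce that shape.
func checkNestedVCS(vcs, dir, srcRoot string) error {
	for other := dir; len(other) > len(srcRoot); other = filepath.Dir(other) {
		for _, otherVCS := range vcsNames {
			if _, err := os.Stat(filepath.Join(other, "."+otherVCS)); err != nil {
				continue // no checkout of this kind at this level
			}
			if other == dir && otherVCS == vcs {
				continue // the expected checkout itself
			}
			if otherVCS == "git" && vcs == "git" {
				continue // submodule shape: git inside git
			}
			return fmt.Errorf("directory %q uses %s, but parent %q uses %s", dir, vcs, other, otherVCS)
		}
		if filepath.Dir(other) == other {
			break // reached a filesystem root; stop walking up
		}
	}
	return nil
}

// buildFixture creates a constructed source tree under a temp dir:
//   example.test/repo/.hg             an hg checkout
//   example.test/repo/vendor/x/.git   a git checkout nested inside it
//   example.test/clean/.git           an ordinary git checkout
//   example.test/clean/sub/.git       git inside git (submodule shape)
func buildFixture() (string, error) {
	root, err := os.MkdirTemp("", "nestedvcs")
	if err != nil {
		return "", err
	}
	for _, d := range []string{
		"example.test/repo/.hg",
		"example.test/repo/vendor/x/.git",
		"example.test/clean/.git",
		"example.test/clean/sub/.git",
	} {
		if err := os.MkdirAll(filepath.Join(root, filepath.FromSlash(d)), 0o755); err != nil {
			return "", err
		}
	}
	return root, nil
}

// runDemo builds the fixture, evaluates three cases and returns the verdict
// per case (nil means the checkout would be accepted).
func runDemo() (map[string]error, error) {
	root, err := buildFixture()
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	j := func(rel string) string { return filepath.Join(root, filepath.FromSlash(rel)) }
	return map[string]error{
		"hg root itself":             checkNestedVCS("hg", j("example.test/repo"), root),
		"git inside hg":              checkNestedVCS("git", j("example.test/repo/vendor/x"), root),
		"git inside git (submodule)": checkNestedVCS("git", j("example.test/clean/sub"), root),
	}, nil
}

func main() {
	results, err := runDemo()
	if err != nil {
		fmt.Println("fixture error:", err)
		return
	}
	for name, res := range results {
		fmt.Printf("%-28s -> %v\n", name, res)
	}
}
```

The walk stops once the candidate path is no longer longer than the source root, so a checkout directly under the root is compared only against itself and its own ancestors inside the tree.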
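Added example (not from the bug, the commit, or net/smtp itself) of the PlainAuth rule described above: the pre-fix predicate trusts a cleartext server that advertises PLAIN, the fixed predicate sends credentials only over TLS or to a loopback peer. GuardedPlainAuth is a hypothetical smtp.Auth implementation applying the fixed rule; the ServerInfo values are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// Constructed ServerInfo values standing in for what a client learns after
// EHLO: Name is the host that was dialed, TLS whether STARTTLS completed,
// Auth the mechanisms the server claims to support.
var (
	tlsServer   = &smtp.ServerInfo{Name: "mail.example.test", TLS: true, Auth: []string{"PLAIN", "LOGIN"}}
	localServer = &smtp.ServerInfo{Name: "localhost", TLS: false, Auth: []string{"PLAIN"}}
	// A cleartext, non-local peer advertising PLAIN: on an untrusted path this
	// is exactly what an interposed host would say to solicit the password.
	cleartextServer = &smtp.ServerInfo{Name: "mail.example.test", TLS: false, Auth: []string{"PLAIN"}}
)

func isLocalhost(name string) bool {
	return name == "localhost" || name == "127.0.0.1" || name == "::1"
}

func advertisesPlain(server *smtp.ServerInfo) bool {
	for _, m := range server.Auth {
		if m == "PLAIN" {
			return true
		}
	}
	return false
}

// allowPlainPreFix models the Go 1.1 to 1.8.3 rule: credentials go out if the
// connection is TLS *or* the server merely advertises PLAIN.
func allowPlainPreFix(server *smtp.ServerInfo) bool {
	return server.TLS || advertisesPlain(server)
}

// allowPlainFixed models the Go 1.8.4/1.9.1 rule: without TLS nothing in
// ServerInfo is trustworthy, so only a loopback peer may receive PLAIN.
func allowPlainFixed(server *smtp.ServerInfo) bool {
	return server.TLS || isLocalhost(server.Name)
}

// guardedPlain is a hypothetical smtp.Auth applying the fixed rule. The SASL
// PLAIN initial response is identity NUL username NUL password.
type guardedPlain struct {
	identity, username, password string
}

func GuardedPlainAuth(identity, username, password string) smtp.Auth {
	return &guardedPlain{identity, username, password}
}

func (a *guardedPlain) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !allowPlainFixed(server) {
		return "", nil, errors.New("smtp: refusing PLAIN auth on unencrypted, non-local connection")
	}
	resp := []byte(a.identity + "\x00" + a.username + "\x00" + a.password)
	return "PLAIN", resp, nil
}

func (a *guardedPlain) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		// PLAIN completes in one step; a server asking for more is misbehaving.
		return nil, errors.New("smtp: unexpected server challenge")
	}
	return nil, nil
}

func main() {
	auth := GuardedPlainAuth("", "user", "secret")
	for _, s := range []*smtp.ServerInfo{tlsServer, localServer, cleartextServer} {
		proto, _, err := auth.Start(s)
		fmt.Printf("%-18s tls=%-5v pre-fix sends=%-5v fixed sends=%-5v (%q, %v)\n",
			s.Name, s.TLS, allowPlainPreFix(s), allowPlainFixed(s), proto, err)
	}
}
```

The check happens in Start, before any bytes carrying the password are produced, which is the point: the decision cannot depend on anything the peer said when the channel is not authenticated.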
An automated check of this bug failed - the following atom is unknown:
Please verify the atom list.
Stablebot: You should update your repository! :)
arm stable, all arches done.
@Maintainer(s): Please clean the vulnerable versions from the tree.
@Security: Please vote on whether a glsa is needed or not.
Gentoo Security Padawan
New GLSA Request filed.
Thank you all
This issue was resolved and addressed in
GLSA 201710-23 at https://security.gentoo.org/glsa/201710-23
by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup.
All old versions are removed.