Bug 632408 (CVE-2017-15041, CVE-2017-15042) - <dev-lang/go-1.9.1: multiple vulnerabilities
Summary: <dev-lang/go-1.9.1: multiple vulnerabilities
Alias: CVE-2017-15041, CVE-2017-15042
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Reported: 2017-09-29 17:15 UTC by William Hubbs
Modified: 2017-10-25 00:43 UTC
Runtime testing required: ---
stable-bot: sanity-check+


Description William Hubbs gentoo-dev 2017-09-29 17:15:16 UTC
Arch teams, please stabilize dev-lang/go-1.9.


Comment 1 Larry the Git Cow gentoo-dev 2017-10-04 22:01:22 UTC
The bug has been referenced in the following commit(s):

commit 7a11bc14b699ad8cd003731d4cda79bec5ec84d1
Author:     William Hubbs <>
AuthorDate: 2017-10-04 22:00:01 +0000
Commit:     William Hubbs <>
CommitDate: 2017-10-04 22:00:01 +0000

    dev-lang/go: 1.9.1 version bump
    Committed straight to stable on amd64 for vulnerabilities discussed
    Package-Manager: Portage-2.3.8, Repoman-2.3.3
    RepoMan-Options: --force

 dev-lang/go/Manifest        |   1 +
 dev-lang/go/go-1.9.1.ebuild | 227 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 228 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-04 22:26:17 UTC
By nesting a git checkout inside another version control repository, it was possible for an attacker to trick the “go get” command into executing arbitrary code. The go command now refuses to use version control checkouts found inside other version control systems, with an exception for git submodules (git inside git).
The issue is tracked as (Go 1.8.4) and (Go 1.9.1). Fixes are linked from the issues.

In the smtp package, PlainAuth is documented as sending credentials only over authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also send credentials on non-TLS connections when the remote server advertises that PLAIN authentication is supported. The change was meant to allow use of PLAIN authentication on localhost, but it has the effect of allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now requires either TLS or a localhost connection before sending credentials, regardless of what the remote server claims.
This issue is tracked as (Go 1.8.4) and (Go 1.9.1). Fixes are linked from the issues.
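
Added example, not part of the comment above and not code from the Go project: a small Go program that checks whether the installed toolchain's `net/smtp` PlainAuth follows the fixed rule described above (credentials only over TLS or to localhost, whatever the server advertises). The host `mail.example.org`, the account and password, and the helper names `wouldSendCredentials` and `toolchainIsFixed` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// wouldSendCredentials reports whether net/smtp's PlainAuth releases the
// password to a server described by its name, TLS state and advertised
// mechanisms. Nothing is sent on the network; only Auth.Start is evaluated.
// The account and password are constructed sample values.
func wouldSendCredentials(name string, tls bool, advertised []string) bool {
	auth := smtp.PlainAuth("", "user@example.org", "constructed-password", name)
	server := &smtp.ServerInfo{Name: name, TLS: tls, Auth: advertised}
	_, resp, err := auth.Start(server)
	return err == nil && len(resp) > 0
}

// toolchainIsFixed checks the three cases from the advisory text.
func toolchainIsFixed() bool {
	plain := []string{"PLAIN"}
	// Remote host, no TLS, server claims PLAIN is supported: a fixed
	// PlainAuth must refuse, because an unauthenticated peer's claim
	// cannot be trusted.
	if wouldSendCredentials("mail.example.org", false, plain) {
		return false
	}
	// The two permitted cases must keep working: TLS, and localhost.
	return wouldSendCredentials("mail.example.org", true, plain) &&
		wouldSendCredentials("localhost", false, plain)
}

func main() {
	if toolchainIsFixed() {
		fmt.Println("ok: PlainAuth refuses cleartext non-local connections")
	} else {
		fmt.Println("vulnerable: PlainAuth sends credentials in cleartext; rebuild with a fixed Go")
	}
}
```

Binaries built with an affected toolchain keep the old behaviour until they are rebuilt, so the check is most useful when run with the same Go installation that builds the SMTP-using services.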
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-04 22:53:48 UTC
x86 stable
Comment 4 Stabilization helper bot gentoo-dev 2017-10-04 23:01:03 UTC
An automated check of this bug failed - the following atom is unknown:


Please verify the atom list.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-04 23:11:10 UTC
Stablebot: You should update your repository! :)
Comment 6 Markus Meier gentoo-dev 2017-10-16 18:14:26 UTC
arm stable, all arches done.
Comment 7 Aleksandr Wagner (Kivak) 2017-10-16 18:20:59 UTC
@Maintainer(s): Please clean the vulnerable versions from the tree.

@Security: Please vote on whether a glsa is needed or not.

Gentoo Security Padawan
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-16 22:06:06 UTC
New GLSA Request filed.

Thank you all
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-10-23 01:04:22 UTC
This issue was resolved and addressed in
 GLSA 201710-23 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-10-23 01:05:00 UTC
re-opened for cleanup.
Comment 11 William Hubbs gentoo-dev 2017-10-23 18:16:13 UTC
All old versions are removed.