We have just released Go 1.11.3 and Go 1.10.6 to address three recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.3).
cmd/go: remote command execution during "go get -u"
The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details.
Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.
cmd/go: directory traversal in "go get" via curly braces in import paths
The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details.
Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.
crypto/x509: CPU denial of service in chain validation
The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details.
Thanks to Netflix for discovering and reporting this issue.
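The practical question for anyone reading this advisory is whether the toolchain on a given host is older than the fixed release of its series (1.10.6 or 1.11.3). The following check is an added example, not code from the Go project or from Gentoo: it parses a `runtime.Version()`-style string and compares it against the fixed versions named above. Two assumptions are labelled in the code: series newer than 1.11 are treated as fixed (they shipped after these releases), and series older than 1.10, which the announcement does not mention, are treated as needing an upgrade.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"runtime"
	"strconv"
)

// fixedPatch maps a {major, minor} series to the first patch release that
// carries the fixes for CVE-2018-16873, CVE-2018-16874 and CVE-2018-16875,
// as stated in the announcement above.
var fixedPatch = map[[2]int]int{
	{1, 10}: 6,
	{1, 11}: 3,
}

// versionRe matches the leading "goX.Y" or "goX.Y.Z" of a toolchain version
// string such as "go1.11.2" or "go1.11rc1". "devel +<hash>" does not match.
var versionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion splits a version string into major, minor and patch.
// A missing patch component ("go1.11", "go1.11rc1") is treated as patch 0,
// which correctly sorts those builds before "go1.11.1".
func parseGoVersion(v string) (major, minor, patch int, err error) {
	m := versionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, nil
}

// NeedsUpdate reports whether a toolchain with this version string predates
// the fixed release for its series and should be upgraded.
func NeedsUpdate(v string) (bool, error) {
	major, minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	switch {
	case major > 1 || (major == 1 && minor > 11):
		// Assumption: later series were released after these fixes.
		return false, nil
	case major == 1 && minor < 10:
		// Assumption: series older than 1.10 are unsupported and never
		// received the fix, so treat them as needing an upgrade.
		return true, nil
	}
	return patch < fixedPatch[[2]int{major, minor}], nil
}

func main() {
	v := runtime.Version()
	need, err := NeedsUpdate(v)
	if err != nil {
		// Development builds carry no release number; the caller has to
		// decide based on the commit they were built from.
		fmt.Fprintln(os.Stderr, "cannot classify:", err)
		os.Exit(2)
	}
	if need {
		fmt.Printf("%s predates the fixed release; update to Go 1.11.3 or 1.10.6\n", v)
		os.Exit(1)
	}
	fmt.Printf("%s already carries the fixes\n", v)
}
```

Run it with the toolchain you want to check (`go run check.go`); the exit status is 1 when an update is needed and 2 when the version string could not be classified, so it can be dropped into a host inventory script.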
dev-lang/go 1.10.6 and 1.11.4 are now in the tree.
I am fine with fast stabilizing them.
dev-lang/go-1.10.7 was just added.
We need to fast stable 1.10.7 and 1.11.3.
I meant 1.11.4.
(In reply to William Hubbs from comment #2)
> dev-lang/go-1.10.7 was just added.
> We need to fast stable 1.10.7 and 1.11.3.
The 1.11 series has never had stable keywords at all, so it is likely we shall only stabilize 1.10.7.
I am fine with going ahead with stabilizing 1.11.4 as well; 1.11.2 has been in the tree for more than 30 days.
As discussed in IRC, 1.11.4 will be stabilized alongside 1.10.7.
Please stabilize dev-lang/go 1.10.7 and 1.11.4.
The bug has been referenced in the following commit(s):
Author: William Hubbs <firstname.lastname@example.org>
AuthorDate: 2018-12-20 14:44:53 +0000
Commit: William Hubbs <email@example.com>
CommitDate: 2018-12-20 14:45:19 +0000
dev-lang/go: stabilize 1.10.7 and 1.11.4 on amd64 for bug #673234
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Signed-off-by: William Hubbs <firstname.lastname@example.org>
dev-lang/go/go-1.10.7.ebuild | 2 +-
dev-lang/go/go-1.11.4.ebuild | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
GLSA is ready for review
This issue was resolved and addressed in
GLSA 201812-09 at https://security.gentoo.org/glsa/201812-09
by GLSA coordinator Mikle Kolyada (Zlogene).