Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go
1.10rc2 allow "go get" remote command execution during source code build, by
leveraging the gcc or clang plugin feature, because -fplugin= and -plugin=
arguments were not blocked.
dev-lang/go-1.9.4 is in the tree and stable on amd64.
please test and mark stable: =dev-lang/go-1.9.4
arm stable, all arches done.
Thank you all, GLSA Request filed.
@Maintainer please proceed to clean up the tree.
@ Maintainer(s): Please cleanup and drop <dev-lang/go-1.9.4!
This issue was resolved and addressed in
GLSA 201803-03 at https://security.gentoo.org/glsa/201803-03
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for pending cleanup.
@Maintainer proceed to remove vulnerable versions.
All versions < 1.9.4 have been removed.