CVE-2018-6574 (https://nvd.nist.gov/vuln/detail/CVE-2018-6574): Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
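An added example, not part of the bug report and not the Go project's fix: a source audit that flags the two argument prefixes named in the CVE text before untrusted code is built. It assumes the flags reach gcc or clang through `#cgo` directives in the fetched source, which the report itself does not state; `FindPluginFlags`, `Finding` and `sample` are hypothetical names, and the sample source is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one #cgo flag that names a compiler or linker plugin.
type Finding struct { Line int; Flag string }

// Constructed sample source (not from any real package).
const sample = `package demo

/*
#cgo CFLAGS: -O2 -fplugin=./p.so
#cgo linux LDFLAGS: -lm -Wl,-plugin=./q.so
#cgo CFLAGS: -DNAME=-fplugin=x
*/
import "C"
`

// FindPluginFlags scans Go source text for #cgo directives (assumed vector)
// carrying arguments that start with -fplugin= or -plugin=.
func FindPluginFlags(src string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(src, "\n") {
		// Directives appear bare inside /* */ or prefixed with //.
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(raw), "//"))
		parts := strings.SplitN(line, ":", 2)
		if !strings.HasPrefix(line, "#cgo") || len(parts) != 2 {
			continue
		}
		for _, tok := range strings.Fields(parts[1]) {
			// -Wl,x forwards comma-separated arguments to the linker.
			for _, arg := range strings.Split(tok, ",") {
				if strings.HasPrefix(arg, "-fplugin=") || strings.HasPrefix(arg, "-plugin=") {
					out = append(out, Finding{i + 1, arg})
				}
			}
		}
	}
	return out
}

func main() {
	for _, f := range FindPluginFlags(sample) {
		fmt.Printf("line %d: %s\n", f.Line, f.Flag)
	}
}
```

The scan matches on argument prefixes only, so the `-DNAME=-fplugin=x` define in the sample is not reported.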
dev-lang/go-1.9.4 is in the tree and stable on amd64.
@Arches, please test and mark stable: =dev-lang/go-1.9.4
x86 stable
arm stable, all arches done.
Thank you all, GLSA Request filed. @Maintainer please proceed to clean up the tree.
@Maintainer(s): Please clean up and drop <dev-lang/go-1.9.4!
This issue was resolved and addressed in GLSA 201803-03 at https://security.gentoo.org/glsa/201803-03 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for pending cleanup.
@Maintainer proceed to remove vulnerable versions. Thank you.
All versions < 1.9.4 have been removed.