The "go get" implementation in Go 1.9.4, when the -insecure command-line
option is used, does not validate the import path (get/vcs.go only checks
for "://" anywhere in the string), which allows remote attackers to execute
arbitrary OS commands via a crafted web site.
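
The gap between a substring test for "://" (the check the CVE text above describes) and parsing the value and validating each component, as an added example. It is not code from the Go project or from this bug report; `weakCheck`, `strictCheck`, the scheme allow-list and the sample strings are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// weakCheck is the kind of test the advisory describes: any string with
// "://" somewhere in it passes, wherever the substring appears.
func weakCheck(repoRoot string) bool {
	return strings.Contains(repoRoot, "://")
}

// allowedSchemes is an assumed allow-list chosen for this example.
var allowedSchemes = map[string]bool{"https": true, "ssh": true, "git": true}

// safePathChars is an assumed conservative character set for the path part.
const safePathChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/~"

// strictCheck parses the value and validates each component separately.
func strictCheck(repoRoot string) error {
	u, err := url.Parse(repoRoot)
	if err != nil {
		return err
	}
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	if u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return errors.New("expected scheme://host/path with no query or fragment")
	}
	for _, r := range u.Path {
		if !strings.ContainsRune(safePathChars, r) {
			return fmt.Errorf("character %q is not allowed in path", r)
		}
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from any real repository.
	samples := []string{"https://example.com/user/repo", "example.com/user/repo?ref=://", "not a url ://"}
	for _, s := range samples {
		fmt.Printf("%-34q weak=%-5v strict=%v\n", s, weakCheck(s), strictCheck(s))
	}
}
```
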
This is fixed in go-1.10.1.
Arm team, please stabilize.
I have stabilized on amd64 and x86.
@arm please test and mark stable.
@arm team, what is the status of getting this stable?
arm stable, all arches done.
GLSA request filed.
@maintainer, please drop the vulnerable versions.
This issue was resolved and addressed in
GLSA 201804-12 at https://security.gentoo.org/glsa/201804-12
by GLSA coordinator Aaron Bauman (b-man).
Re-opened for cleanup.
Vulnerable versions are removed.
(In reply to William Hubbs from comment #8)
> Vulnerable versions are removed.