CVE-2018-7187 (https://nvd.nist.gov/vuln/detail/CVE-2018-7187): The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
This is fixed in go-1.10.1. Arm team, please stabilize. I have stabilized on amd64 and x86.
@arm please test and mark stable.
@arm team, what is the status of getting this stable?
arm stable, all arches done.
GLSA request filed.

@maintainer, please drop the vulnerable versions.
This issue was resolved and addressed in GLSA 201804-12 at https://security.gentoo.org/glsa/201804-12 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup
Vulnerable versions are removed.

Thanks,

William
(In reply to William Hubbs from comment #8)
> Vulnerable versions are removed.
>
> Thanks,
>
> William

Thanks, William!