Message-ID: <CA+ON-PGqthRuygz5OOxoerrmAXfAH063cF34LGYZ2KhnEvmGhg@mail.gmail.com>
Date: Fri, 14 Dec 2018 13:06:44 -0500
From: Dmitri Shuralyov <dmitshur@...ang.org>
To: oss-security@...ts.openwall.com
Cc: Security Officer <security@...ang.org>, Filippo Valsorda <filippo@...ang.org>
Subject: Go security releases 1.11.3 and 1.10.6

Hello,

We have released Go 1.11.3 and Go 1.10.6 to address three recently
reported security issues. You can see an announcement at
https://groups.google.com/d/msg/golang-announce/Kw31K8G7Fi0/z2olKn-QCAAJ.

We are making this posting to oss-security list now that the security
issues are public to follow the policy described at
https://oss-security.openwall.org/wiki/mailing-lists/distros. We
recommend subscribing to the golang-announce list at
https://groups.google.com/d/forum/golang-announce to guarantee
receiving notifications about future Go security releases.

There are three vulnerabilities being addressed by the security release:

• cmd/go: remote command execution during "go get -u"

The "go get" command is vulnerable to remote code execution when
executed with the -u flag and the import path of a malicious Go
package, or a package that imports it directly or indirectly.
Specifically, it is only vulnerable in GOPATH mode, but not in module
mode (the distinction is documented at
https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom
domains, it’s possible to arrange things so that a Git repository is
cloned to a folder named .git by using a vanity import path that ends
with "/.git". If the Git repository root contains a HEAD file, a
config file, an objects directory and a refs directory, then, with
some work to ensure the proper ordering of operations, "go get -u" can
be tricked into considering the parent directory as a repository root, and
running Git commands on it. That will use the config file in the
original Git repository root for its configuration, and if that config
file contains malicious commands, they will execute on the system
running "go get -u".

The issue is CVE-2018-16873 and Go issue https://golang.org/issue/29230.

Thanks to Etienne Stalmans from the Heroku platform security team for
discovering and reporting this issue.

• cmd/go: directory traversal in "go get" via curly braces in import paths

The "go get" command is vulnerable to directory traversal when
executed with the import path of a malicious Go package which contains
curly braces (both '{' and '}' characters). Specifically, it is only
vulnerable in GOPATH mode, but not in module mode (the distinction is
documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The
attacker can cause an arbitrary filesystem write, which can lead to
code execution.

The issue is CVE-2018-16874 and Go issue https://golang.org/issue/29231.

Thanks to ztz of Tencent Security Platform for discovering and
reporting this issue.
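Both "go get" issues above hinge on the shape of the import path: a path element named ".git" (CVE-2018-16873) and curly braces in the path (CVE-2018-16874). The following pre-flight screen, an added example that is not part of this advisory or of the Go toolchain, rejects those shapes before a build script hands a path to "go get" in GOPATH mode. It also rejects the elements "." and "..", which goes a little beyond the advisory but never excludes a valid import path. The sample paths in main are constructed, not real packages. The screen is a defensive stop-gap; the real fix is the patched toolchain or module mode.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeImportPath marks an import path that matches one of the shapes
// the advisory describes for CVE-2018-16873 and CVE-2018-16874.
var ErrUnsafeImportPath = errors.New("unsafe import path")

// CheckImportPath is a pre-flight screen for paths handed to "go get" in
// GOPATH mode. It rejects curly braces anywhere in the path (the
// CVE-2018-16874 shape) and any path element named ".git" (the vanity
// "/.git" suffix from CVE-2018-16873). Empty elements, "." and ".." are
// rejected as well (an assumption beyond the advisory: no valid import
// path contains them). A ".git" suffix on a non-empty element, as in
// "example.com/repo.git", is a normal hosting convention and is allowed.
func CheckImportPath(p string) error {
	if strings.ContainsAny(p, "{}") {
		return fmt.Errorf("%w: %q contains curly braces", ErrUnsafeImportPath, p)
	}
	for _, elem := range strings.Split(p, "/") {
		switch elem {
		case "", ".", "..", ".git":
			return fmt.Errorf("%w: %q contains the path element %q", ErrUnsafeImportPath, p, elem)
		}
	}
	return nil
}

// Screen applies CheckImportPath to a list and returns the rejected paths
// with their reasons, so a CI step can fail before "go get" ever runs.
func Screen(paths []string) map[string]error {
	rejected := map[string]error{}
	for _, p := range paths {
		if err := CheckImportPath(p); err != nil {
			rejected[p] = err
		}
	}
	return rejected
}

func main() {
	// Constructed sample inputs (not real packages) covering a clean path,
	// the ".git" element, curly braces and an allowed ".git" suffix.
	samples := []string{
		"golang.org/x/net/html",
		"example.com/vanity/pkg/.git",
		"example.com/{a,b}/pkg",
		"example.com/repo.git/sub",
	}
	for _, err := range Screen(samples) {
		fmt.Println("rejected:", err)
	}
}
```

Run it once on the list of paths a build pulls with "go get -u"; a non-empty map from Screen is the signal to stop and inspect the path rather than fetch it.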

• crypto/x509: CPU denial of service in chain validation

The crypto/x509 package does not limit the amount of work performed
for each chain verification, which might allow attackers to craft
pathological inputs leading to a CPU denial of service. Go TLS servers
accepting client certificates and TLS clients verifying certificates
are affected.

The issue is CVE-2018-16875 and Go issue https://golang.org/issue/29233.

Thanks to Netflix for discovering and reporting this issue.

All three vulnerabilities affect Go before 1.10.6, and 1.11.x before 1.11.3.
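The affected-version statement above is what a fleet inventory check has to encode. The program below is an added example, not code from the Go project or this advisory: it parses the strings runtime.Version() reports for releases ("go1.9", "go1.10.6", "go1.12beta1") and applies the advisory's rule exactly as stated, treating everything before 1.10.6 and 1.11.x before 1.11.3 as affected. Go 1.12 and later fall outside the stated range and are reported as not affected; development builds ("devel ...") carry no release number and are reported as an error rather than guessed at. The version strings in the comments are constructed examples.

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
)

// goVersion is the numeric part of a Go release string such as "go1.11.2".
type goVersion struct{ major, minor, patch int }

// leadingInt parses the decimal digits at the start of s, so "12beta1"
// yields 12 and "3" yields 3. ok is false when s has no leading digit.
func leadingInt(s string) (n int, ok bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		n = n*10 + int(s[i]-'0')
		i++
	}
	return n, i > 0
}

// ParseGoVersion accepts the release forms runtime.Version() reports:
// "go1.9", "go1.10.6", "go1.12beta1". A missing patch number is 0.
// Strings without at least "major.minor" (e.g. "devel +sha") are errors.
func ParseGoVersion(v string) (goVersion, error) {
	orig := v
	v = strings.TrimPrefix(v, "go")
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 {
		return goVersion{}, fmt.Errorf("cannot parse Go version %q", orig)
	}
	var nums [3]int
	for i, p := range parts {
		n, ok := leadingInt(p)
		if !ok {
			return goVersion{}, fmt.Errorf("cannot parse Go version %q", orig)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// less reports whether a sorts before b in (major, minor, patch) order.
func (a goVersion) less(b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// Affected applies the advisory's statement: every Go before 1.10.6 is
// affected, and 1.11.x is affected before 1.11.3. Releases outside that
// range (1.12 and later) are reported as not affected.
func Affected(v string) (bool, error) {
	gv, err := ParseGoVersion(v)
	if err != nil {
		return false, err
	}
	if gv.less(goVersion{1, 10, 6}) {
		return true, nil
	}
	if gv.major == 1 && gv.minor == 11 && gv.patch < 3 {
		return true, nil
	}
	return false, nil
}

func main() {
	// Classify the toolchain this binary was built with.
	v := runtime.Version()
	affected, err := Affected(v)
	if err != nil {
		fmt.Println("cannot classify", v+":", err)
		return
	}
	fmt.Printf("%s affected by CVE-2018-16873/16874/16875: %v\n", v, affected)
}
```

Feeding it the output of "go version" from each build host (trimmed to the "go1.x.y" token) gives the list of machines still needing the 1.10.6 or 1.11.3 update.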

Thank you,
Dmitri on behalf of the Go team
