golang-1.9.4-1.el7

Errata ID: AXSA:2018-2885:01

Release date: Tuesday, April 17, 2018 - 19:44
Subject: golang-1.9.4-1.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

The golang packages provide the Go programming language compiler.

The following packages have been upgraded to a later upstream version: golang (1.9.4). (BZ#1479095, BZ#1499827)

Security Fix(es):

* golang: arbitrary code execution during "go get" or "go get -d" (CVE-2017-15041)

* golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042)

* golang: arbitrary code execution during "go get" via C compiler options (CVE-2018-6574)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.5 Release Notes linked from the References section.

CVE-2017-15041
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
CVE-2017-15042
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
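The CVE-2017-15042 scenario above hinges on the client letting the server decide whether PLAIN is acceptable. The following is an added example (not Go's own net/smtp code, and not part of this advisory) of an smtp.Auth implementation that enforces the RFC 4954 rule on the client side: it only ever emits the PLAIN response when the client itself has completed STARTTLS, and it additionally checks that the server name matches the host the caller expected. The server names, credentials and smtp.ServerInfo values in main are constructed for illustration; the fixed Go 1.9.4 smtp.PlainAuth applies a comparable TLS check itself, so this wrapper is a defence-in-depth guard for code that may still run against an older toolchain.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// tlsOnlyPlainAuth is a client-side PLAIN mechanism that refuses to start on a
// connection the client has not upgraded to TLS, whatever the server advertises.
type tlsOnlyPlainAuth struct {
	identity, username, password, host string
}

// ErrUnencrypted is returned when STARTTLS has not completed on the client side.
var ErrUnencrypted = errors.New("smtp: refusing PLAIN auth on an unencrypted connection")

// ErrWrongHost is returned when the server name differs from the expected host,
// which would indicate a redirected or impersonated connection.
var ErrWrongHost = errors.New("smtp: server name does not match expected host")

// TLSOnlyPlainAuth returns an smtp.Auth that only sends credentials over TLS.
// The host parameter is the name the caller expects to be talking to.
func TLSOnlyPlainAuth(identity, username, password, host string) smtp.Auth {
	return &tlsOnlyPlainAuth{identity, username, password, host}
}

// Start implements smtp.Auth. server.TLS reflects the client's own view of the
// connection (set after a successful StartTLS), so a man-in-the-middle server
// that hides STARTTLS yet advertises AUTH PLAIN cannot talk the client into
// sending the password in clear.
func (a *tlsOnlyPlainAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS {
		return "", nil, ErrUnencrypted
	}
	if server.Name != a.host {
		return "", nil, ErrWrongHost
	}
	// PLAIN initial response: identity NUL username NUL password (RFC 4616).
	resp := []byte(a.identity + "\x00" + a.username + "\x00" + a.password)
	return "PLAIN", resp, nil
}

// Next implements smtp.Auth. PLAIN is a single-step mechanism, so any further
// challenge from the server is unexpected and is refused.
func (a *tlsOnlyPlainAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		return nil, errors.New("smtp: unexpected server challenge during PLAIN auth")
	}
	return nil, nil
}

func main() {
	// Constructed sample values; no network connection is opened here.
	auth := TLSOnlyPlainAuth("", "alice", "example-password", "mail.example.com")

	// A plaintext session that advertises PLAIN (the CVE-2017-15042 scenario),
	// followed by a session on which StartTLS has completed.
	plaintext := &smtp.ServerInfo{Name: "mail.example.com", TLS: false, Auth: []string{"PLAIN"}}
	encrypted := &smtp.ServerInfo{Name: "mail.example.com", TLS: true, Auth: []string{"PLAIN"}}

	if _, _, err := auth.Start(plaintext); err != nil {
		fmt.Println("plaintext session:", err)
	}
	proto, resp, err := auth.Start(encrypted)
	fmt.Printf("tls session: proto=%s resp=%q err=%v\n", proto, resp, err)
}
```

In real use the value is passed to smtp.Client.Auth after the caller's own StartTLS call; because the check keys off the client's connection state rather than the server's EHLO response, a downgraded session fails closed instead of leaking the credentials.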
CVE-2018-6574
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
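CVE-2018-6574 is, at bottom, a missing input check: flags that a fetched package supplies through its #cgo directives reach gcc or clang unfiltered, and -fplugin= / -plugin= make the compiler load an arbitrary shared object. The following is an added, simplified illustration of that kind of check; it is not the go tool's own code, and the function name CheckCompilerFlags, the denied-prefix list and the sample flag lists in main are constructed for this example. It rejects only the two flag families the CVE names; a production build tool should instead allowlist the flag forms it knows to be safe.

```go
package main

import (
	"fmt"
	"strings"
)

// deniedFlagPrefixes lists flag spellings that make gcc or clang load a plugin,
// i.e. run code supplied by the package being built inside the compiler process.
// Constructed for this example from the two families named in CVE-2018-6574.
var deniedFlagPrefixes = []string{
	"-fplugin", // gcc: -fplugin=<so>, -fplugin-arg-<name>-<key>=<value>
	"-plugin",  // clang / ld: -plugin <so>, -plugin=<so>, -plugin-opt=...
}

// CheckCompilerFlags inspects flags taken from an untrusted source (a package's
// #cgo directives or CGO_CFLAGS-style environment) and returns an error naming
// the first flag that must not be forwarded to the C compiler. The two-argument
// form "-plugin <so>" is caught by matching the bare flag word itself.
func CheckCompilerFlags(flags []string) error {
	for _, f := range flags {
		for _, p := range deniedFlagPrefixes {
			// Match the bare flag, the "=value" form and the "-suffix" variants.
			if f == p || strings.HasPrefix(f, p+"=") || strings.HasPrefix(f, p+"-") {
				return fmt.Errorf("invalid flag in cgo directive or CGO_CFLAGS: %q", f)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample flag lists standing in for #cgo CFLAGS/LDFLAGS values.
	samples := [][]string{
		{"-I/usr/include/foo", "-O2", "-DFOO=1"},
		{"-fplugin=/path/to/plugin.so"},
		{"-O2", "-plugin", "/path/to/plugin.so"},
	}
	for _, s := range samples {
		if err := CheckCompilerFlags(s); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", strings.Join(s, " "))
		}
	}
}
```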

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. golang-1.9.4-1.el7.src.rpm
    MD5: ba97fff9c1dced96258950b0d0e295e7
    SHA-256: e22b802e2b263521fe25b6af54f65714bed406a49eb486ad3c0101141762a150
    Size: 15.56 MB

Asianux Server 7 for x86_64
  1. golang-1.9.4-1.el7.x86_64.rpm
    MD5: e538851fdb6638c3bdb4218953f29963
    SHA-256: 3bfd2fb41f20fcd25689f0bba98daaa1b53b723a477f09df74b3c66f7ef90eb4
    Size: 609.65 kB
  2. golang-bin-1.9.4-1.el7.x86_64.rpm
    MD5: ac387ab537e4b671f07292e1d1010c7e
    SHA-256: 03c4271dbb2e07a3d724a2c2a0e5337c024b0ee49e7bba98342a07e54b21863c
    Size: 48.66 MB
  3. golang-docs-1.9.4-1.el7.noarch.rpm
    MD5: d8a16d0349e83122a0013cc2b613da54
    SHA-256: 276b92468b5cab4a4dc5ab532f9d7c52a7a9ed86513fa0357e14f44c279ee278
    Size: 2.39 MB
  4. golang-misc-1.9.4-1.el7.noarch.rpm
    MD5: 9a135b235beedd4c32cf0c697fe5f272
    SHA-256: 899f6838ed94ebd8d601d2442274b35d2289336a84ebbd08ff8cd9f2d117db48
    Size: 555.23 kB
  5. golang-src-1.9.4-1.el7.noarch.rpm
    MD5: 399b1d68af3f3d592d23d0fec41e6c06
    SHA-256: 44da22245660a590fd0d84dc9402d746f7096b3bbf300b091a3a88163d652f2c
    Size: 5.14 MB
  6. golang-tests-1.9.4-1.el7.noarch.rpm
    MD5: 6d1a41a4741e894c7bb81808c5ef79bb
    SHA-256: 90264386a88462cf575672821f59ef0913e871ed73fde7dd7b5f7592dcde20aa
    Size: 5.33 MB