The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - golang: arbitrary command execution via VCS path (CVE-2018-7187)

  - golang: malformed hosts in URLs leads to authorization bypass (CVE-2019-14809)

  - On Darwin, user's trust preferences for root certificates were not honored. If the user had a root     certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a     connection using that root certificate. (CVE-2017-1000097)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

This update for go1.9 fixes the following issues :

Security issues fixed :

  - CVE-2018-7187: arbitrary command execution via VCS path     (boo#1081495)

Non-security changes :

  - Update to version 1.9.7

  - fixes to the go command and compiler

  - minimal support to the go command for the vgo transition

This update for containerd, docker and go fixes the following issues :

containerd and docker :

  - Add backport for building containerd (bsc#1102522,     bsc#1113313)

  - Upgrade to containerd v1.1.2, which is required for     Docker v18.06.1-ce. (bsc#1102522)

  - Enable seccomp support (fate#325877)

  - Update to containerd v1.1.1, which is the required     version for the Docker v18.06.0-ce upgrade.
    (bsc#1102522)

  - Put containerd under the podruntime slice (bsc#1086185) 

  - 3rd party registries used the default Docker certificate     (bsc#1084533)

  - Handle build breakage due to missing 'export GOPATH'     (caused by resolution of boo#1119634). I believe Docker     is one of the only packages with this problem.

go :

  - golang: arbitrary command execution via VCS path     (bsc#1081495, CVE-2018-7187)

  - Make profile.d/go.sh no longer set GOROOT=, in order to     make switching between versions no longer break. This     ends up removing the need for go.sh entirely (because     GOPATH is also set automatically) (boo#1119634)

  - Fix a regression that broke go get for import path     patterns containing '...' (bsc#1119706)

Additionally, the package go1.10 has been added.

This update was imported from the SUSE:SLE-15:Update update project.

An update of the go package has been released.

A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery.

In addition this update fixes two vulnerabilities in 'go get', which could result in the execution of arbitrary shell commands.

A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery.

In addition this update fixes a vulnerability in 'go get', which could result in the execution of arbitrary shell commands.

Security fix for CVE-2018-7187

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for containerd, docker and go fixes the following issues :

containerd and docker :

Add backport for building containerd (bsc#1102522, bsc#1113313)

Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce. (bsc#1102522)

Enable seccomp support on SLE12 (fate#325877)

Update to containerd v1.1.1, which is the required version for the Docker v18.06.0-ce upgrade. (bsc#1102522)

Put containerd under the podruntime slice (bsc#1086185)

3rd party registries used the default Docker certificate (bsc#1084533)

Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem.

go: golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187)

Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (boo#1119634)

Fix a regression that broke go get for import path patterns containing '...' (bsc#1119706)

Additionally, the package go1.10 has been added.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201804-12 (Go: Arbitrary code execution)

    A vulnerability in Go was discovered which does not validate the import       path of remote repositories.
  Impact :

    Remote attackers, by enticing a user to import from a crafted website,       could execute arbitrary commands.
  Workaround :

    There is no known workaround at this time.

Arbitrary code execution during 'go get' via C compiler options :

An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2018-6574)

The 'go get' implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for '://' anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted website. (CVE-2018-7187)

It was discovered that there was an arbitrary command execution vulnerability in the Go programming language.

The 'go get' implementation did not correctly validate 'import path' statements for '://' which allowed remote attackers to execute arbitrary OS commands via a crafted website.

For Debian 7 'Wheezy', this issue has been fixed in golang version 2:1.0.2-1.1+deb7u3.

We recommend that you upgrade your golang packages. The Debian LTS team would like to thank Abhijith PA for preparing this update.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
199297	RHEL 7 : golang (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
123200	openSUSE Security Update : go1.9 (openSUSE-2019-482)	Nessus	SuSE Local Security Checks	high
123165	openSUSE Security Update : containerd / docker and go (openSUSE-2019-1044)	Nessus	SuSE Local Security Checks	high
121932	Photon OS 2.0: Go PHSA-2018-2.0-0034	Nessus	PhotonOS Local Security Checks	high
121818	Photon OS 1.0: Go PHSA-2018-1.0-0123	Nessus	PhotonOS Local Security Checks	high
121558	Debian DSA-4380-1 : golang-1.8 - security update	Nessus	Debian Local Security Checks	high
121557	Debian DSA-4379-1 : golang-1.7 - security update	Nessus	Debian Local Security Checks	high
120938	Fedora 28 : golang (2018-fe65c14082)	Nessus	Fedora Local Security Checks	high
120195	SUSE SLED15 / SLES15 Security Update : containerd, docker / go (SUSE-SU-2018:4297-1)	Nessus	SuSE Local Security Checks	high
119952	openSUSE Security Update : containerd / docker and go (openSUSE-2018-1626)	Nessus	SuSE Local Security Checks	high
110681	openSUSE Security Update : go1.9 (openSUSE-2018-672)	Nessus	SuSE Local Security Checks	high
109056	GLSA-201804-12 : Go: Arbitrary code execution	Nessus	Gentoo Local Security Checks	high
108600	Amazon Linux AMI : golang (ALAS-2018-975)	Nessus	Amazon Linux Local Security Checks	high
106985	Debian DLA-1294-1 : golang security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2018-7187

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

high

high

high