Format: 1.8
Date: Sat, 13 Mar 2021 15:28:08 +0100
Source: golang-1.8
Binary: golang-1.8-go golang-1.8-src golang-1.8-doc golang-1.8
Architecture: source
Version: 1.8.1-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 golang-1.8 - Go programming language compiler - metapackage
 golang-1.8-doc - Go programming language - documentation
 golang-1.8-go - Go programming language compiler, linker, compiled stdlib
 golang-1.8-src - Go programming language - source files
Changes:
 golang-1.8 (1.8.1-1+deb9u3) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2017-15041: Go allows "go get" remote command execution. Using custom
     domains, it is possible to arrange things so that example.com/pkg1 points
     to a Subversion repository but example.com/pkg1/pkg2 points to a Git
     repository. If the Subversion repository includes a Git checkout in its
     pkg2 directory and some other work is done to ensure the proper ordering
     of operations, "go get" can be tricked into reusing this Git checkout for
     the fetch of code from pkg2. If the Subversion repository's Git checkout
     has malicious commands in .git/hooks/, they will execute on the system
     running "go get."
   * CVE-2018-16873: the "go get" command is vulnerable to remote code
     execution when executed with the -u flag and the import path of a
     malicious Go package, as it may treat the parent directory as a Git
     repository root, containing malicious configuration.
   * CVE-2018-16874: the "go get" command is vulnerable to directory traversal
     when executed with the import path of a malicious Go package which
     contains curly braces (both '{' and '}' characters). The attacker can
     cause an arbitrary filesystem write, which can lead to code execution.
   * CVE-2019-9741: in net/http, CRLF injection is possible if the attacker
     controls a url parameter, as demonstrated by the second argument to
     http.NewRequest with \r\n followed by an HTTP header or a Redis command.
   * CVE-2019-16276: Go allows HTTP Request Smuggling.
   * CVE-2019-17596: Go can panic upon an attempt to process network traffic
     containing an invalid DSA public key. There are several attack scenarios,
     such as traffic from a client to a server that verifies client
     certificates.
   * CVE-2021-3114: crypto/elliptic/p224.go can generate incorrect outputs,
     related to an underflow of the lowest limb during the final complete
     reduction in the P-224 field.
Checksums-Sha1:
 7a39c57c617c902f771abd501aa14079fbe28b48 2487 golang-1.8_1.8.1-1+deb9u3.dsc
 9b658aa9550f7d670432c248b7d92b86b0d67927 55268 golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
 5428980882a9e7f30b58fd3ed7b6bc9ae0476f80 6108 golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
Checksums-Sha256:
 d1f0313e04a375607c4b0bf9eaf90dbe807edefea658bc3a5abdf356fbc1fa42 2487 golang-1.8_1.8.1-1+deb9u3.dsc
 be9da23009cbcdf4bb1d1a791bbe6162e08ee6ab308382c1a54b04fc2d3696f8 55268 golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
 334da7fd343b56e38bc3ca6094d66f003e3aa8ea778477cc647132f722056862 6108 golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
Files:
 305adbdf62ed5d42391efc71e2117c20 2487 devel optional golang-1.8_1.8.1-1+deb9u3.dsc
 15fea76a9ab45ef8f795d19ab2eb8a1d 55268 devel optional golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
 6d3f0d703744cdfadcd053da7cc00cec 6108 devel optional golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
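The CVE-2019-9741 entry above describes attacker-controlled CR/LF reaching http.NewRequest. The following is an added example, not code from the Debian package or from Go's net/http, of validating a caller-supplied URL before building the request, so the rejection does not depend on the runtime's own control-character check (added in Go 1.12); the host api.example.invalid and the header name X-Injected are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrControlChar is returned when a caller-supplied URL contains an ASCII
// control character such as CR or LF; an unpatched net/http would have
// written such bytes straight into the request line (CVE-2019-9741).
var ErrControlChar = errors.New("url contains ASCII control character")

// hasControlChar reports whether s contains any byte below 0x20 or DEL.
func hasControlChar(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// NewSafeRequest validates rawURL before handing it to http.NewRequest:
// control characters and non-HTTP schemes are rejected up front.
func NewSafeRequest(method, rawURL string) (*http.Request, error) {
	if hasControlChar(rawURL) {
		return nil, ErrControlChar
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	return http.NewRequest(method, u.String(), nil)
}

// InjectedLines shows how many wire lines an unchecked CRLF would split
// the request line into; anything after the first is an injected line.
func InjectedLines(rawURL string) []string {
	return strings.Split(rawURL, "\r\n")
}

func main() {
	for _, raw := range []string{
		"http://api.example.invalid/v1/items?id=42",                  // constructed, benign
		"http://api.example.invalid/v1/items?id=42\r\nX-Injected: 1", // constructed, CRLF in query
	} {
		if _, err := NewSafeRequest("GET", raw); err != nil {
			fmt.Printf("rejected %q: %v (would have sent %d lines)\n", raw, err, len(InjectedLines(raw)))
			continue
		}
		fmt.Printf("accepted %q\n", raw)
	}
}
```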