Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.892592
Category:Debian Local Security Checks
Title:Debian LTS: Security Advisory for golang-1.8 (DLA-2592-1)
Summary:The remote host is missing an update for the 'golang-1.8'; package(s) announced via the DLA-2592-1 advisory.
Description:Summary:
The remote host is missing an update for the 'golang-1.8'
package(s) announced via the DLA-2592-1 advisory.

Vulnerability Insight:
Several vulnerabilities were discovered in the Go programming
language. An attacker could trigger a denial-of-service (DoS), bypasss
access control, and execute arbitrary code on the developer's
computer.

CVE-2017-15041

Go allows 'go get' remote command execution. Using custom
domains, it is possible to arrange things so that
example.com/pkg1 points to a Subversion repository but
example.com/pkg1/pkg2 points to a Git repository. If the
Subversion repository includes a Git checkout in its pkg2
directory and some other work is done to ensure the proper
ordering of operations, 'go get' can be tricked into reusing this
Git checkout for the fetch of code from pkg2. If the Subversion
repository's Git checkout has malicious commands in .git/hooks/,
they will execute on the system running 'go get.'

CVE-2018-16873

The 'go get' command is vulnerable to remote code execution when
executed with the -u flag and the import path of a malicious Go
package, as it may treat the parent directory as a Git repository
root, containing malicious configuration.

CVE-2018-16874

The 'go get' command is vulnerable to directory traversal when
executed with the import path of a malicious Go package which
contains curly braces (both '{' and '}' characters). The attacker
can cause an arbitrary filesystem write, which can lead to code
execution.

CVE-2019-9741

In net/http, CRLF injection is possible if the attacker controls a
url parameter, as demonstrated by the second argument to
http.NewRequest with \r\n followed by an HTTP header or a Redis
command.

CVE-2019-16276

Go allows HTTP Request Smuggling.

CVE-2019-17596

Go can panic upon an attempt to process network traffic containing
an invalid DSA public key. There are several attack scenarios,
such as traffic from a client to a server that verifies client
certificates.

CVE-2021-3114

crypto/elliptic/p224.go can generate incorrect outputs, related to
an underflow of the lowest limb during the final complete
reduction in the P-224 field.

Affected Software/OS:
'golang-1.8' package(s) on Debian Linux.

Solution:
For Debian 9 stretch, these problems have been fixed in version
1.8.1-1+deb9u3.

We recommend that you upgrade your golang-1.8 packages.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2019-9741
BugTraq ID: 107432
http://www.securityfocus.com/bid/107432
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOOVCEPQM7TZA6VEZEEB7QZABXNHQEHH/
https://github.com/golang/go/issues/30794
https://lists.debian.org/debian-lts-announce/2019/04/msg00007.html
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
RedHat Security Advisories: RHSA-2019:1300
https://access.redhat.com/errata/RHSA-2019:1300
RedHat Security Advisories: RHSA-2019:1519
https://access.redhat.com/errata/RHSA-2019:1519
Common Vulnerability Exposure (CVE) ID: CVE-2021-3114
Debian Security Information: DSA-4848 (Google Search)
https://www.debian.org/security/2021/dsa-4848
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
CopyrightCopyright (C) 2021 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.