github.com/golang/go is vulnerable to remote code execution (RCE). If custom import path domains are used, a malicious user can set a domain example.com/proj1 to point to a subversion repository and another domain example.com/proj1/proj2 to point to a git repository. When the go get command is run, arbitrary commands in the subversion repository's .git/hooks/ directory are executed on the system that ran the command.
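As an added defensive check, not code from the Go project or from this advisory, the following Go program scans a checked-out source tree for the nested layout described above: a git checkout whose .git/hooks directory contains executable scripts while an ancestor directory is a subversion checkout. Type and function names (Finding, FindNestedGitHooks, enclosingSvnRoot) are assumptions of this example.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is an executable git hook whose .git directory sits below a subversion checkout.
type Finding struct {
	SvnRoot string // nearest ancestor directory holding .svn
	Hook    string // executable script under the nested .git/hooks
}

// FindNestedGitHooks walks root and reports executable hook scripts in any .git/hooks
// directory below a directory containing .svn. Git's *.sample hooks are skipped.
func FindNestedGitHooks(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() || d.Name() != ".git" {
			return err // propagate walk errors; ignore everything but .git dirs
		}
		svnRoot := enclosingSvnRoot(filepath.Dir(path), root)
		if svnRoot == "" {
			return filepath.SkipDir // plain git checkout, not the nested case
		}
		entries, _ := os.ReadDir(filepath.Join(path, "hooks"))
		for _, e := range entries {
			info, ierr := e.Info()
			if ierr != nil || e.IsDir() || strings.HasSuffix(e.Name(), ".sample") || info.Mode()&0o111 == 0 {
				continue
			}
			findings = append(findings, Finding{svnRoot, filepath.Join(path, "hooks", e.Name())})
		}
		return filepath.SkipDir
	})
	return findings, err
}

// enclosingSvnRoot returns the nearest directory at or above dir (not above root) holding .svn, or "".
func enclosingSvnRoot(dir, root string) string {
	for ; ; dir = filepath.Dir(dir) {
		if st, err := os.Stat(filepath.Join(dir, ".svn")); err == nil && st.IsDir() {
			return dir
		}
		if dir == root || dir == filepath.Dir(dir) {
			return ""
		}
	}
}
```

Run it over a GOPATH or module cache after fetching untrusted sources; a non-empty result is the layout to inspect before anything in that tree is built or executed.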
www.securityfocus.com/bid/101196
access.redhat.com/errata/RHSA-2017:3463
access.redhat.com/errata/RHSA-2018:0878
access.redhat.com/security/updates/classification/#moderate
github.com/golang/go/issues/22125
golang.org/cl/68022
golang.org/cl/68190
groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
lists.debian.org/debian-lts-announce/2021/03/msg00014.html
lists.debian.org/debian-lts-announce/2021/03/msg00015.html
security.gentoo.org/glsa/201710-23