NS-SA-2019-0047
2019-07-17 14:56:29
简介
important: golang/git security update
严重级别
important
主题
An update for golang/git is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
详细描述
golang: The Go Programming Language.
git: Git tools for working with bzr repositories.
Security Fix(es):
golang: An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side.(CVE-2017-15041)
golang: It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application.(CVE-2017-15042)
golang: An arbitrary command execution flaw was found in the way Go's "go get" command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side.(CVE-2018-6574)
golang: bugfix
git: An option injection flaw has been discovered in git when it recursively clones a repository with sub-modules. A remote attacker may configure a malicious repository and trick a user into recursively cloning it, thus executing arbitrary commands on the victim's machine.(CVE-2018-17456)
git: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F8.
影响组件
影响产品
- CGSL MAIN 5.04
- CGSL CORE 5.04
更新包
{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["golang-1.9.4-1.el7.x86_64.rpm","golang-bin-1.9.4-1.el7.x86_64.rpm","golang-docs-1.9.4-1.el7.noarch.rpm","golang-misc-1.9.4-1.el7.noarch.rpm","golang-src-1.9.4-1.el7.noarch.rpm","golang-tests-1.9.4-1.el7.noarch.rpm"],"source":"golang-1.9.4-1.el7.src.rpm"},{"binary":["perl-Git-SVN-1.8.3.1-20.el7.noarch.rpm","git-gnome-keyring-1.8.3.1-20.el7.x86_64.rpm","git-gui-1.8.3.1-20.el7.noarch.rpm","git-hg-1.8.3.1-20.el7.noarch.rpm","git-instaweb-1.8.3.1-20.el7.noarch.rpm","git-p4-1.8.3.1-20.el7.noarch.rpm","git-svn-1.8.3.1-20.el7.x86_64.rpm","gitk-1.8.3.1-20.el7.noarch.rpm","gitweb-1.8.3.1-20.el7.noarch.rpm","perl-Git-1.8.3.1-20.el7.noarch.rpm","emacs-git-1.8.3.1-20.el7.noarch.rpm","emacs-git-el-1.8.3.1-20.el7.noarch.rpm","git-1.8.3.1-20.el7.x86_64.rpm","git-all-1.8.3.1-20.el7.noarch.rpm","git-bzr-1.8.3.1-20.el7.noarch.rpm","git-cvs-1.8.3.1-20.el7.noarch.rpm","git-daemon-1.8.3.1-20.el7.x86_64.rpm","git-debuginfo-1.8.3.1-20.el7.x86_64.rpm","git-email-1.8.3.1-20.el7.noarch.rpm"],"source":"git-1.8.3.1-20.el7.src.rpm"}]},{"product":"CGSL CORE 5.04","pkgs":[{"binary":["golang-misc-1.9.4-1.el7.noarch.rpm","golang-src-1.9.4-1.el7.noarch.rpm","golang-tests-1.9.4-1.el7.noarch.rpm","golang-1.9.4-1.el7.x86_64.rpm","golang-bin-1.9.4-1.el7.x86_64.rpm","golang-docs-1.9.4-1.el7.noarch.rpm"],"source":"golang-1.9.4-1.el7.src.rpm"},{"binary":["perl-Git-1.8.3.1-20.el7.noarch.rpm","perl-Git-SVN-1.8.3.1-20.el7.noarch.rpm","emacs-git-1.8.3.1-20.el7.noarch.rpm","emacs-git-el-1.8.3.1-20.el7.noarch.rpm","git-1.8.3.1-20.el7.x86_64.rpm","git-all-1.8.3.1-20.el7.noarch.rpm","git-bzr-1.8.3.1-20.el7.noarch.rpm","git-cvs-1.8.3.1-20.el7.noarch.rpm","git-daemon-1.8.3.1-20.el7.x86_64.rpm","git-debuginfo-1.8.3.1-20.el7.x86_64.rpm","git-email-1.8.3.1-20.el7.noarch.rpm","git-gnome-keyring-1.8.3.1-20.el7.x86_64.rpm","git-gui-1.8.3.1-20.el7.noarch.rpm","git-hg-1.8.3.1-20.el7.noarch.rpm","git-instaweb-1.8.3.1-20.el7.noarch.rpm","git-p4-1.8.3.1-20.el7.noarch.rpm","git-svn-1.8.3.1-20.el7.x86_64.rpm","gitk-1.8.3.1-20.el7.noarch.rpm","gitweb-1.8.3.1-20.el7.noarch.rpm"],"source":"git-1.8.3.1-20.el7.src.rpm"}]}]}
CGSL MAIN 5.04
- golang-1.9.4-1.el7.src.rpm
- golang-1.9.4-1.el7.x86_64.rpm
- golang-bin-1.9.4-1.el7.x86_64.rpm
- golang-docs-1.9.4-1.el7.noarch.rpm
- golang-misc-1.9.4-1.el7.noarch.rpm
- golang-src-1.9.4-1.el7.noarch.rpm
- golang-tests-1.9.4-1.el7.noarch.rpm
- git-1.8.3.1-20.el7.src.rpm
- perl-Git-SVN-1.8.3.1-20.el7.noarch.rpm
- git-gnome-keyring-1.8.3.1-20.el7.x86_64.rpm
- git-gui-1.8.3.1-20.el7.noarch.rpm
- git-hg-1.8.3.1-20.el7.noarch.rpm
- git-instaweb-1.8.3.1-20.el7.noarch.rpm
- git-p4-1.8.3.1-20.el7.noarch.rpm
- git-svn-1.8.3.1-20.el7.x86_64.rpm
- gitk-1.8.3.1-20.el7.noarch.rpm
- gitweb-1.8.3.1-20.el7.noarch.rpm
- perl-Git-1.8.3.1-20.el7.noarch.rpm
- emacs-git-1.8.3.1-20.el7.noarch.rpm
- emacs-git-el-1.8.3.1-20.el7.noarch.rpm
- git-1.8.3.1-20.el7.x86_64.rpm
- git-all-1.8.3.1-20.el7.noarch.rpm
- git-bzr-1.8.3.1-20.el7.noarch.rpm
- git-cvs-1.8.3.1-20.el7.noarch.rpm
- git-daemon-1.8.3.1-20.el7.x86_64.rpm
- git-debuginfo-1.8.3.1-20.el7.x86_64.rpm
- git-email-1.8.3.1-20.el7.noarch.rpm
CGSL CORE 5.04
- golang-1.9.4-1.el7.src.rpm
- golang-misc-1.9.4-1.el7.noarch.rpm
- golang-src-1.9.4-1.el7.noarch.rpm
- golang-tests-1.9.4-1.el7.noarch.rpm
- golang-1.9.4-1.el7.x86_64.rpm
- golang-bin-1.9.4-1.el7.x86_64.rpm
- golang-docs-1.9.4-1.el7.noarch.rpm
- git-1.8.3.1-20.el7.src.rpm
- perl-Git-1.8.3.1-20.el7.noarch.rpm
- perl-Git-SVN-1.8.3.1-20.el7.noarch.rpm
- emacs-git-1.8.3.1-20.el7.noarch.rpm
- emacs-git-el-1.8.3.1-20.el7.noarch.rpm
- git-1.8.3.1-20.el7.x86_64.rpm
- git-all-1.8.3.1-20.el7.noarch.rpm
- git-bzr-1.8.3.1-20.el7.noarch.rpm
- git-cvs-1.8.3.1-20.el7.noarch.rpm
- git-daemon-1.8.3.1-20.el7.x86_64.rpm
- git-debuginfo-1.8.3.1-20.el7.x86_64.rpm
- git-email-1.8.3.1-20.el7.noarch.rpm
- git-gnome-keyring-1.8.3.1-20.el7.x86_64.rpm
- git-gui-1.8.3.1-20.el7.noarch.rpm
- git-hg-1.8.3.1-20.el7.noarch.rpm
- git-instaweb-1.8.3.1-20.el7.noarch.rpm
- git-p4-1.8.3.1-20.el7.noarch.rpm
- git-svn-1.8.3.1-20.el7.x86_64.rpm
- gitk-1.8.3.1-20.el7.noarch.rpm
- gitweb-1.8.3.1-20.el7.noarch.rpm
CVE
参考