CVE-2017-15041

Priority
Description
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command
execution. Using custom domains, it is possible to arrange things so that
example.com/pkg1 points to a Subversion repository but
example.com/pkg1/pkg2 points to a Git repository. If the Subversion
repository includes a Git checkout in its pkg2 directory and some other
work is done to ensure the proper ordering of operations, "go get" can be
tricked into reusing this Git checkout for the fetch of code from pkg2. If
the Subversion repository's Git checkout has malicious commands in
.git/hooks/, they will execute on the system running "go get."
Notes
 mdeslaur> This fix will not require packages to be rebuilt
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Trusty/esm:DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Trusty/esm:DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Trusty/esm:DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):needs-triage
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:released (1.8.4)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Trusty/esm:DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 18.10 (Cosmic Cuttlefish):needs-triage
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://go-review.googlesource.com/c/go/+/68190
Package
Upstream:released (1.9.1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Trusty/esm:DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (1.9.4-1ubuntu1)
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected (1.9.4-1ubuntu1)
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://go-review.googlesource.com/c/go/+/68022
More Information

Updated: 2019-04-26 14:20:15 UTC (commit 30899e40836d26e1bb5f0b072d31fd87b6cf3bd4)