CVE-2017-15042

Priority
Description
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before
1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only
be used on network connections secured with TLS. The original
implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and
it was documented to do so. In 2013 (upstream issue #5184), this was changed
so that the server may decide whether PLAIN is acceptable. The result is
that if you set up a man-in-the-middle SMTP server that doesn't advertise
STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth
implementation sends the username and password.
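
A caller can enforce the RFC 4954 rule itself, whatever the server advertises. The following is an added example, not code from Go or from this tracker: `tlsOnlyAuth`, `serverDecides`, `wouldSend` and the host `mail.example.test` are hypothetical names, and `serverDecides` only models the server-decides rule as the description states it.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

var errCleartextPlain = errors.New("smtp: refusing PLAIN auth without TLS")

// tlsOnlyAuth (hypothetical wrapper) delegates to the inner smtp.Auth only on
// a TLS connection. The EHLO mechanism list is ignored: the peer controls it.
type tlsOnlyAuth struct{ inner smtp.Auth }

func (a tlsOnlyAuth) Start(s *smtp.ServerInfo) (string, []byte, error) {
	if !s.TLS {
		return "", nil, errCleartextPlain
	}
	return a.inner.Start(s)
}

func (a tlsOnlyAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

// serverDecides models the 2013 rule: without TLS, a server listing PLAIN is enough.
func serverDecides(s *smtp.ServerInfo) bool {
	for _, m := range s.Auth {
		if m == "PLAIN" {
			return true
		}
	}
	return s.TLS
}

// wouldSend reports whether the wrapper releases credentials to server s.
func wouldSend(s *smtp.ServerInfo) bool {
	auth := tlsOnlyAuth{smtp.PlainAuth("", "user", "constructed-password", s.Name)}
	_, _, err := auth.Start(s)
	return err == nil
}

func main() {
	// Constructed ServerInfo values; no network connection is made.
	for _, tls := range []bool{false, true} {
		s := &smtp.ServerInfo{Name: "mail.example.test", TLS: tls, Auth: []string{"PLAIN"}}
		fmt.Printf("TLS=%v server-decides=%v wrapper-sends=%v\n", tls, serverDecides(s), wouldSend(s))
	}
}
```

Passing `tlsOnlyAuth{...}` to `smtp.SendMail` or `(*smtp.Client).Auth` makes authentication fail closed when STARTTLS was not negotiated.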
Notes
 mdeslaur> Packages built using golang need to be rebuilt once the
 mdeslaur> vulnerability has been fixed. This CVE entry does not
 mdeslaur> list packages that need rebuilding outside of the main
 mdeslaur> repository or the Ubuntu variants with PPA overlays.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 18.10 (Cosmic Cuttlefish): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 18.10 (Cosmic Cuttlefish): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Package
Upstream: needed
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 18.10 (Cosmic Cuttlefish): needed
Ubuntu 19.04 (Disco Dingo): needed
Package
Upstream: released (1.8.4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 18.10 (Cosmic Cuttlefish): needed
Ubuntu 19.04 (Disco Dingo): needed
Patches:
Upstream: https://go-review.googlesource.com/c/go/+/68023
Package
Upstream: released (1.9.1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (1.9.4-1ubuntu1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (1.9.4-1ubuntu1)
Ubuntu 19.04 (Disco Dingo): not-affected (1.9.4-1ubuntu1)
Patches:
Upstream: https://go-review.googlesource.com/c/go/+/68210
More Information

Updated: 2019-01-14 21:24:19 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)