Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: remote command execution during "go get -u" #29230

Closed
dmitshur opened this issue Dec 13, 2018 · 4 comments
Closed

cmd/go: remote command execution during "go get -u" #29230

dmitshur opened this issue Dec 13, 2018 · 4 comments
Labels
FrozenDueToAge Security
Milestone
Go1.12

Comments

@dmitshur
Copy link
Contributor

dmitshur commented Dec 13, 2018
edited by FiloSottile
Loading

go get -u downloads, updates, and builds source code. It is not supposed to execute arbitrary code.

The go get command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it’s possible to arrange things so that a Git repository is cloned to a folder named .git by using a vanity import path that ends with /.git. If the Git repository root contains a HEAD file, a config file, an objects directory, a refs directory, with some work to ensure the proper ordering of operations, go get -u can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the config file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running go get -u.

Note that forbidding import paths with a .git element might not be sufficient to mitigate this issue, as on certain systems there can be other aliases for VCS state folders.

Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.

This issue is CVE-2018-16873.
@dmitshur dmitshur added this to the Go1.12 milestone Dec 13, 2018
This was referenced Dec 13, 2018
Closed
Closed
@FiloSottile
Copy link
Contributor

Fixed in Go 1.11.3 by 8954add and 5aedc8a.
Fixed in Go 1.10.6 by 90d609b and 7ef6ee2.

@FiloSottile FiloSottile mentioned this issue Dec 13, 2018
Closed
@thaJeztah thaJeztah mentioned this issue Dec 13, 2018
Merged
thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018
@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875)
8afe9f4 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
6b7c093 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/154101 mentions this issue: cmd/go: reject 'get' of paths containing leading dots or unsupported characters

@thaJeztah thaJeztah mentioned this issue Dec 13, 2018
Merged
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/154104 mentions this issue: cmd/go/internal/get: relax pathOK check to allow any letter

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/154102 mentions this issue: cmd/go/internal/get: reject Windows shortnames as path components

thaJeztah added a commit to thaJeztah/golang-cross that referenced this issue Dec 13, 2018
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
639c177 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Dec 13, 2018
Merged
thaJeztah added a commit to thaJeztah/golang-cross that referenced this issue Dec 14, 2018
@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875)
af3e6d2 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Dec 14, 2018
Merged
thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 14, 2018
@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875)
fced1ab 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Dec 14, 2018
Merged
thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 14, 2018
@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875)
6c3a10a 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <[email protected]>
gopherbot pushed a commit that referenced this issue Dec 14, 2018
@dmitshur
cmd/go/internal/get: reject Windows shortnames as path components
4ab6fb1 
Updates #29230

Change-Id: Ia32d8ec1fc0c4e242f50d8871c0ef3ce315f3c65
Reviewed-on: https://team-review.git.corp.google.com/c/370571
Reviewed-by: Russ Cox <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/154102
Reviewed-by: Bryan C. Mills <[email protected]>
gopherbot pushed a commit that referenced this issue Dec 14, 2018
@dmitshur
cmd/go/internal/get: relax pathOK check to allow any letter
9c075b7 
This fixes a regression of #18660 with the new path checks.

Updates #29230

Change-Id: I2dd9adab999e7f810e0e746ad8b75ea9622f56e7
Reviewed-on: https://team-review.git.corp.google.com/c/370578
Reviewed-by: Russ Cox <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/154104
Reviewed-by: Bryan C. Mills <[email protected]>
thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
985d53d 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Dec 14, 2018
Merged
thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
6b8b8fe 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
517a30b 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Dec 15, 2018
@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875)
3e10549 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 8afe9f422dc0183ce48e1db09189ccbde634080a
Component: engine
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Dec 15, 2018
@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875)
c86a836 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 6c3a10aaede0cfc54cb5befbb70d6357d08d75b7
Component: cli
@nkovacs nkovacs mentioned this issue Dec 17, 2018
Closed
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Dec 17, 2018
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
d77eaad 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 517a30b
Component: packaging
thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 19, 2018
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
deaf6e1 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Dec 19, 2018
Merged
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Dec 19, 2018
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
8698a97 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 6b7c093b0de21d574ce120aee891e60187749174
Component: engine
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jan 8, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
4254022 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: deaf6e13ab067e6794d20ec980b4ae216b65d07c
Component: cli
thaJeztah added a commit to thaJeztah/cli that referenced this issue Mar 4, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
0d239af 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit deaf6e1)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/cli that referenced this issue Mar 28, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
9bc199d 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit deaf6e1)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/cli that referenced this issue Mar 28, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
02628ab 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit deaf6e1)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
adhulipa pushed a commit to adhulipa/docker that referenced this issue Apr 11, 2019
@thaJeztah @adhulipa
Bump Golang 1.11.3 (CVE-2018-16875)
d3287e7 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/cli that referenced this issue Apr 14, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
cb434ae 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit deaf6e1)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/cli that referenced this issue May 20, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
4817765 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit deaf6e1)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/cli that referenced this issue Jun 14, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
a378a00 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit deaf6e1)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/docker that referenced this issue Jun 20, 2019
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
19d37c9 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 6b7c093)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Jul 8, 2019
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
17565b9 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 517a30b)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jul 24, 2019
@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
73bc01b 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit deaf6e13ab067e6794d20ec980b4ae216b65d07c)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: a378a009541cf2377e6410c28183d7710ad37ed6
Component: cli
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jul 24, 2019
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
b71651c 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 6b7c093b0de21d574ce120aee891e60187749174)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 19d37c9a337e82e0e8ce0ff28271739e8ec78e83
Component: engine
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Aug 7, 2019
@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
19cae16 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 517a30b)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 17565b93d361b1b189962b3e98c431316a7cc628
Component: packaging
@golang golang locked and limited conversation to collaborators Dec 14, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Security
Projects
None yet
Milestone
Go1.12
Development

No branches or pull requests
3 participants
@FiloSottile @dmitshur @gopherbot