Just for the record, I requested CVEs for these issues yesterday. They got CVE-2017-15041 and CVE-2017-15042, respectively. It is already noted in the issues by rsc.
JC

----- Original Message -----
> From: "Chris Broadfoot" <c...@golang.org>
> To: "golang-nuts" <golang-nuts@googlegroups.com>
> Sent: Wednesday, October 4, 2017 10:33:32 PM
> Subject: [golang-dev] [security] Go 1.8.4 and Go 1.9.1 are released
>
> Hi gophers,
>
> Two security-related issues were recently reported.
> To address these issues, we have just released Go 1.8.4 and Go 1.9.1.
>
> We recommend that all users update to one of these releases (if you're not
> sure which, choose Go 1.9.1).
>
> The issues addressed by these releases are:
>
> By nesting a git checkout inside another version control repository, it was
> possible for an attacker to trick the "go get" command into executing
> arbitrary code. The go command now refuses to use version control checkouts
> found inside other version control systems, with an exception for git
> submodules (git inside git).
> The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
> https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
> Thanks to Simon Rawet for the report.
>
> In the smtp package, PlainAuth is documented as sending credentials only
> over authenticated, encrypted TLS connections, but it was changed in Go 1.1
> to also send credentials on non-TLS connections when the remote server
> advertises that PLAIN authentication is supported. The change was meant to
> allow use of PLAIN authentication on localhost, but it has the effect of
> allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now
> requires either TLS or a localhost connection before sending credentials,
> regardless of what the remote server claims.
> This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
> https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
> Thanks to Stevie Johnstone for the report.
>
> Downloads are available at https://golang.org/dl for all supported
> platforms.
>
> Cheers,
> Chris (on behalf of the Go team)
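The PlainAuth rule quoted above (credentials leave the client only over TLS or to a localhost peer, whatever the server advertises) can be checked in a client without touching the network. The wrapper below is an added example written for this thread, not code from the Go team or the Go standard library; the names `guardedAuth`, `GuardedPlainAuth`, `Decide` and the loopback names it treats as local are assumptions of the example. On Go 1.8.4/1.9.1 and later `smtp.PlainAuth` already enforces this itself, so the wrapper is redundant there; its value is in showing where the decision has to sit, which is in `Start`, before any credential bytes are produced.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// guardedAuth wraps any smtp.Auth and refuses to release credentials unless
// the connection is TLS-protected or local. Hypothetical type for this
// example; it mirrors the PlainAuth rule described in the announcement.
type guardedAuth struct {
	inner smtp.Auth
}

// isLocalhost: only these names count as a local connection (assumption of
// the example; the announcement says "localhost" without listing names).
func isLocalhost(name string) bool {
	return name == "localhost" || name == "127.0.0.1" || name == "::1"
}

// Start runs before any credential bytes leave the client. If the session is
// plaintext and the peer is not local, nothing the server advertised in
// server.Auth is trusted: a man-in-the-middle can advertise PLAIN too.
func (g guardedAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS && !isLocalhost(server.Name) {
		return "", nil, errors.New("guardedAuth: refusing to send credentials over an unencrypted, non-local connection")
	}
	return g.inner.Start(server)
}

// Next forwards any server challenge to the wrapped mechanism unchanged.
func (g guardedAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return g.inner.Next(fromServer, more)
}

// GuardedPlainAuth builds a PLAIN authenticator with the guard in front of it.
func GuardedPlainAuth(identity, username, password, host string) smtp.Auth {
	return guardedAuth{inner: smtp.PlainAuth(identity, username, password, host)}
}

// Decide reports the mechanism name chosen and the error, if any, for a server
// with the given name, TLS state and advertised mechanisms. Credential bytes
// are only produced when err == nil.
func Decide(a smtp.Auth, serverName string, tlsOn bool, advertised []string) (string, error) {
	proto, _, err := a.Start(&smtp.ServerInfo{Name: serverName, TLS: tlsOn, Auth: advertised})
	return proto, err
}

func main() {
	// Constructed scenarios with made-up credentials; no connection is opened.
	auth := GuardedPlainAuth("", "user@example.com", "hunter2", "mail.example.com")
	for _, tc := range []struct {
		name string
		tls  bool
	}{
		{"mail.example.com", false}, // plaintext, server claims PLAIN: refused
		{"mail.example.com", true},  // TLS: credentials released
	} {
		proto, err := Decide(auth, tc.name, tc.tls, []string{"PLAIN"})
		fmt.Printf("server=%s tls=%v -> proto=%q err=%v\n", tc.name, tc.tls, proto, err)
	}
	local := GuardedPlainAuth("", "user", "hunter2", "localhost")
	proto, err := Decide(local, "localhost", false, []string{"PLAIN"})
	fmt.Printf("server=localhost tls=false -> proto=%q err=%v\n", proto, err)
}
```

Note that the guard ignores `server.Auth` entirely when the session is plaintext: on an unencrypted connection the advertised mechanism list is attacker-controlled, so it cannot be the basis for the decision.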
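The "go get" fix quoted above is a rule about layout on disk: a checkout of one version control system found inside a checkout of another is refused, except git inside git (submodules). The scanner below, an added example that is not the go command's own implementation, applies that rule to a directory tree so a dependency tree fetched with an older toolchain can be audited. The marker names it recognises, the `NestedCheckouts`/`BuildSample` names and the sample layout it constructs in a temporary directory are all assumptions of the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// vcsMarkers maps the metadata entry each tool leaves at a checkout root to
// the tool's name. A git submodule has a .git *file*, so files are matched too.
var vcsMarkers = map[string]string{
	".git": "git",
	".hg":  "hg",
	".svn": "svn",
	".bzr": "bzr",
}

type checkout struct {
	dir, kind string
}

// NestedCheckouts walks root and reports every VCS checkout that sits inside
// a checkout of a different system, mirroring the rule the release describes.
// git-inside-git is skipped because that is how submodules look on disk.
// Returned strings are relative to root so results are stable across runs.
func NestedCheckouts(root string) ([]string, error) {
	var roots []checkout
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		kind, ok := vcsMarkers[info.Name()]
		if !ok {
			return nil
		}
		roots = append(roots, checkout{dir: filepath.Dir(p), kind: kind})
		if info.IsDir() {
			return filepath.SkipDir // no need to descend into metadata
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, inner := range roots {
		for _, outer := range roots {
			if !strings.HasPrefix(inner.dir, outer.dir+string(filepath.Separator)) {
				continue // outer is not an ancestor of inner
			}
			if inner.kind == "git" && outer.kind == "git" {
				continue // submodule exception
			}
			in, _ := filepath.Rel(root, inner.dir)
			out, _ := filepath.Rel(root, outer.dir)
			findings = append(findings, fmt.Sprintf("%s checkout at %s is inside %s checkout at %s",
				inner.kind, filepath.ToSlash(in), outer.kind, filepath.ToSlash(out)))
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// BuildSample creates a constructed tree under root: an hg repo with a git
// checkout nested in it (refused), and a git repo with a submodule (allowed)
// and an svn checkout nested in it (refused). No real VCS data is written.
func BuildSample(root string) error {
	for _, d := range []string{"hgrepo/.hg", "hgrepo/sub/.git", "gitrepo/.git", "gitrepo/modules/lib", "gitrepo/third/.svn"} {
		if err := os.MkdirAll(filepath.Join(root, filepath.FromSlash(d)), 0o755); err != nil {
			return err
		}
	}
	// A submodule's .git is a file pointing at the superproject's metadata.
	return os.WriteFile(filepath.Join(root, "gitrepo", "modules", "lib", ".git"),
		[]byte("gitdir: ../../.git/modules/lib\n"), 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "nested-vcs-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildSample(root); err != nil {
		panic(err)
	}
	findings, err := NestedCheckouts(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run it against a real `GOPATH/src` instead of the sample tree to list the checkouts the patched go command would refuse.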