Security update for go SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0589-1 Final 1 1 2018-03-02T15:17:34Z current 2018-03-02T15:17:34Z 2018-03-02T15:17:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go This update for go fixes the following issues: Security issues fix in version 1.9.4: - CVE-2018-6574: 'go get' remote command execution during source code build (bsc#1080006). Bug fixes: - bsc#1082409: Review dependencies (requires, recommends and supports). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-218 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1080006 SUSE Bug 1080006 https://bugzilla.suse.com/1082409 SUSE Bug 1082409 https://www.suse.com/security/cve/CVE-2018-6574/ SUSE CVE CVE-2018-6574 page SUSE Package Hub 12 go-1.9.4-15.1 go-doc-1.9.4-15.1 go-race-1.9.4-15.1 go1.9-1.9.4-5.1 go1.9-doc-1.9.4-5.1 go1.9-race-1.9.4-5.1 go-1.9.4-15.1 as a component of SUSE Package Hub 12 go-doc-1.9.4-15.1 as a component of SUSE Package Hub 12 go-race-1.9.4-15.1 as a component of SUSE Package Hub 12 go1.9-1.9.4-5.1 as a component of SUSE Package Hub 12 go1.9-doc-1.9.4-5.1 as a component of SUSE Package Hub 12 go1.9-race-1.9.4-5.1 as a component of SUSE Package Hub 12 Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. CVE-2018-6574 SUSE Package Hub 12:go-1.9.4-15.1 SUSE Package Hub 12:go-doc-1.9.4-15.1 SUSE Package Hub 12:go-race-1.9.4-15.1 SUSE Package Hub 12:go1.9-1.9.4-5.1 SUSE Package Hub 12:go1.9-doc-1.9.4-5.1 SUSE Package Hub 12:go1.9-race-1.9.4-5.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-6574.html CVE-2018-6574 https://bugzilla.suse.com/1080006 SUSE Bug 1080006