Debian 9859 Published by

Updated golang packages has been released for Debian GNU/Linux 7 LTS



Package : golang
Version : 2:1.0.2-1.1+deb7u3
CVE ID : CVE-2018-7187

It was discovered that there was an arbitrary command execution
vulnerability in the Go programming language.

The "go get" implementation did not correctly validate "import path"
statements for "://" which allowed remote attackers to execute arbitrary
OS commands via a crafted web site.

For Debian 7 "Wheezy", this issue has been fixed in golang version
2:1.0.2-1.1+deb7u3.

We recommend that you upgrade your golang packages. The Debian LTS team
would like to thank Abhijith PA for preparing this update.