Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds

Go 1.11.3 and Go 1.10.6 released with fixes to security issues

Save for later
  • 3 min read
  • 14 Dec 2018

article-image
Yesterday, the Go team released Go 1.11.3 and Go 1.10.6.  The Go team recommends all users to update to one of these releases. If you’re not sure which one to update to, choose Go 1.11.3. These releases have addressed the following security issues:

cmd/go: Remote command execution during "go get -u"


The go get -u  command downloads, updates, and builds source code and is not supposed to execute arbitrary code. With the help of custom domains, it’s possible to get a Git repository cloned to a folder named .git by using a vanity import path that ends with /.git.

If the Git repository root contains a HEAD file, an object directory, a config file, a refsdirectory, then go get -u can be used for considering the parent directory as a repository root, and running Git commands on it. This will help in using the config file in the original Git repository root for its configuration. In case, the config file contains malicious commands, they will execute on the system running go get -u.

cmd/go: Directory traversal in "go get" via curly braces in import paths


The go get command downloads and builds source code. It is strictly not supposed to allow arbitrary filesystem writes. The go get command becomes vulnerable to remote code execution when it is executed with -u flag or with the import path of a malicious Go package, which contains curly braces (both { and } characters). It is only vulnerable in GOPATH mode and not in module mode. The attacker can create an arbitrary filesystem write, which can further lead to code execution.

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime

crypto/x509: CPU denial of service in chain validation


Package crypto/x509 parses and also validates X.509 encoded keys and certificates. It should handle certificate chains which are provided by an attacker with reasonable resource use. This package does not limit the work performed for each chain verification and might help attackers to craft pathological inputs, further leading to a CPU denial of service. The Go TLS servers that accept client certificates and the TLS clients that verify certificates get affected.

The functionality regression in "go get" when executed in GOPATH mode on an import path pattern containing "..."  is not present in the GOPATH workspace. This issue will be resolved in the next releases, Go 1.11.4 and Go 1.10.7.

This update has received a mixed reaction from the users. As few users think that if the Go team should have used context. WithTimeout or even TLSHandshakeTimeout for safety on the old Go. Other users have appreciated the efforts taken by the Go team.

https://twitter.com/Olivier_Poitrey/status/1073362114570416128

To know more about this release, check out the official announcement.

The Golang team has started working on Go 2 proposals

TypeScript 3.2 released with configuration inheritance and more

Haskell is moving to GitLab due to issues with Phabricator