UBUNTU-CVE-2023-45285

Details

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

Affected Packages

Ubuntu:20.04:LTSgolang-1.20

Affected versions:

1.20.3-1ubuntu0.1~20.04

Fixed in:

1.20.3-1ubuntu0.1~20.04.1

Ubuntu:22.04:LTSgolang-1.20

Affected versions:

1.20.3-1ubuntu0.1~22.04

Fixed in:

1.20.3-1ubuntu0.1~22.04.1

Ubuntu:20.04:LTSgolang-1.21

Affected versions:

1.21.1-1~ubuntu20.04.1

Fixed in:

1.21.1-1~ubuntu20.04.2

Ubuntu:22.04:LTSgolang-1.21

Affected versions:

1.21.1-1~ubuntu22.04.1

Fixed in:

1.21.1-1~ubuntu22.04.2

Ubuntu:24.04:LTSgolang-1.21

Affected versions:

1.21.1-11.21.3-11.21.4-1

Fixed in:

1.21.5-1

References

REPORThttps://github.com/golang/go/commit/23c943e5296c6fa3a6f9433bd929306c4dbf2aa3 REPORThttps://github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd REPORThttps://go.dev/issue/63845 REPORThttps://ubuntu.com/security/CVE-2023-45285 REPORThttps://ubuntu.com/security/notices/USN-6574-1 REPORThttps://www.cve.org/CVERecord?id=CVE-2023-45285

UBUNTU-CVE-2023-45285

Details

Affected Packages

References

CVSS Analysis

Related

Ecosystems

Timeline