CVE-2017-15042

Name: CVE-2017-15042
Description: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013 (upstream issue #5184) this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
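The defensive check the description refers to, written out as an added example rather than Go's own net/smtp code: an smtp.Auth implementation (hypothetical names tlsOnlyPlainAuth and NewTLSOnlyPlainAuth) that withholds PLAIN credentials unless the session is already TLS-protected or the peer is loopback, regardless of what AUTH mechanisms the server advertises.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// tlsOnlyPlainAuth (hypothetical name) is an smtp.Auth that sends PLAIN
// credentials only over a TLS-protected session or to a loopback peer,
// the RFC 4954 rule that Go 1.8.4 / 1.9.1 restored in smtp.PlainAuth.
type tlsOnlyPlainAuth struct {
	identity, username, password, host string
}

// NewTLSOnlyPlainAuth mirrors the smtp.PlainAuth constructor signature.
func NewTLSOnlyPlainAuth(identity, username, password, host string) smtp.Auth {
	return &tlsOnlyPlainAuth{identity, username, password, host}
}

func isLocalhost(name string) bool {
	return name == "localhost" || name == "127.0.0.1" || name == "::1"
}

// Start runs after EHLO and any STARTTLS. Without TLS nothing in ServerInfo
// can be trusted, so the advertised AUTH list is ignored and no secret is sent.
func (a *tlsOnlyPlainAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS && !isLocalhost(server.Name) {
		return "", nil, errors.New("unencrypted connection: refusing PLAIN auth")
	}
	if server.Name != a.host {
		return "", nil, errors.New("wrong host name")
	}
	// RFC 4616 PLAIN message: authzid NUL authcid NUL passwd.
	return "PLAIN", []byte(a.identity + "\x00" + a.username + "\x00" + a.password), nil
}

// Next: PLAIN is single-step, so any further server challenge is an error.
func (a *tlsOnlyPlainAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		return nil, errors.New("unexpected server challenge")
	}
	return nil, nil
}

func main() {
	// Constructed sample: a plaintext session whose server advertises PLAIN.
	srv := &smtp.ServerInfo{Name: "mail.example.com", TLS: false, Auth: []string{"PLAIN"}}
	_, _, err := NewTLSOnlyPlainAuth("", "user", "secret", "mail.example.com").Start(srv)
	fmt.Println("auth attempt:", err) // non-nil error; no credentials were emitted
}
```

Passing this value to smtp.SendMail or Client.Auth gives the pre-1.8.4 toolchain the behaviour the fixed releases ship by default.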

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release             Version              Status
golang (PTS)        wheezy              2:1.0.2-1.1          fixed
                    wheezy (security)   2:1.0.2-1.1+deb7u2   fixed
                    jessie              2:1.3.3-1            vulnerable
golang-1.7 (PTS)    stretch             1.7.4-2              vulnerable
                    buster              1.7.6-1              vulnerable
                    sid                 1.7.6-2              vulnerable
golang-1.8 (PTS)    stretch             1.8.1-1              vulnerable
                    sid                 1.8.5-1              fixed
golang-1.9 (PTS)    buster, sid         1.9.2-4              fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
golang        source   (unstable)   (unfixed)        medium
golang        source   wheezy       (not affected)
golang-1.7    source   (unstable)   (unfixed)        medium
golang-1.8    source   (unstable)   1.8.4-1          medium
golang-1.9    source   (unstable)   1.9.1-1          medium

Notes

[stretch] - golang-1.8 <ignored> (Minor issue, would require builds of all go packages in stable)
[stretch] - golang-1.7 <ignored> (Minor issue, would require builds of all go packages in stable)
[jessie] - golang <ignored> (Minor issue, would require builds of all go packages in stable)
[wheezy] - golang <not-affected> (Vulnerable code introduced later in version 1.1)
https://github.com/golang/go/issues/22134
https://golang.org/cl/68023
https://golang.org/cl/68210
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
