|Description||The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)|
|References||DLA-1294-1, DSA-4379-1, DSA-4380-1|
|Debian Bugs||895663, 895664, 895665|
The information below is based on the following data on fixed versions.
[jessie] - golang <ignored> (Minor issue)