CVE-2023-39320

Name: CVE-2023-39320
Description: The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-1.21 (PTS) | trixie | 1.21.9-1 | fixed |
| golang-1.21 (PTS) | sid | 1.21.10-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-1.21 | source | (unstable) | 1.21.1-1 | | | |

Notes

https://go.dev/issue/62198
https://github.com/golang/go/commit/d25a935574efd573668d8ce9ea4cfc530bb63ecb (go1.21.1)
https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
