First published: Wed Dec 06 2023
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for that module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Credit: security@golang.org
Affected Software | Affected Version | How to fix |
---|---|---|
Golang Go | <1.20.12 | |
Golang Go | >=1.21.0-0 <1.21.5 | |
redhat/golang | <1.20.12 | 1.20.12 |
redhat/golang 1.21.0 | <0 | 0 |
redhat/golang | <1.21.5 | 1.21.5 |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~20.04.1 | 1.20.3-1ubuntu0.1~20.04.1 |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~22.04.1 | 1.20.3-1ubuntu0.1~22.04.1 |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.2 | 1.20.3-1ubuntu0.2 |
ubuntu/golang-1.20 | <1.20.8-1ubuntu0.23.10.1 | 1.20.8-1ubuntu0.23.10.1 |
ubuntu/golang-1.20 | <1.20.12-1 | 1.20.12-1 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu20.04.2 | 1.21.1-1~ubuntu20.04.2 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu22.04.2 | 1.21.1-1~ubuntu22.04.2 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu23.04.2 | 1.21.1-1~ubuntu23.04.2 |
ubuntu/golang-1.21 | <1.21.1-1ubuntu0.23.10.1 | 1.21.1-1ubuntu0.23.10.1 |
ubuntu/golang-1.21 | <1.21.5-1 | 1.21.5-1 |
debian/golang-1.11 | <=1.11.6-1+deb10u4, <=1.11.6-1+deb10u7 | |
debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
debian/golang-1.19 | <=1.19.8-2 | |
debian/golang-1.21 | 1.21.10-1 |
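
The conditions in the description and the Golang Go version ranges in the table above, combined into one triage check. This is an added example, not code from the Go project or from this advisory. The function names, the example.org module path and the handling of a `direct` entry in GOPROXY (Go's keyword for fetching from the VCS host) are assumptions, and GOPRIVATE/GONOPROXY bypasses are not considered.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedVersion applies the ranges listed on this page: <1.20.12, or
// >=1.21.0-0 and <1.21.5. Input looks like `go version` output, e.g. "go1.21.3".
func affectedVersion(v string) (bool, error) {
	var n [3]int // major, minor, patch; a missing component counts as 0
	parts := strings.SplitN(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".", 3)
	for i, p := range parts {
		end := 0
		for end < len(p) && p[end] >= '0' && p[end] <= '9' {
			end++ // leading digits only, so "21rc2" counts as a 1.21.0 pre-release
		}
		if end == 0 {
			return false, fmt.Errorf("unparseable Go version %q", v)
		}
		n[i], _ = strconv.Atoi(p[:end])
	}
	return n[0] == 1 && (n[1] < 20 || (n[1] == 20 && n[2] < 12) || (n[1] == 21 && n[2] < 5)), nil
}

// mayFetchDirectly: "off" is this page's wording; "direct" is assumed to count too.
func mayFetchDirectly(goproxy string) bool {
	isSep := func(r rune) bool { return r == ',' || r == '|' }
	for _, e := range strings.FieldsFunc(goproxy, isSep) {
		if e = strings.TrimSpace(e); e == "off" || e == "direct" {
			return true
		}
	}
	return false
}

// exposed: affected toolchain + direct fetching + a ".git" element in the module path.
func exposed(goVersion, goproxy, modPath string) (bool, error) {
	hasGit := false
	for _, el := range strings.Split(modPath, "/") {
		hasGit = hasGit || strings.HasSuffix(el, ".git")
	}
	old, err := affectedVersion(goVersion)
	return old && hasGit && mayFetchDirectly(goproxy), err
}

func main() {
	fmt.Println(exposed("go1.21.3", "direct", "example.org/team/repo.git")) // constructed input
}
```

Feed it the values reported by `go version` and `go env GOPROXY` on each build host, together with the module paths from go.mod.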