Source: gopls
Version: 2:0.21.1+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/golang/go/issues/79211
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gopls.

CVE-2026-42503[0]:
| gopls by default communicates via pipe. However, -port and -listen
| flags are supported as means of debugging. If -listen is given a
| value without an explicit host (e.g. :8080), or -port is used, gopls
| will listen on 0.0.0.0. As a result, users might inadvertently
| cause gopls to bind 0.0.0.0. This can allow a malicious party on the
| same network to execute code arbitrarily via gopls.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42503
    https://www.cve.org/CVERecord?id=CVE-2026-42503
[1] https://github.com/golang/go/issues/79211
[2] https://go-review.googlesource.com/c/tools/+/774381/
[3] https://github.com/golang/tools/commit/90abdab4cf0af205d3d2212c73526b58c97d0bf6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
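The mechanism behind the quoted description is Go's own address handling: a "host:port" string with an empty host (":8080") or an unspecified host (0.0.0.0, [::]) makes net.Listen bind every interface. The following Go program is an added example written for this note; it is not gopls code and not part of the bug report. BindsAllInterfaces and IsLoopbackOnly are hypothetical helper names that classify a -listen style address the way an operator or a wrapper script might want to before starting a debug listener, and ActualBindHost confirms the classification by opening an ephemeral-port listener and reporting the host the OS actually bound. The addresses in main (including 192.0.2.10, a documentation-range IP) are constructed sample input.

```go
package main

import (
	"fmt"
	"net"
)

// BindsAllInterfaces reports whether a -listen style "host:port" address would
// bind every interface. The report names the trigger: an address with no
// explicit host (":8080"). An explicitly unspecified host (0.0.0.0 / [::])
// has the same effect, so it is treated the same way here.
// Hypothetical helper written for this note; it is not gopls code.
func BindsAllInterfaces(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	if host == "" {
		return true, nil // ":8080": the OS chooses 0.0.0.0 / [::]
	}
	if ip := net.ParseIP(host); ip != nil && ip.IsUnspecified() {
		return true, nil // "0.0.0.0:8080", "[::]:8080"
	}
	return false, nil
}

// IsLoopbackOnly reports whether the address confines the listener to the
// local host ("localhost" or a loopback IP such as 127.0.0.1 or ::1).
// Hypothetical helper, not gopls code.
func IsLoopbackOnly(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	if host == "localhost" {
		return true, nil
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback(), nil
}

// ActualBindHost opens a real TCP listener on the given host with port 0
// (ephemeral, so it runs anywhere without a port clash), closes it again,
// and returns the host the OS actually bound. An empty host reproduces the
// ":8080" case from the report and comes back as "::" or "0.0.0.0".
func ActualBindHost(host string) (string, error) {
	ln, err := net.Listen("tcp", net.JoinHostPort(host, "0"))
	if err != nil {
		return "", err
	}
	defer ln.Close()
	bound, _, err := net.SplitHostPort(ln.Addr().String())
	return bound, err
}

func main() {
	// Constructed sample addresses; 192.0.2.10 is from the documentation range.
	for _, addr := range []string{":8080", "0.0.0.0:8080", "[::]:8080",
		"localhost:8080", "127.0.0.1:8080", "192.0.2.10:8080"} {
		all, _ := BindsAllInterfaces(addr)
		loop, _ := IsLoopbackOnly(addr)
		fmt.Printf("%-18s allInterfaces=%-5v loopbackOnly=%v\n", addr, all, loop)
	}
	for _, host := range []string{"", "127.0.0.1"} {
		bound, err := ActualBindHost(host)
		if err != nil {
			fmt.Println("listen failed:", err)
			continue
		}
		fmt.Printf("Listen(%q + \":0\") bound host %q\n", host, bound)
	}
}
```

Running the program shows ":8080" classified as binding all interfaces while "localhost:8080" and "127.0.0.1:8080" are loopback-only, and the live bind of an empty host reports an unspecified address. A wrapper that refuses to start a debug listener unless IsLoopbackOnly returns true is the simplest local mitigation until the fixed package is installed.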

