Go before versions 1.10.6 and 1.11.3 is vulnerable to directory traversal.
Pre-announcement: https://groups.google.com/forum/#!msg/golang-announce/D4sE5tGvhe8/2_RCSJ3yBQAJ
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
External Reference: https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0 Upstream Issue: https://golang.org/issue/29231
Acknowledgments: Name: Dmitri Shuralyov (the Go team)
Created golang tracking bugs for this issue: Affects: fedora-all [bug 1659289]
Created golang tracking bugs for this issue: Affects: epel-all [bug 1664332] Created golang:1.10/golang tracking bugs for this issue: Affects: fedora-all [bug 1663381]
Statement: This issue affects the version of golang package in Red Hat Enterprise Linux 7. The golang package, previously available in the Optional channel, will no longer receive updates in Red Hat Enterprise Linux 7. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-deprecated_functionality_in_rhel7#idm139716309923696