Go 1.3.2 is released

1,527 views

Skip to first unread message

Andrew Gerrand

unread,

Sep 25, 2014, 9:12:17 PM9/25/14

to golang-nuts

Hi gophers,

We've just released Go version 1.3.2, a minor point release.

This release includes bug fixes to cgo and the crypto/tls package.

https://golang.org/doc/devel/release.html#go1.3.minor

The crpyto/tls fix addresses a security bug that affects programs that use crypto/tls to implement a TLS server from Go 1.1 onwards. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes. This issue was discovered internally and there is no evidence of exploitation.

You can download binary and source distributions from the Go web site:

https://golang.org/dl/

To compile from source using a Mercurial checkout, update to the release with "hg update release" and build as usual.

Thanks to everyone who contributed to the release.

Andrew

Andrew Gerrand

unread,

Sep 29, 2014, 12:04:47 AM9/29/14

to golang-nuts

Summary: Go 1.3.2 is broken on Windows.

There have been reports of issues with the 1.3.2 release.

The test failures on Windows are real: Windows users should avoid 1.3.2 and continue to use Go 1.3.1.

The test failures on other systems are benign and may be ignored.

To resolve these issues, we will issue the 1.3.3 release in the next couple of days.

Apologies for the inconvenience.

Andrew

Reply all

Reply to author

Forward

0 new messages