[security] Go 1.16.1 and Go 1.15.9 are released

Katie Hockman

Mar 10, 2021, 11:36:04 AM
to golang-nuts

Hi gophers,

We have just released Go 1.16.1 and Go 1.15.9 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.16.1).

  • encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.

  • archive/zip: panic when calling Reader.Open

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with “../”.

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.

The upcoming minor releases of Go 1.16.2 and 1.15.10 will also include the fixes above.

Downloads are available at https://golang.org/dl for all supported platforms.

Note: we are proposing a new security policy for vulnerabilities in Go releases. Join the discussion at golang.org/issue/44918.

Thank you,

Katie on behalf of the Go team
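Added example (not part of the announcement and not the Go project's own test code): it reconstructs, from the two descriptions above, the inputs that trigger each issue and shows what a practitioner should see on a patched toolchain. The TokenReader, the `<root>` token stream, the `../evil.txt` archive and the helper names (`decodeWithDeadline`, `openTraversalEntry`, `safeEntryName`) are all constructed for this example. It goes a step beyond the advisory in one respect: `safeEntryName` is the general entry-name check for code that extracts by iterating `r.File`, a path the `Reader.Open` fix does not cover.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"io/fs"
	"strings"
	"time"
)

// eofMidElement is a constructed xml.TokenReader: it hands out an element's
// start and then reports io.EOF without closing it (the CVE-2021-27918 shape).
type eofMidElement struct{ toks []xml.Token }

func (r *eofMidElement) Token() (xml.Token, error) {
	if len(r.toks) == 0 {
		return nil, io.EOF
	}
	t := r.toks[0]
	r.toks = r.toks[1:]
	return t, nil
}

// truncatedStream is the constructed input: <root>, some text, then EOF.
func truncatedStream() xml.TokenReader {
	return &eofMidElement{toks: []xml.Token{
		xml.StartElement{Name: xml.Name{Local: "root"}},
		xml.CharData("partial"),
	}}
}

// decodeWithDeadline runs Decode over a token decoder built on r and gives up
// after d: a patched Go errors out promptly, a vulnerable one would spin until
// the deadline fires (the stuck goroutine then leaks; this is a probe only).
func decodeWithDeadline(r xml.TokenReader, d time.Duration) error {
	var v struct {
		XMLName xml.Name `xml:"root"`
		Text    string   `xml:",chardata"`
	}
	done := make(chan error, 1)
	go func() { done <- xml.NewTokenDecoder(r).Decode(&v) }()
	select {
	case err := <-done:
		return err
	case <-time.After(d):
		return fmt.Errorf("xml decoder did not terminate within deadline %v", d)
	}
}

// traversalArchive builds an in-memory ZIP (constructed test data) whose only
// entry is named "../evil.txt", the CVE-2021-27919 input.
func traversalArchive() ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("../evil.txt")
	if err != nil {
		return nil, err
	}
	w.Write([]byte("owned\n")) // constructed payload; any failure surfaces from Close
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// openTraversalEntry calls Reader.Open on the "../" name and returns what came
// back, converting a panic into an error; on Go >= 1.16.1 it is fs.ErrInvalid.
func openTraversalEntry(archive []byte) (err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("Reader.Open panicked: %v", p)
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return err
	}
	_, err = zr.Open("../evil.txt") // an error, not a file, is the expected outcome
	return err
}

// safeEntryName is the check an extractor should apply to each f.Name before
// joining it to a destination directory; walking r.File gets no help from Open.
func safeEntryName(name string) bool {
	if strings.Contains(name, `\`) {
		return false
	}
	return fs.ValidPath(strings.TrimSuffix(name, "/"))
}

func main() {
	fmt.Println("xml Decode:", decodeWithDeadline(truncatedStream(), 2*time.Second))
	archive, err := traversalArchive()
	if err != nil {
		panic(err)
	}
	fmt.Println("zip Open:", openTraversalEntry(archive))
}
```

On Go 1.16.1, 1.15.9 or later, `decodeWithDeadline` returns an XML syntax error ("unexpected EOF") almost immediately instead of spinning, and `openTraversalEntry` returns an `*fs.PathError` wrapping `fs.ErrInvalid` instead of panicking; the deadline and the `recover` are there so the same probe reports a hang or a panic as an ordinary error on an unpatched toolchain. `safeEntryName` rejects `../` segments, absolute paths, empty names and backslashes; the explicit backslash test is there because `fs.ValidPath`'s treatment of backslashes has changed between Go releases, and an extractor should not depend on it.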

Anthony Martin

Mar 11, 2021, 2:35:18 PM
to golang-nuts
Katie Hockman <ka...@golang.org> once said:
> The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
> containing files that start with “../”.
>
> This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.

Should I submit a CVE request for the power switch on my
server? Prodding it with invalid digits "allows an attacker
to cause a denial of service".

Kidding aside, I support Filippo's proposal to exclude low
severity issues from these unscheduled security releases.

https://github.com/golang/go/issues/44918

Cheers,
Anthony