We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.7.4).
The issues addressed by these releases are:
On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.
This is addressed by https://golang.org/cl/33721, tracked in https://golang.org/issue/18141.
Thanks to Xy Ziemba for identifying and reporting this issue.
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
This is addressed by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
Thanks to Simon Rawet for the report.
Downloads are available at https://golang.org/dl for all supported platforms.
It has been updated from:
go1.7.4 0ad8bf4122de7396f771ed12f86934ea3177d6cf
to
go1.7.4 6b36535cf382bce845dd2d272276e7ba350b0c6b
If you built from the go1.7.4 tag at 0ad8b, the version will be incorrectly reported as "go1.7.3".
The binaries hosted at https://golang.org/dl are unaffected.