Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in the CGI components resulting in the HTTP_PROXY environment variable being set by the incoming Proxy header. This environment variable was also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.
This is CVE-2016-5386 and was addressed by this change: https://golang.org/cl/25010, tracked in this issue: https://golang.org/issue/16405
The Go team would like to thank Dominic Scheirlinck for coordinating disclosure of this issue across multiple languages and CGI environments. Read more about "httpoxy" here: https://httpoxy.org/
Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354 for details.
Downloads are available at https://golang.org/dl for all supported platforms.
Cheers,
Chris (on behalf of the Go team)