[security] Go 1.11.3 and Go 1.10.6 are released

3,160 views
Skip to first unread message

Dmitri Shuralyov

unread,
Dec 13, 2018, 6:02:31 PM12/13/18
to golan...@googlegroups.com
Hi gophers,

We have just released Go 1.11.3 and Go 1.10.6 to address three recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.3).
  • cmd/go: remote command execution during "go get -u"
    The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details.
    Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.
  • cmd/go: directory traversal in "go get" via curly braces in import paths
    The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details.
    Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.
  • crypto/x509: CPU denial of service in chain validation
    The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details.
    Thanks to Netflix for discovering and reporting this issue.
Downloads are available at https://golang.org/dl for all supported platforms.

We are aware of a functionality regression in "go get" when executed in GOPATH mode on an import path pattern containing "..." (e.g., "go get github.com/golang/pkg/..."), when downloading packages not already present in the GOPATH workspace. This is issue golang.org/issue/29241. It will be resolved in the next minor patch releases, Go 1.11.4 and Go 1.10.7, which we plan to release soon. We apologize for any disruption.

Thank you,
Dmitri on behalf of the Go team
Reply all
Reply to author
Forward
0 new messages