[security] Go 1.11.3 and Go 1.10.6 are released


Dmitri Shuralyov

Dec 13, 2018, 6:02:31 PM
to golan...@googlegroups.com
Hi gophers,

We have just released Go 1.11.3 and Go 1.10.6 to address three recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.3).
  • cmd/go: remote command execution during "go get -u"
    The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details.
    Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.
  • cmd/go: directory traversal in "go get" via curly braces in import paths
    The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details.
    Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.
  • crypto/x509: CPU denial of service in chain validation
    The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details.
    Thanks to Netflix for discovering and reporting this issue.
Downloads are available at https://golang.org/dl for all supported platforms.

We are aware of a functionality regression in "go get" when executed in GOPATH mode on an import path pattern containing "..." (e.g., "go get github.com/golang/pkg/..."), when downloading packages not already present in the GOPATH workspace. This is issue golang.org/issue/29241. It will be resolved in the next minor patch releases, Go 1.11.4 and Go 1.10.7, which we plan to release soon. We apologize for any disruption.

Thank you,
Dmitri on behalf of the Go team