We have just released Go 1.16.1 and Go 1.15.9 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.16.1).
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.
Thanks to Sam Whited for reporting this issue.
This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.
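As an added illustration (not code from the Go project or from this announcement), the program below builds a small custom xml.TokenReader that ends its stream inside an open element, exactly the situation described above, and feeds it to xml.NewTokenDecoder through a wrapper that turns a premature io.EOF into io.ErrUnexpectedEOF. Updating Go is the fix; the wrapper only shows how a caller can make a truncated custom token stream fail loudly instead of relying on the Decoder to notice. The reader, wrapper, and note type are all constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// sliceReader is a constructed xml.TokenReader that replays a fixed token
// list and then reports io.EOF, as any custom TokenReader would.
type sliceReader struct {
	toks []xml.Token
	pos  int
}

func (s *sliceReader) Token() (xml.Token, error) {
	if s.pos >= len(s.toks) {
		return nil, io.EOF
	}
	t := s.toks[s.pos]
	s.pos++
	return t, nil
}

// eofGuard wraps any xml.TokenReader and tracks element nesting. An io.EOF
// that arrives while elements are still open is reported as
// io.ErrUnexpectedEOF, so the Decoder receives a hard error instead of a
// stream that keeps ending inside an element. (Added example, not a Go API.)
type eofGuard struct {
	r     xml.TokenReader
	depth int
}

func (g *eofGuard) Token() (xml.Token, error) {
	tok, err := g.r.Token()
	switch tok.(type) {
	case xml.StartElement:
		g.depth++
	case xml.EndElement:
		g.depth--
	}
	if errors.Is(err, io.EOF) && g.depth > 0 {
		return nil, io.ErrUnexpectedEOF
	}
	return tok, err
}

// note is a constructed target type for Decode.
type note struct {
	XMLName xml.Name `xml:"note"`
	Body    string   `xml:",chardata"`
}

// sampleTokens returns a constructed <note>hello</note> token stream; when
// truncate is true the closing tag is omitted so EOF falls inside the element.
func sampleTokens(truncate bool) []xml.Token {
	start := xml.StartElement{Name: xml.Name{Local: "note"}}
	toks := []xml.Token{start, xml.CharData("hello")}
	if !truncate {
		toks = append(toks, start.End())
	}
	return toks
}

// decodeGuarded decodes one <note> from the token stream via the guard and
// returns whatever the Decoder reports.
func decodeGuarded(toks []xml.Token) (note, error) {
	var n note
	dec := xml.NewTokenDecoder(&eofGuard{r: &sliceReader{toks: toks}})
	err := dec.Decode(&n)
	return n, err
}

func main() {
	n, err := decodeGuarded(sampleTokens(false))
	fmt.Printf("complete:  body=%q err=%v\n", n.Body, err)
	_, err = decodeGuarded(sampleTokens(true))
	fmt.Printf("truncated: err=%v\n", err)
}
```

The guard is deliberately minimal: it counts StartElement and EndElement tokens only, which is enough to decide whether an EOF is premature, and leaves name matching to the Decoder.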
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with “../”.
This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
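As an added example (not code from the Go project), the program below constructs an in-memory archive/zip archive whose member names include one starting with "../", then screens member names with fs.ValidPath before ever calling Reader.Open. Applying the release is the fix; the screening shows how a consumer of untrusted archives can reject such entries up front, which is a sensible check on any Go version. The archive contents and the helper names are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"strings"
)

// buildArchive writes a constructed zip archive in memory. The zip.Writer
// does not validate member names, so "../" names can be produced on purpose.
func buildArchive(names []string) (*zip.Reader, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range names {
		f, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		// Directory entries end in "/" and carry no content.
		if !strings.HasSuffix(name, "/") {
			if _, err := f.Write([]byte("constructed sample content\n")); err != nil {
				return nil, err
			}
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
}

// suspiciousEntries returns member names that are not clean, unrooted,
// slash-separated paths in the io/fs sense. fs.ValidPath rejects any ".."
// element, which covers names starting with "../". A trailing "/" marks a
// directory entry and is stripped before the check.
func suspiciousEntries(r *zip.Reader) []string {
	var bad []string
	for _, f := range r.File {
		name := strings.TrimSuffix(f.Name, "/")
		if !fs.ValidPath(name) {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

// openChecked refuses to call Reader.Open at all when the archive contains
// an unsafe member name, so the panic path described above is never reached.
func openChecked(r *zip.Reader, name string) (fs.File, error) {
	if bad := suspiciousEntries(r); len(bad) > 0 {
		return nil, fmt.Errorf("archive contains unsafe entry names %q", bad)
	}
	return r.Open(name)
}

func main() {
	r, err := buildArchive([]string{"ok.txt", "../escape.txt", "docs/", "docs/readme.txt"})
	if err != nil {
		panic(err)
	}
	fmt.Println("suspicious:", suspiciousEntries(r))
	if _, err := openChecked(r, "ok.txt"); err != nil {
		fmt.Println("refused:", err)
	}
}
```

Screening the whole archive rather than only the requested name is intentional: Reader.Open builds its view of the archive from every member, so one bad name affects calls for unrelated files.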
The upcoming minor releases of Go 1.16.2 and 1.15.10 will also include the fixes above.
Downloads are available at https://golang.org/dl for all supported platforms.
Note: we are proposing a new security policy for vulnerabilities in Go releases. Join the discussion at golang.org/issue/44918.
Katie on behalf of the Go team